[1.7.x] Role-based authentication not working on Community #129

Open
thedoc31 opened this issue Sep 11, 2023 · 5 comments

@thedoc31

Hi,

I'm running a self-hosted Rundeck Community v4.8.0 which is not hosted in Amazon, and I want to switch to using role-based authentication rather than the less-secure access key/secret key method. I started with ec2-nodes-plugin 1.7.0, which failed with [1]. I updated the plugin to the latest 1.7.6 today, but I still see the same error. As far as I can tell, there's nowhere for me to configure a roleSessionName or a profile name. I'm assuming roleArn is using the value I've configured on the node source.

The documentation isn't much help here as it makes it seem like role-based auth should work the same as the access key/secret key. The role has the same permission policy as the user account did. Any ideas?

[1]

```
The Node Source had an error:
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: You must specify a value for roleArn and roleSessionName, com.amazonaws.auth.profile.ProfileCredentialsProvider@c8b684a: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@1cb9495a: Failed to connect to service endpoint: ]
```

@devzzm

devzzm commented May 23, 2024

shame the author of this plugin doesn't support it

@thedoc31
Author

thedoc31 commented Jul 26, 2024

@chrismcg14 @carlosrfranco Could one of you please help get this verified/prioritized/tagged? It's been sitting for almost a year without any activity.

@carlosrfranco
Contributor

Hi @thedoc31. AFAIK, to get the credentials for the role using the assumeRole property, the AWS client will try to connect to the AWS provider using credentials that should be set via environment variables or Java system properties, as we can check in the error message: com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)). In this case, the error message says that they could not be found and then it was not possible to generate the credentials for the roleArn. Could you please check if you have that configuration set up in your environment?
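
An added example, not part of the thread or of the plugin's code: a Python sketch that splits the chain error quoted in this issue into one entry per provider, so it is easy to see which base-credential sources the SDK tried and which settings each failure names. The function names and the entry-splitting regex are assumptions of this example; the error text is copied from the issue.

```python
import re

# Error text copied from the issue above (default credential chain failure).
CHAIN_ERROR = (
    "com.amazonaws.SdkClientException: Unable to load AWS credentials from any "
    "provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to "
    "load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or "
    "AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), "
    "SystemPropertiesCredentialsProvider: Unable to load AWS credentials from "
    "Java system properties (aws.accessKeyId and aws.secretKey), "
    "WebIdentityTokenCredentialsProvider: You must specify a value for roleArn "
    "and roleSessionName, "
    "com.amazonaws.auth.profile.ProfileCredentialsProvider@c8b684a: profile "
    "file cannot be null, "
    "com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@1cb9495a: "
    "Failed to connect to service endpoint: ]"
)

# A new chain entry starts after ", " with "Name: " or "pkg.Name@hash: ".
# Splitting on that (not on every comma) tolerates commas inside a reason.
ENTRY_START = re.compile(r",\s+(?=[\w.$]+(?:@[0-9a-f]+)?: )")
# Environment variable and system property names as they appear in the reasons.
SETTING = re.compile(r"\bAWS_[A-Z_]+\b|\baws\.\w+\b")


def parse_chain_error(message):
    """Return [(provider, reason)] for every provider the chain tried."""
    m = re.search(r"provider in the chain: \[(.*)\]", message, re.S)
    if not m:
        return []  # not a credential-chain error
    entries = []
    for part in ENTRY_START.split(m.group(1)):
        name, _, reason = part.partition(": ")
        short = name.split("@")[0].rsplit(".", 1)[-1]  # drop @hash and package
        entries.append((short, reason.strip()))
    return entries


def triage(message):
    """Map provider -> setting names its failure reason mentions (may be empty)."""
    return {name: SETTING.findall(reason)
            for name, reason in parse_chain_error(message)}


if __name__ == "__main__":
    for provider, reason in parse_chain_error(CHAIN_ERROR):
        print(f"{provider}\n    reason:   {reason}")
        print(f"    settings: {triage(CHAIN_ERROR)[provider] or 'none named'}")
```

Every entry in the output is a source of base credentials that came up empty; the role named on the node source is only requested after one of them succeeds.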

@fdevans

fdevans commented Jul 26, 2024

@thedoc31 - Are you still running 4.8.0? That version was towards the end of its support at the original post. If you can provide steps to reproduce on the current version we may be able to offer more specific assistance.

@thedoc31
Author

thedoc31 commented Jul 29, 2024

> @thedoc31 - Are you still running 4.8.0? That version was towards the end of its support at the original post. If you can provide steps to reproduce on the current version we may be able to offer more specific assistance.

Currently on 4.16.0. Can't move to 4.17+ or 5.x yet because of Rundeck Issue 8574 and Rundeck Issue 9038. I can definitely give it another try, though I doubt it'll be that different on 4.16.0 than it was on 4.8.0.

For background on our architecture:
We have a Rundeck server running on a corporate VM farm. Each Rundeck project needs to pull node inventory from two different AWS accounts (stage, prod). Currently, we do that with an IAM user access key/secret key combo stored in two different credential configs for that project. I would like to switch that to use an IAM role so I don't have to worry about rotating the IAM user access keys/secret keys once per year (security policy).

When I remove the access key and secret key and specify the role I would like assumed, I receive the error message included above.

The server does not currently have a locally stored .aws/credentials file or .aws/config to use. Even if I did set up a profile for it, I'm not seeing anywhere in the config where I could say "use profile aws-account1 with this role". Since we have multiple AWS accounts, we'd need to set which profile name to assume for that config.
