S3 - Profile with role_arn are not working #175
Comments
Can this be a duplicate of #159? I appreciate the explanation |
Hi,
Both cover different scenarios (in respective order):
Let me know if you need more details, IAM can be hard to manage. |
I've seen that. It looks ok but I don't have enough knowledge on this Haskell library. The documentation in itself is relevant. However, the package is misleading: why is it in the network one? |
From what I gather this would work in the following way:
correct? |
Also, I don't think it's possible to run Rome on EC2 (it requires Xcode), so I'm quite puzzled by #159 |
Yes it is, kind of. Actually, when you use STS (Security Token Service), it generates one additional parameter compared to "normal" access keys. You'll get a token. So, it's more:
It's what I can see from the library documentation: it seems you can specify the session rather than the access keys. See here. On other languages such as Python, the official SDK provides that (boto3 is the official library provided by AWS). To show you: `TEMP_ACCESS_KEY=$(echo "$FULL_SESSION_TOKEN" | jq -r .Credentials.AccessKeyId)` |
So would it be enough for Rome to support auth via Session? As far as I understand, the session itself can be retrieved beforehand with the AWS CLI, for example. Sorry, I'm really not familiar with this part of AWS. |
Would say no, because it would not be user-friendly. Sessions last 1h in general. I know understanding this part can be tricky and it takes time to get used to it, so no worries, you're not alone :) You should propose two approaches:
Could you point me to the place in your code where you're managing current authentication (reading the access keys)? I might provide better guidance :) |
Here is the bit: https://github.com/blender/Rome/blob/master/src/Lib.hs#L72
I don't think it would be hard for me to make an additional call honestly to get the new credentials from STS. |
Other questions: should ARN be:
|
My understanding is that you want to mimic the behavior of AWS CLI (as I can read in the README of the project). You can read this. So, to answer your question: role_arn should be in the ~/.aws/config file, under the AWS_PROFILE users will use for Rome. |
Do you have an AWS account on which you are admin? I can provide guidance on how to create a role in order to help you try it. (While we use roles mainly for cross-account access, you can assume roles that are in the same account.) |
Yes, I have an AWS account I can play around with. I'll try to follow the tutorial you posted and see how far I get. Following the AWS CLI convention sounds solid. |
Ok, then, on a single account, you can do the following. Gather the information: Create the role
Use the role from the console
Use the role from the CLI
Please let me know. After your test, I recommend deleting this role. |
Thanks! I will follow your instructions. Unfortunately this completely breaks credentials discovery and I have to do it from scratch. About the discovery of the credentials, can you please validate the following:
|
Sorry for the delay. Please find my answers below.
[alexvan] Correct.
[alexvan] Correct.
[alexvan] I don't know. I've never used this kind of configuration.
[alexvan] I don't know. I've never used this kind of configuration.
[alexvan] I believe it's correct. However, I believe users could have different configurations.
[alexvan] Correct. Credentials are temporary access keys + secrets + token. However, you should manage the expiration (by default, it's one hour if I remember properly). My 2 cents: |
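The credential resolution discussed in this thread (role_arn and source_profile in ~/.aws/config, static keys in ~/.aws/credentials, and temporary key + secret + token with an expiration coming back from STS), as an added Python example that is not part of the thread or of Rome's code. The two file contents, the RomeReader role and fake_assume_role are constructed stand-ins; no real STS call is made.

```python
import configparser
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample files (not a real account); AWS_PROFILE=account-b selects the role profile.
CONFIG_TEXT = """
[profile account-b]
role_arn = arn:aws:iam::111122223333:role/RomeReader
source_profile = dev
"""
CREDENTIALS_TEXT = """
[dev]
aws_access_key_id = AKIAEXAMPLESTATICKEY
aws_secret_access_key = example-static-secret
"""

@dataclass
class Credentials:
    access_key: str
    secret_key: str
    token: Optional[str] = None            # only STS credentials carry a session token
    expiration: Optional[datetime] = None  # set by STS; static keys never expire

    def expired(self, now: Optional[datetime] = None, margin=timedelta(minutes=5)) -> bool:
        now = now or datetime.now(timezone.utc)
        return self.expiration is not None and now + margin >= self.expiration

def load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def resolve(profile, config, credentials, assume_role, depth=0) -> Credentials:
    """Follow role_arn/source_profile until a profile with static keys is found."""
    if depth > 5: raise ValueError("source_profile chain too deep (loop?)")
    # AWS CLI convention: "[default]" has no prefix in config, other profiles are "[profile name]".
    name = "default" if profile == "default" else f"profile {profile}"
    section = config[name] if config.has_section(name) else {}
    if "role_arn" in section:  # temporary credentials: exchange the source profile's keys via STS
        base = resolve(section["source_profile"], config, credentials, assume_role, depth + 1)
        return assume_role(base, section["role_arn"])
    if credentials.has_section(profile):  # static credentials from ~/.aws/credentials
        s = credentials[profile]
        return Credentials(s["aws_access_key_id"], s["aws_secret_access_key"])
    raise LookupError(f"no credentials found for profile {profile!r}")

def fake_assume_role(base: Credentials, role_arn: str) -> Credentials:
    # Hypothetical offline stand-in for sts:AssumeRole, which returns key, secret, token, expiration.
    return Credentials("ASIAEXAMPLETEMPKEY", "example-temp-secret", token=f"token-for-{role_arn.rsplit('/', 1)[-1]}",
                       expiration=datetime.now(timezone.utc) + timedelta(hours=1))
```

The `expired()` check with its refresh margin is the part Rome would need on top of the lookup, since the STS credentials stop working after the hour mentioned above.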
WIP at #179 |
This seems to work fine! Hopefully I didn't break any other mechanism and there are enough tests to prove that. |
Enhancement Suggestion / Bug Report
AWS recommends using assumed roles for cross-account management (which is the standard approach in a company). Rome can support profiles, but the role_arn seems to be ignored and therefore users get access denied.
Steps which explain the enhancement or reproduce the bug
For simplicity of the repro steps, I give steps with admin rights, while in a real scenario users would be granted only some roles, and the roles would have fewer privileges too.
Note that this tutorial can be useful for people that are not used to this mechanism.
Current behavior
Access denied -> Rome doesn't seem to assume the role.
The workaround is to create a shared service account on "account B" and to provide the access key to our users (we don't want to create user accounts on "account B"). This workaround is a bad practice.
Suggested behavior
Role should be assumed.
Why would the enhancement be useful to most users
This is how most organizations are/will be using AWS in production.
Rome version:
0.19.0.55 - Romam uno die non fuisse conditam.
OS and version:
macOS Mojave
OS is probably not important here.