
aws/session: Add support for chaining source_profile with credential_source #2579

Merged
merged 4 commits into from
Jun 12, 2019

Conversation

janario
Contributor

@janario janario commented Apr 27, 2019

We have a scenario where our first access will assume one cross-account role and after that it assumes roles for each operation.

We tried with the aws cli and everything works fine, but we have some operations that will use the go-sdk (aws-iam-authenticator).

Our conf will be something like:

```ini
[profile CIRole]
region = eu-central-1
role_arn = CIRole
credential_source = Ec2InstanceMetadata
external_id = external_id

[profile EKSRole]
region = eu-central-1
role_arn = EKSRole
source_profile = CIRole
```

Using the aws cli it works as expected:

```console
export AWS_PROFILE=EKSRole
aws sts get-caller-identity
{
    "Account": "...", 
    "UserId": "...", 
    "Arn": "...EKSRole/botocore-session-..."
}
```

But when we trigger the aws-iam-authenticator:

```console
export AWS_PROFILE=EKSRole
aws-iam-authenticator token -i my-cluster
could not get token: could not create session: SharedConfigAssumeRoleError: failed to load assume role for .../EKSRole, source profile has no shared credentials
```

This PR makes it possible to chain between multiple profiles and to use the credential_source.

@jasdel jasdel added the needs-review This issue or pull request needs review from a core team member. label May 6, 2019
@janario
Contributor Author

janario commented May 22, 2019

Hi, any update here? 🙂

@jasdel
Contributor

jasdel commented May 23, 2019

Hi @janario, thanks for the ping, this feature request is in our backlog to review. We'll prioritize reviewing this PR and get feedback to you.

@jasdel jasdel changed the title Chain in multiple source_profile and support for credential_source aws/session: Add support for chaining source_profile with credential_source May 23, 2019
Refactors the Session credentials code to be in its own file and adds
unit tests for chained assume role.

Fixes the SDK's bug not correctly assuming role with
"credentials_source" for Environment and ECS roles.

Fix aws#2528

For testing support, added the ability to specify the Handlers the SDK
should use at the Session Options. This allows the set of handlers to be
injected from the very beginning of the sessions credential chain.
@jasdel
Contributor

jasdel commented Jun 11, 2019

I've pushed an update to this PR that refactors the Session's credential logic into its own file, and adds a unit test for chained assume role. This update also adds support for credential_source targeting EC2 and environment variable.

@nauxliu

nauxliu commented Jun 12, 2019

@jasdel It seems that the CI test has failed. Is it possible to merge this PR in the near future?

@jasdel jasdel removed the needs-review This issue or pull request needs review from a core team member. label Jun 12, 2019
@jasdel jasdel merged commit 8be2a09 into aws:master Jun 12, 2019
jasdel added a commit that referenced this pull request Jun 12, 2019
Adds PR #2579 to pending change log.
@janario
Contributor Author

janario commented Jun 13, 2019

Thanks guys

I'm looking forward to the release of it
🙂

@aws-sdk-go-automation aws-sdk-go-automation mentioned this pull request Jun 13, 2019
bflad added a commit to hashicorp/terraform that referenced this pull request Jun 20, 2019
Relevant changes:

* backend/s3: Support for chaining assume IAM role from AWS shared configuration files
* backend/s3: Fix AWS shared configuration file credential source not assuming a role with environment and ECS credentials

References:

* https://github.com/aws/aws-sdk-go/releases/tag/v1.20.0
* aws/aws-sdk-go#2579
* aws/aws-sdk-go#2385

Updated via:

```console
$ go get github.com/aws/aws-sdk-go@v1.20.4
$ go mod tidy
$ go mod vendor
```
diehlaws pushed a commit to diehlaws/aws-sdk-go that referenced this pull request Jul 2, 2019
…fig (aws#2579)

Adds support for chaining assume role credentials from the shared config/credentials files. This change allows you to create an assume role chain of multiple levels of assumed IAM roles. The config profile deepest in the chain must use static credentials, or `credential_source`. If the deepest profile doesn't have either of these the session will fail to load.

Fixes the SDK's shared config credential source not assuming a role with environment and ECS credentials. EC2 credentials were already supported.

Fix aws#2528
Fix aws#2385

Also adds the ability to specify the Handlers the SDK should use at the SessionWithOptions. This allows a set of handlers to be provided at the very beginning of the session credential chain.
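The chain rule stated in the commit message above, applied to the profile layout from the PR description, as an added example in Go that is not part of aws-sdk-go: a small shared-config reader plus a chain resolver that walks `source_profile` links and rejects a chain whose deepest profile has neither static credentials nor `credential_source` (the error the PR author hit), a missing profile, or a cycle. The sample config is constructed and omits `role_arn` since it does not affect the validation; the SDK's real parser and session loader are not used.

```go
package main
import (
	"fmt"
	"strings"
)
// Constructed sample: EKSRole chains to CIRole (credential_source); Broken has neither.
const sampleConfig = `
[profile CIRole]
credential_source = Ec2InstanceMetadata
[profile EKSRole]
source_profile = CIRole
[profile Broken]
region = eu-central-1
`
// ParseSharedConfig reads "[profile name]" sections and "key = value" lines.
func ParseSharedConfig(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	name := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			name = strings.TrimPrefix(strings.Trim(line, "[]"), "profile ")
			cfg[name] = map[string]string{}
		} else if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && name != "" {
			cfg[name][strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return cfg
}
// ResolveChain follows source_profile links from start (outermost first) and applies
// the PR's rule: the deepest profile must hold static credentials or credential_source.
func ResolveChain(cfg map[string]map[string]string, start string) ([]string, error) {
	var chain []string
	seen := map[string]bool{}
	for name := start; ; name = cfg[name]["source_profile"] {
		p, ok := cfg[name]
		if !ok || seen[name] { // unknown profile, or a source_profile cycle
			return nil, fmt.Errorf("profile %q is missing or forms a source_profile cycle", name)
		}
		seen[name], chain = true, append(chain, name)
		if p["source_profile"] != "" {
			continue
		}
		if p["credential_source"] != "" || p["aws_access_key_id"] != "" {
			return chain, nil
		}
		return nil, fmt.Errorf("profile %q has no shared credentials or credential_source", name)
	}
}
func main() { fmt.Println(ResolveChain(ParseSharedConfig(sampleConfig), "EKSRole")) }
```

Running it resolves EKSRole to the chain [EKSRole CIRole]; asking for Broken returns the "no shared credentials or credential_source" error instead of a session that fails later.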
diehlaws pushed a commit to diehlaws/aws-sdk-go that referenced this pull request Jul 2, 2019
Adds PR aws#2579 to pending change log.