Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix:v3.1.1 #108

Merged
merged 28 commits into from
May 4, 2022
Merged

fix:v3.1.1 #108

merged 28 commits into from
May 4, 2022

Conversation

brivu
Copy link
Contributor

@brivu brivu commented May 2, 2022
edited

brivu added 20 commits May 2, 2022 11:12
@brivu
test: added role-arn as env var to test interpolation
35eb566
@brivu
fix: expanding role-arn parameter
ef3ebcc
@brivu
fix: eval parameter
e2b169b
@brivu
fix: fixed typos
59f8101
@brivu
test: testing validation for web identity assumption
2e4b37f
@brivu
test: testing validation for web identity assumption
19583c5
@brivu
test: testing validation for web identity assumption
843dfd7
@brivu
test: testing validation for web identity assumption
35d5b8e
@brivu
test: testing validation for web identity assumption
5e7fbac
@brivu
test: testing validation for web identity assumption
0ee314f
@brivu
test: force failing to test validation
c27abad
@brivu
fix: expanded role-arn with eval to test interpolation
4144cf9
@brivu
fix: fixed typos
6b56f8e
@brivu
test: testing validation for web identity assumption
b125c94
@brivu
chore: clean up code for PR
d2de41c
@brivu
fix: expanded role-arn parameter in assume-role-with-web-identity com…
8c41af4 
…mand
@brivu
fix: expanded role-arn with eval to test interpolation
4e4d107
@brivu
fix: fixed typos
a6050f3
@brivu
test: testing validation for web identity assumption
71d9f2d
@brivu
# This is a combination of 5 commits.
b78f592 
# This is the 1st commit message:

chore: clean up code for PR

# The commit message #2 will be skipped:

# test: added role-arn as env var to test interpolation

# The commit message #3 will be skipped:

# fix: expanding role-arn parameter

# The commit message #4 will be skipped:

# fix: eval parameter

# The commit message #5 will be skipped:

# fix: fixed typos
@brivu brivu marked this pull request as ready for review May 3, 2022 04:36
@brivu brivu requested a review from a team as a code owner May 3, 2022 04:36
This was linked to issues May 3, 2022
Missing escape for role-session-name for OIDC & temporary credentials expiration #104
Closed
role-arn not interpolating value from project environment variable #105
Closed
Improved error handling forAssume Role with Web Identity command #106
Closed
@brivu brivu removed a link to an issue May 3, 2022
Improved error handling forAssume Role with Web Identity command #106
Closed
@brivu brivu changed the title V3.1.1 fix:v3.1.1 May 3, 2022
@adamdmharvey
Copy link

Note: this PR does not remove the unused executor, suggested via my closed PR #107. You may have decided it should stay, and that's fine; just fyi. :)

adamdmharvey
adamdmharvey reviewed May 3, 2022
View reviewed changes
src/scripts/assume-role-with-web-identity.sh Outdated
fi

# shellcheck disable=SC2034
AWS_STS_COMMAND=$(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this looks to me like it'll attempt to assume role twice, both here on line 9 and again on line 21? i'll admit to not being familiar with the pipe status exiting you're doing. curious on how this works :)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took the dev published version of this orb via this PR and tested on our side. While it works, I confirm our CloudTrail logs show duplicate assume roles with web identities with this code?

Screen shot shows me testing the pipeline twice, but you can see four (2x2) logs recorded of attempted assume roles with web identities:

image

This of course is not ideal as it means double audit logs; every user will look like they're logging in twice with OpenID. So this needs to somehow be refactored into a single call I believe?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(and btw i did note in my issue report that the root here, the failing when there is a failed Assume Role for Web Identity, now correctly fails; so we just want this to not double authenticate)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adamdmharvey, thanks for letting me know, I really appreciate it! Having double logs is definitely not ideal. Let me investigate some more and see what we can do.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adamdmharvey - I don't know why I had to make is so hard 😂 I've added validation that checks to see if the keys and session token were actually generated. If the aws sts assume-role-with-web-identity command fails, the keys and token will be null. I tested it by forcing it to fail and it gave me the correct error from AWS and the job did fail.

image

As for the executor, we decided to leave it in case there are others using it.

@brivu brivu merged commit da3cf00 into master May 4, 2022
@brivu brivu deleted the v3.1.1 branch May 4, 2022 07:27
@zbroniszewski zbroniszewski mentioned this pull request May 10, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adamdmharvey adamdmharvey adamdmharvey left review comments

@KyleTryon KyleTryon KyleTryon approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@brivu @adamdmharvey @KyleTryon