Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow disabling role assumption when AWS_ROLE_ARN environment variable is set #177

Closed
JonMerlevede opened this issue Sep 8, 2022 · 4 comments
Closed

Allow disabling role assumption when AWS_ROLE_ARN environment variable is set #177

JonMerlevede opened this issue Sep 8, 2022 · 4 comments
Labels
bug Something isn't working

Comments

@JonMerlevede
Copy link

JonMerlevede commented Sep 8, 2022
edited
Loading

Issue Description

The code for dbConnect() checks if the AWS_ROLE_ARN environment variable is set, and performs an explicit assume role operation if it is. To perform the assume role operation, it calls on Boto3. Boto3 also uses AWS_ROLE_ARN to determine which role to assume, for example when using web identity authentication. This causes RAthena to try to assume role A from role A, which is always superfluous and often denied.

Reproducible Example

Set the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables; Boto3 can now authenticate.

Assuming that AWS_ROLE_ARN has value arn:aws:iam::123456789101:role/A, call on dbConnect() and get the exception:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789101:assumed-role/A/botocore-session-xxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::189756888801:role/A

If unsetting AWS_ROLE_ARN, call on dbConnect() and get the exception:

Warning: Error in py_call_impl: botocore.exceptions.InvalidConfigError: The provided profile or the current environment is configured to assume role with web identity but has no role ARN configured.

Proposed solution

Allow a value for the aws_role parameter that does not trigger an assume role operation, even if AWS_ROLE_ARN is set.
@DyfanJones
Copy link
Owner

DyfanJones commented Sep 8, 2022
edited
Loading

Ah sorry about that, i am currently on holiday and won't be able to do any work on this for 2 weeks. However in the meantime I am happy to receive any PRs.

@DyfanJones DyfanJones added the bug Something isn't working label Sep 8, 2022
DyfanJones added a commit that referenced this issue Dec 9, 2022
@DyfanJones
remove get_aws_env from aws_role_arn (#177)
b87fc04
@DyfanJones
Copy link
Owner

Hi @JonMerlevede really sorry for the super long delay in this. I have been busy working on the R AWS SDK (paws). Would a simple fix be to remove:

RAthena/R/Driver.R

Line 246 in d8646bc

role_arn <- role_arn %||% get_aws_env("AWS_ROLE_ARN")
and allow boto3 do the work instead.

@DyfanJones DyfanJones mentioned this issue Dec 9, 2022
Merged
@DyfanJones
Copy link
Owner

DyfanJones commented Dec 9, 2022
edited
Loading

Please try out:

remotes::install_github("dyfanjones/RAthena", ref = "arn_role")

Let me know if this fixes the issue

DyfanJones added a commit to DyfanJones/noctua that referenced this issue Dec 14, 2022
@DyfanJones
remove AWS_ROLE_ARN due to issue DyfanJones/RAthena#177
3bd7e50
@DyfanJones DyfanJones mentioned this issue Dec 14, 2022
Merged
@DyfanJones
Copy link
Owner

RAthena v2.6.1 has been released to cran. It now lets boto3 sdk handle the role from environment variable AWS_ROLE_ARN. If this is still any issue please re-open the ticket

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JonMerlevede @DyfanJones