
Allow disabling role assumption when AWS_ROLE_ARN environment variable is set #177

Closed
JonMerlevede opened this issue Sep 8, 2022 · 4 comments
Labels
bug Something isn't working

Comments


JonMerlevede commented Sep 8, 2022

Issue Description

The code for dbConnect() checks if the AWS_ROLE_ARN environment variable is set, and performs an explicit assume role operation if it is. To perform the assume role operation, it calls on Boto3. Boto3 also uses AWS_ROLE_ARN to determine which role to assume, for example when using web identity authentication. This causes RAthena to try to assume role A from role A, which is always superfluous and often denied.

Reproducible Example

Set the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables; Boto3 can now authenticate.

Assuming that AWS_ROLE_ARN has value arn:aws:iam::123456789101:role/A, call on dbConnect() and get the exception:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789101:assumed-role/A/botocore-session-xxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::189756888801:role/A

If unsetting AWS_ROLE_ARN, call on dbConnect() and get the exception:

Warning: Error in py_call_impl: botocore.exceptions.InvalidConfigError: The provided profile or the current environment is configured to assume role with web identity but has no role ARN configured.

Proposed solution

Allow a value for the aws_role parameter that does not trigger an assume role operation, even if AWS_ROLE_ARN is set.

Owner

DyfanJones commented Sep 8, 2022

Ah sorry about that, I am currently on holiday and won't be able to do any work on this for 2 weeks. However, in the meantime I am happy to receive any PRs.

DyfanJones added the bug label Sep 8, 2022
@DyfanJones
Owner

Hi @JonMerlevede, really sorry for the super long delay in this. I have been busy working on the R AWS SDK (paws). Would a simple fix be to remove:

role_arn <- role_arn %||% get_aws_env("AWS_ROLE_ARN")
and allow boto3 to do the work instead?

Owner

DyfanJones commented Dec 9, 2022

Please try out:

remotes::install_github("dyfanjones/RAthena", ref = "arn_role")

Let me know if this fixes the issue.

@DyfanJones
Owner

RAthena v2.6.1 has been released to CRAN. It now lets the boto3 SDK handle the role from the environment variable AWS_ROLE_ARN. If this is still an issue, please re-open the ticket.
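An added example, not RAthena's code and not part of this thread: a guard that keeps the AWS_ROLE_ARN fallback described in the issue but skips the explicit sts:AssumeRole when the session already runs as the target role. The function and parameter names are hypothetical, the caller ARN is assumed to come from sts:GetCallerIdentity, and the path-qualified and account 210987654321 ARNs are constructed sample values.

```python
import re

# Caller ARN of a role session, as reported by sts:GetCallerIdentity.
_ASSUMED = re.compile(r"^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
# IAM role ARN. An optional path may precede the role name; the path does
# not appear in the assumed-role ARN, so only the final segment is compared.
_ROLE = re.compile(r"^arn:(aws[\w-]*):iam::(\d{12}):role/(?:.+/)?([^/]+)$")


def role_key(arn):
    """Return (partition, account, role name) for a role or assumed-role ARN, else None."""
    for pattern in (_ASSUMED, _ROLE):
        m = pattern.match(arn or "")
        if m:
            return m.groups()
    return None


def explicit_assume_target(role_arn_arg, env, caller_arn):
    """Return the role ARN to pass to sts:AssumeRole, or None to skip the call.

    role_arn_arg: role passed explicitly by the user (hypothetical parameter)
    env:          mapping of environment variables
    caller_arn:   ARN of the identity the SDK has already resolved
    """
    # Same fallback order as the line quoted in the thread: argument, then env.
    target = role_arn_arg or env.get("AWS_ROLE_ARN")
    if target is None:
        return None
    key = role_key(target)
    if key is not None and key == role_key(caller_arn):
        return None  # already running as this role: a self-assume is superfluous
    return target


if __name__ == "__main__":
    # Scenario from the issue: web identity already resolved role A.
    env = {"AWS_ROLE_ARN": "arn:aws:iam::123456789101:role/A",
           "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/token"}  # constructed path
    caller = "arn:aws:sts::123456789101:assumed-role/A/botocore-session-xxx"
    print(explicit_assume_target(None, env, caller))
    # A different, explicitly requested role is still assumed (constructed ARN).
    print(explicit_assume_target("arn:aws:iam::210987654321:role/B", env, caller))
```
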
