Role Based Authentication #48

Closed
ricey99 opened this Issue Oct 4, 2017 · 10 comments

ricey99 commented Oct 4, 2017

Would it be possible to include role and cross-account role access rather than just access/secret keys?

This would be very beneficial when running Graylog in AWS.

joschi added the feature label Oct 4, 2017

Contributor

radykal-com commented Oct 8, 2017

Hello,
Could you explain to us a bit more about what you expect? It can work with Instance profile authentication right now. How is that cross-account role set up? Any example?

ricey99 commented Oct 9, 2017

Hi

I am taking my experience from the Splunk Add on for AWS....

As you have stated, it looks like your plugin allows it to assume a role via the instance profile. The ability to add additional roles to the plugin from the same AWS account would allow us to set up roles in other AWS accounts with cross-account access, which would enable access to the account without having to manage access keys and secrets.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

http://docs.splunk.com/Documentation/AddOns/latest/AWS/ConfigureAWSpermissions

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Hope that helps.

Thanks

Contributor

radykal-com commented Oct 9, 2017

Ok, what I see is that a new config field is required to set the ARN of the assumed role to access the required resources, is this correct?

ricey99 commented Oct 10, 2017

Yes, that sounds correct. If this could be set at the input level, it would allow for inputs from multiple accounts.

Thanks

Contributor

radykal-com commented Oct 10, 2017

Sure. To check the permissions to assume the role, it should follow the current chain of authentication, right? I mean, if the input has KEY+SECRET it should try to assume the role using them; if not, try it with the instance profile.

If this is correct, I can help with the implementation as soon as some maintainer appears here to agree with this.

@joschi What do you think?

ricey99 commented Oct 10, 2017

Yes, that is correct, Thanks !!

Contributor

joschi commented Oct 11, 2017

@radykal-com Sure, go for it! We'll happily review any pull request you're contributing!

Contributor

radykal-com commented Oct 11, 2017

#49 is ready. I have tested it in my AWS environment.

Member

bernd commented Oct 16, 2017

#49 has been merged and will be in the upcoming 2.4 release. Thank you @radykal-com!

bernd closed this Oct 16, 2017

bernd self-assigned this Oct 16, 2017

bernd added this to the 2.4.0 milestone Oct 16, 2017

Contributor

radykal-com commented Oct 16, 2017

👍
