Role Based Authentication #48

Closed
ricey99 opened this issue Oct 4, 2017 · 10 comments


@ricey99 ricey99 commented Oct 4, 2017

Would it be possible to include role and cross account role access rather than just access/secret keys?

This would be very beneficial when running Graylog in AWS.

@joschi joschi added the feature label Oct 4, 2017

@radykal-com radykal-com commented Oct 8, 2017

Hello,
Could you explain to us a bit more about what you expect? It can work with Instance profile authentication right now. How is that cross account role set up? Any example?


@ricey99 ricey99 commented Oct 9, 2017

Hi

I am taking my experience from the Splunk Add on for AWS....

As you have stated, it looks like your plugin allows it to assume a role via the instance profile. The ability to add additional roles to the plugin from the same AWS account would allow us to set up roles in other AWS accounts with cross account access, which would enable access to the account without having to manage access keys and secrets.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

http://docs.splunk.com/Documentation/AddOns/latest/AWS/ConfigureAWSpermissions

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Hope that helps.

Thanks


@radykal-com radykal-com commented Oct 9, 2017

Ok, what I see is that a new config field is required to set the ARN of the assumed role to access the required resources. Is this correct?


@ricey99 ricey99 commented Oct 10, 2017

Yes, that sounds correct. If this could be set at the input level, it would allow for inputs from multiple accounts.

Thanks


@radykal-com radykal-com commented Oct 10, 2017

Sure, to check the permissions to assume the role it should follow the current chain of authentication, right? I mean, if the input has KEY+SECRET it should try to assume the role using them; if not, try it with the instance profile.

If this is correct, I can help with the implementation as soon as some maintainer appears here to agree with this.

@joschi What do you think?


@ricey99 ricey99 commented Oct 10, 2017

Yes, that is correct. Thanks!!
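
The credential chain agreed in the comments above, as an added example that is not part of the thread and is not the code from the plugin or from #49. It assumes the AWS SDK for Java v1; the class name `InputCredentials`, its parameters and the session name `graylog-aws-input` are hypothetical.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

/** Hypothetical helper: resolves the credentials one input should use. */
public final class InputCredentials {
    private InputCredentials() {}

    /**
     * @param accessKey     input-level access key, may be null or empty
     * @param secretKey     input-level secret key, may be null or empty
     * @param assumeRoleArn ARN of the role to assume, may be null or empty
     * @param region        region of the STS endpoint to call
     */
    public static AWSCredentialsProvider resolve(String accessKey, String secretKey,
                                                 String assumeRoleArn, String region) {
        // Step 1: base credentials. An explicit key + secret on the input wins;
        // otherwise fall back to the EC2 instance profile.
        AWSCredentialsProvider base;
        if (notEmpty(accessKey) && notEmpty(secretKey)) {
            base = new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKey, secretKey));
        } else {
            base = InstanceProfileCredentialsProvider.getInstance();
        }

        // Step 2: no role ARN on this input, so the base credentials are used as-is.
        if (!notEmpty(assumeRoleArn)) {
            return base;
        }

        // Step 3: call sts:AssumeRole with the base credentials. The returned
        // provider hands out temporary credentials and refreshes them on expiry.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(base)
                .withRegion(region)
                .build();
        return new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn, "graylog-aws-input")
                .withStsClient(sts)
                .build();
    }

    private static boolean notEmpty(String s) {
        return s != null && !s.isEmpty();
    }
}
```

For a cross-account role, the role's trust policy in the target account has to allow the base principal (the key's user or the instance profile role) to call `sts:AssumeRole`, and that principal needs the matching permission in its own account.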


@joschi joschi commented Oct 11, 2017

@radykal-com Sure, go for it! We'll happily review any pull request you're contributing!


@radykal-com radykal-com commented Oct 11, 2017

#49 is ready. I have tested it in my AWS environment.


@bernd bernd commented Oct 16, 2017

#49 has been merged and will be in the upcoming 2.4 release. Thank you @radykal-com!

@bernd bernd closed this Oct 16, 2017
@bernd bernd self-assigned this Oct 16, 2017
@bernd bernd added this to the 2.4.0 milestone Oct 16, 2017

@radykal-com radykal-com commented Oct 16, 2017

👍
