CfnCluster with assume role

[regevs]

The permission structure of our organization is built so that in order to perform CfnCluster actions (e.g., create) we would need to assume an IAM role. Currently, it is structured so that from an EC2 machine, all permissions work, and therefore CfnCluster can be used.

I am trying to create a CfnCluster from my personal machine. To this end, I use:

aws sts assume-role --role-arn arn:aws:iam::123123123123:role/my.iam.role --serial-number arn:aws:iam::234234234234:mfa/my.user.name --token-code [MFA - 6 digits I got from my Google Authenticator] --role-session-name cfncluster

(numbers and usernames changed)

This prints out a json, which has 3 fields: AccessKeyId, SecretAccessKey and SessionToken. Using them (setting them as environmental variables), I am able to assume the IAM role, and use the aws cli tool, e.g.:

AWS_ACCESS_KEY_ID=xxxxxx AWS_SECRET_ACCESS_KEY=yyyyyyyyy AWS_SESSION_TOKEN=zzzzz aws s3 ls

This works (actually, this works also without the session token). However, doing the same with CfnCluster, I get:

$ AWS_ACCESS_KEY_ID=xxxxxx AWS_SECRET_ACCESS_KEY=yyyyyyyyy WS_SESSION_TOKEN=zzzzz cfncluster create cluster-test
Starting: cluster-test
Config sanity error: AWS was not able to validate the provided access credentials

Why would this happen?

Can I use CfnCluster assuming an IAM role, rather than my user account?

[jocherry]

I will try to replicate this issue.

In the mean time, you could try running the 'configure' command on cfncluster to enter these credentials:
https://cfncluster.readthedocs.io/en/latest/getting_started.html#configuring-cfncluster

[bwbarrett]

@jocherry's suggestion won't work, because you do need the session token for the access key and session key to be useful.

CfnCluster unfortunately still uses the boto library (instead of the modern boto3 library). In boto, the session key is set with AWS_SECURITY_TOKEN instead of AWS_SESSION_TOKEN. If you set AWS_SECURITY_TOKEN, you should be able to use your temporary session keys.