aws - session policy support via custodian cli #9416
Conversation
| @@ -88,6 +91,10 @@ def assumed_session(role_arn, session_name, session=None, region=None, external_ | |||
| def refresh(): | |||
|
|
|||
| parameters = {"RoleArn": role_arn, "RoleSessionName": session_name} | |||
| if session_policy is not None: | |||
There was a problem hiding this comment.
the read from file should take place ideally at a higher level, potentially at the command module wrapper, we also in future want to support auto generation of the session policy, so having this consumer being agnostic to origins would be preferred.
There was a problem hiding this comment.
Thanks for the feedback @kapilt. Understood re: read from file should take place ideally at a higher level,
so having this consumer being agnostic to origins would be preferred
Does this mean the session policy argument should be moved out of provider to config?
There was a problem hiding this comment.
Moved the flag outside of the AWS provider and also created a SessionPolicy class. Doing it inside the command module wrapper was causing a potential circular import dependency error. Any suggestions would be appreciated. Thanks
ImportError: cannot import name 'SessionPolicy' from partially initialized module 'c7n.commands' (most likely due to a circular import) (/Users/pratyushmishra/development/cloud-custodian/c7n/commands.py)
There was a problem hiding this comment.
I think you just want to pass the parameter through the same way, but instead of it being the file its the content, then you won't run into the import circular since it wouldn't be instantiating in commands.py
There was a problem hiding this comment.
Ah, I see now. We just want to pass in the contents aka the session policies as strings instead of passing a file and reading it so that we could at a later stage also be able to generate it by other means. Current implementation shouldn't care about that
Closes #9404
Took a stab at it and this is an initial draft. I can go ahead and add tests etc. However, have a few open questions from a design perspective
Tested with a bad json policy and the traceback received was
botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the AssumeRole operation: Syntax errors in policy.I also tested it with a good session policy.