Add ability to set session policies for assumed roles #14

Closed
iainelder opened this issue Oct 4, 2021 · 6 comments

Comments

@iainelder
Collaborator

The default OrganizationAccountAccessRole has the AdministratorAccess policy.

For collecting inventory, I need at most a read-only policy such as ReadOnlyAccess or SecurityAudit.

Botocove supports assuming other roles, but it doesn't help if we don't already have a role that attaches the read-only policies.

This could also be solved on botocove's side by adding options to set the Policy and PolicyArns parameters of assume_role.

```python
import boto3
sts_client = boto3.client("sts")
# role_arn and role_session_name are supplied by the caller.
creds = sts_client.assume_role(
    RoleArn=role_arn, RoleSessionName=role_session_name
)["Credentials"]
```

I see that the RoleSessionName parameter gained support in a similar way.

I think I would be able to contribute a PR for this functionality. My main doubt is about the test coverage. Can you give some guidance here?

@connelldave
Owner

Sounds reasonable - we can't write any hugely meaningful tests, since it's mainly just the API behaviour that changes. A test that uses the newly implemented arguments is mainly useful to catch regressions or developer error, so it shouldn't be too tricky. Happy to review if you want to have a go.

Semi-related - I refactored the codebase without disrupting the user-facing API on this branch. It drops some of the cruft like asyncio loops and async funcs that don't really add much, and should hopefully allow progress bars. Feel free to check out https://github.com/connelldave/botocove/tree/progress_bar if you'd like to test. It'll be easy to port contributions to that change too if needs be.

@iainelder
Collaborator Author

> Happy to review if you want to have a go.

Okay, thanks! I hope I can find time this week to implement it.

> I refactored ... should hopefully allow progress bars.

Glad to hear it :-) I'll copy the comment to #11.

@iainelder
Collaborator Author

I started to study the code and the other PR a couple of weeks ago, but didn't have time to commit any changes.

It's still a priority for me! I hope to find enough free time soon.

@iainelder
Collaborator Author

I submitted a pull request to solve this for the Policy parameter.

Let me know what you think.

When you're happy with it I can extend it to support the PolicyArns parameter too.

@connelldave
Owner

Thanks for this Iain - now in 1.4.1 - it'd be great to hear more about your use case for it!

@iainelder
Collaborator Author

@connelldave I'll update my aws-org-inventory tool soon to use a generic read-only session policy.

In more specialized code I would use a session policy that allows only the AWS API actions required by the function executed by botocove.

Say I need to retrieve the template for every instance of a named stack. I'd pass a function to botocove that calls boto3 method CloudFormation.Client.get_template. I'd also pass a session policy that allows just the cloudformation:GetTemplate IAM action.
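The following is an added example, not botocove's code or anything from the thread participants. It shows both points raised in this issue: passing the `Policy` and `PolicyArns` parameters to `assume_role` (the feature requested at the top), and building a session policy that allows only the single action a function needs (the `cloudformation:GetTemplate` case described in the last comment). The helper names, the `FakeSTS` client used so it runs offline, and the simplified Allow-only permission model in `effective_actions()` are all assumptions for illustration; the 2048-character plaintext limit and the 10-ARN limit are the documented STS limits for session policies.

```python
"""Added example (not botocove's code): assume a role with a least-privilege
session policy. Helper names, FakeSTS and the simplified IAM model are
illustrative assumptions, not part of the original page."""
import fnmatch
import json

# Documented STS limits for assume_role session policies.
MAX_PLAINTEXT_POLICY_CHARS = 2048
MAX_MANAGED_POLICY_ARNS = 10


def build_session_policy(actions, resources="*"):
    """Build an inline session policy allowing only `actions` (for example
    ["cloudformation:GetTemplate"]) on `resources`. Returns the JSON string
    that assume_role's Policy parameter expects."""
    if isinstance(actions, str):
        actions = [actions]
    doc = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": resources}
        ],
    }
    # Compact encoding: the plaintext limit counts every character.
    policy = json.dumps(doc, separators=(",", ":"))
    if len(policy) > MAX_PLAINTEXT_POLICY_CHARS:
        raise ValueError("session policy exceeds the 2048-character plaintext limit")
    return policy


def assume_role_kwargs(role_arn, session_name, actions=None, policy_arns=None):
    """Build the keyword arguments for sts.assume_role(). `actions` becomes an
    inline session policy (Policy); `policy_arns` become managed session
    policies (PolicyArns). Either, both or neither may be given."""
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if actions:
        kwargs["Policy"] = build_session_policy(actions)
    if policy_arns:
        if len(policy_arns) > MAX_MANAGED_POLICY_ARNS:
            raise ValueError("at most 10 managed session policy ARNs are allowed")
        kwargs["PolicyArns"] = [{"arn": arn} for arn in policy_arns]
    return kwargs


def assume_role_with_session_policy(role_arn, session_name, actions=None,
                                    policy_arns=None, sts_client=None):
    """Assume `role_arn` and return the temporary credentials. Pass an explicit
    client (a fake in tests) or let boto3 build one; boto3 is imported lazily
    so this module loads without it."""
    if sts_client is None:
        import boto3  # assumption: boto3 is installed where this runs
        sts_client = boto3.client("sts")
    kwargs = assume_role_kwargs(role_arn, session_name, actions, policy_arns)
    return sts_client.assume_role(**kwargs)["Credentials"]


def effective_actions(role_actions, session_actions, candidates):
    """Simplified model of IAM evaluation (Allow statements only, no Deny,
    conditions or resources): an action is permitted only if BOTH the role's
    permissions and the session policy match it. A session policy can only
    narrow the role, never grant beyond it. Returns the surviving candidates."""
    def matches(action, patterns):
        return any(fnmatch.fnmatchcase(action, p) for p in patterns)
    return [a for a in candidates
            if matches(a, role_actions) and matches(a, session_actions)]


class FakeSTS:
    """Constructed stand-in for boto3's STS client: records the request and
    returns a fixed credential shape so the example runs offline."""
    def __init__(self):
        self.last_request = None

    def assume_role(self, **kwargs):
        self.last_request = kwargs
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret",
                                "SessionToken": "token"}}


if __name__ == "__main__":
    sts = FakeSTS()
    assume_role_with_session_policy(
        "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole",
        "inventory", actions=["cloudformation:GetTemplate"],
        policy_arns=["arn:aws:iam::aws:policy/ReadOnlyAccess"], sts_client=sts)
    print(json.dumps(sts.last_request, indent=2))
    # AdministratorAccess ("*") narrowed by the session policy to one action.
    print(effective_actions(["*"], ["cloudformation:GetTemplate"],
                            ["cloudformation:GetTemplate", "cloudformation:DeleteStack"]))
```

The inline policy and the managed policy ARNs combine with the role's own permissions as an intersection, so a session policy of `cloudformation:GetTemplate` on top of `OrganizationAccountAccessRole` (AdministratorAccess) yields credentials that can do nothing else; conversely, naming an action the role does not already allow grants nothing. `effective_actions()` models only that intersection for Allow statements and ignores Deny, conditions and resource ARNs, so treat it as an illustration of the rule, not a policy simulator.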
