-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
profile
Parameter Prevents the Use of Temp. Creds from assume_role_arn
#11
Comments
I went ahead and upgraded my Additionally, I've discovered a new bug in the latest version when making the STS call for temporary creds:
The |
- FIX : Typo in `aws_cli_runner.sh` when running assuming a role. Thank you [Garrett Blinkhorn](#11).
Hi. Thanks for this (and sorry for the delay). I've just released. v6.0.2 for the silly bug fix on the debug. Just looking at the logic for profile with assume role. It makes perfect sense to only use the profile once within the script. Either to assume a supplied role, or to use as part of the AWS call. Using it for both is sort of daft! So, yeah, sorry about that. Will do my usual reviews and get it sorted. |
- FIX : If `var.profile` and `var.assume_role_arn` are used, then continuing to use `var.profile` invalidates the assumed role. The `aws_cli_runner.sh` now no longer uses `var.profile` when a role has been successfully assumed. Thank you [Garrett Blinkhorn](#11).
- Added testing for Terraform 1.7+ - FIX : If `var.profile` and `var.assume_role_arn` are used, then continuing to use `var.profile` invalidates the assumed role. The `aws_cli_runner.sh` now no longer uses `var.profile` when a role has been successfully assumed. Thank you [Garrett Blinkhorn](#11).
V6.1.0 has just been released. The approach I've used is to remove the profile variable once it has been successfully used to assume a role. If there was no role to assume, then the profile variable remains in place and will then be used against the AWS CLI call as before. Hopefully this covers it. |
Thanks for taking a look - I've tested I'm closing this issue since the latest release resolved it. |
Happy to have helped.
…On Wed, 31 Jan 2024, 13:36 Garrett Blinkhorn, ***@***.***> wrote:
Closed #11 <#11>
as completed.
—
Reply to this email directly, view it on GitHub
<#11 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAADEAIYSNO7BU2X7MFV46DYRJCF5AVCNFSM6AAAAABCCIFNUWVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJRGY2TKOBXGM2DSNY>
.
You are receiving this because you commented.Message ID:
***@***.***
com>
|
Versions
Expected Behavior
If I supply both a
profile
and anassume_role_arn
to the module, then the module should useprofile
to retrieve a temporary set of credentials forassume_role_arn
, then execute the desiredquery
using the temporary credentials that were retrieved, not theprofile
itself.In my case, I have a
profile
configured for the account where I store my Terraform state/resources and I want to make a cross-account role assumption toassume_role_arn
so that I can use this module to read some data from the target account.In
aws_cli_runner.sh
, if the user passes theassume_role_arn
then the script uses theprofile
param alongside theassume_role_arn
to retrieve a set of temporary credentials and store them asAWS_ENV_VARS
.Problem
The
aws
command which executes theaws_cli_commands
also includes theAWS_CLI_PROFILE_PARAM
ifprofile
is provided, which it is in this case:This prevents the temporary credentials that were fetched earlier from actually being used, meaning that if both
profile
andassume_role_arn
are passed, then its not actually possible to use the credentials that were fetched to run theaws
command using theassume_role_arn
.Additional Findings
profile
that handles the role assumption itself and pass that newprofile
then the command executes properly. If I pass this newprofile
alongside the sameassume_role_arn
then the command executes properly as well, but credentials are being sourced from my local~/.aws/credentials
rather than the temporary ones that were fetched:Desired Outcome
Remediate the above so that when both a
profile
and anassume_role_arn
are passed, the script uses theprofile
to fetch the temporary credentials necessary toassume_role_arn
then uses said credentials to execute thecli_query
.In my case, I have data in
Account A
that I would like make read-only for other teams in other accounts. Those teams have unique aws profiles that they use inside of their own accounts. I want to create a ReadOnly role inAccount A
, then allow other teams to use this role to read the data inAccount A
.I would grant
AssumeRole
rights on my ReadOnly role to the unique roles that pertain to each different team's specific profiles, so that they can use this module and those profiles to assume the ReadOnly role and execute the query inAccount A
.In this way, I can control Read access to
Account A
simply by adding and removingAssumeRole ARNs
to my ReadOnly role policy. Then consuming teams can use our existing IAM role structure and this module to read the relevant data.The text was updated successfully, but these errors were encountered: