Make it possible to use assume role #15234
Conversation
cc @hakman @olemarkus I need some help here, if you read the description and check the solution. Does it make sense at all? Is there an easier way to solve this? func stscreds.NewCredentials():
so if I understand this correctly it will handle the credential refresh automatically out of the box? I need to code test software tomorrow, which will use this and the "old" (aka assumerole before calling it) way
Can you define the role ARN in a profile in the AWS config file, and specify the profile via https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
@rifelpet we are not using aws cli to call anything, it's just Go code. I will make sample code about this and test it inside Kubernetes
I will test that; does it help if I generate ~/.aws/config and export AWS_PROFILE=foobar?
it seems that it's not possible, similar issue aws/aws-cli#3875. The problem is that the portal is getting the original aws role as env variables:
after that it cannot assume role again (see issue). Similar request boto/boto3#2360, so it seems that this is not widely supported in AWS SDKs
this does not break any current behaviour, but makes it work for this use-case. I do not see a huge risk in merging this. However, if someone has a better idea how to make it work, that is maybe better to discuss first. Test code available here https://github.com/zetaab/credtest/blob/main/main.go explanations:
@hakman any news on this?
So I was wondering about whether this should be AWS_ASSUME_ROLE_ARN or AWS_ROLE_ARN. AWS_ROLE_ARN is used by the aws cli and most SDKs, but it is only used for web identity. It also sounds like we want to avoid potential conflicts here, and anyone using IRSA (as you are) will have AWS_ROLE_ARN set, so there would be a high chance of conflicts. Code LGTM, just trying to understand the nuances here.
@justinsb yep. One option is that we rename it without the AWS prefix like
@zetaab what do you think about
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@hakman I rebased, needs lgtm again
/lgtm
/test pull-kops-e2e-k8s-aws-calico
What is our current problem? We are hosting the kOps management portal in AWS (which has an AWS role). We are using that to provision clusters to other AWS accounts. Currently we are using the management portal role and calling AssumeRole to another account's role. However, because this is called "role chaining", we can get at most 1 hour long credentials from STS. In all cases the 1 hour long credentials are not enough (for instance kops rolling-update). My goal in this PR is that kOps could automatically refresh the assumed role. So in future I could just specify
AWS_ASSUME_ROLE_ARN
to the kOps CLI binary, and it will automatically assume and refresh itself if needed.
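The description above leans on the refresh behaviour the thread attributes to stscreds.NewCredentials: keep the assumed-role credentials cached, and re-assume the role shortly before they expire so a long-running command never sees an expired token even though role chaining caps each STS session at 1 hour. The Go program below is an added example written for this page; it is not kOps code and not the code from this PR. It writes that refresh logic out explicitly with a constructed stand-in for STS (the AssumeRoleFunc type, the RefreshingProvider type and the fake in main are all assumptions introduced here), and reads the AWS_ASSUME_ROLE_ARN variable proposed in the PR to decide whether to wrap the base credentials at all.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"sync"
	"time"
)

// Credentials is the minimal shape of what an STS AssumeRole call returns.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}

// AssumeRoleFunc stands in for the STS AssumeRole call made with the base
// (management portal) credentials. Tests pass a constructed one.
type AssumeRoleFunc func(roleARN string) (Credentials, error)

// RefreshingProvider caches assumed-role credentials and re-assumes the role
// once they are within expiryWindow of expiring (the behaviour the thread
// attributes to stscreds.NewCredentials, written out explicitly).
type RefreshingProvider struct {
	mu           sync.Mutex
	roleARN      string
	assume       AssumeRoleFunc
	expiryWindow time.Duration
	now          func() time.Time // injectable clock
	cached       Credentials
	valid        bool
	Refreshes    int // how many AssumeRole calls have been made
}

// NewRefreshingProvider validates its inputs and uses the wall clock by default.
func NewRefreshingProvider(roleARN string, assume AssumeRoleFunc, expiryWindow time.Duration) (*RefreshingProvider, error) {
	if roleARN == "" {
		return nil, errors.New("role ARN must not be empty")
	}
	if assume == nil {
		return nil, errors.New("assume function must not be nil")
	}
	return &RefreshingProvider{roleARN: roleARN, assume: assume, expiryWindow: expiryWindow, now: time.Now}, nil
}

// SetClock replaces the time source so expiry handling can be tested offline.
func (p *RefreshingProvider) SetClock(now func() time.Time) { p.now = now }

// Get returns the cached credentials while they are comfortably fresh and
// transparently re-assumes the role otherwise. With role chaining STS caps a
// session at 1 hour, so a long kops rolling-update triggers a refresh every
// ~55 minutes instead of failing with an expired token.
func (p *RefreshingProvider) Get() (Credentials, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.valid && p.now().Add(p.expiryWindow).Before(p.cached.Expiration) {
		return p.cached, nil
	}
	c, err := p.assume(p.roleARN)
	if err != nil {
		return Credentials{}, fmt.Errorf("assume role %s: %w", p.roleARN, err)
	}
	if !c.Expiration.After(p.now()) {
		return Credentials{}, errors.New("STS returned already-expired credentials")
	}
	p.cached, p.valid = c, true
	p.Refreshes++
	return c, nil
}

// ProviderFromEnv wraps the base credentials only when AWS_ASSUME_ROLE_ARN (the
// variable proposed in this PR) is set; otherwise it returns nil so the caller
// keeps using the base credentials exactly as before. getenv is injectable.
func ProviderFromEnv(getenv func(string) string, assume AssumeRoleFunc) (*RefreshingProvider, error) {
	arn := getenv("AWS_ASSUME_ROLE_ARN")
	if arn == "" {
		return nil, nil
	}
	return NewRefreshingProvider(arn, assume, 5*time.Minute)
}

func main() {
	// Constructed stand-in for STS; real code would call sts.AssumeRole here.
	calls := 0
	fakeSTS := func(roleARN string) (Credentials, error) {
		calls++
		return Credentials{
			AccessKeyID: fmt.Sprintf("ASIAEXAMPLE%d", calls),
			Expiration:  time.Now().Add(time.Hour), // role-chaining maximum
		}, nil
	}
	p, err := ProviderFromEnv(os.Getenv, fakeSTS)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	if p == nil {
		fmt.Println("AWS_ASSUME_ROLE_ARN not set; base credentials are used unchanged")
		return
	}
	c, err := p.Get()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("assumed %s, key %s expires %s\n", p.roleARN, c.AccessKeyID, c.Expiration.Format(time.RFC3339))
}
```

Run it with AWS_ASSUME_ROLE_ARN exported to see the wrapped path and without it to confirm the existing behaviour is untouched, which is the "does not break any current behaviour" property the thread relies on. The 5 minute expiry window is the design choice worth noting: it must cover clock skew plus the longest single API call, otherwise a credential that is valid at Get time can expire mid-request.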