Save session tags when assuming a role #10283
Conversation
LocalStack Community integration with Pro: 2 files ±0, 2 suites ±0, 1h 23m 57s ⏱️ (-1m 19s). Results for commit d77580c. ± Comparison against base commit b94a2ee. This pull request removes 1 and adds 5 tests. Note that renamed tests count towards both.
♻️ This comment has been updated with latest results.
class STSStore(BaseStore): | ||
# maps access key ids to tags for the session they belong to | ||
session_tags: dict[str, dict[str, str]] = CrossRegionAttribute(default=dict) |
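Review bot: the comment on `session_tags` should say concretely what the key is (the temporary AccessKeyId returned by AssumeRole) and what happens to an entry once that session's credentials expire; this region adds the attribute but shows no removal path, so either document that entries persist for the lifetime of the store or add cleanup on expiry. Since `CrossRegionAttribute` makes the mapping account-scoped rather than region-scoped, it is also worth stating that readers of this mapping must resolve the store through the role's account, not the caller's.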
Creating our own store is probably a good hint that we might want to internalize STS
Yeah, would love that level of control to it, currently a lot of the operations are mocked.
This will at some point be extended anyway, as we need to include session policies as well.
localstack/services/sts/provider.py (Outdated)
if tags: | ||
transformed_tags = {tag["Key"]: tag["Value"] for tag in tags} | ||
store = sts_stores[context.account_id][context.region] |
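Review bot: the store is resolved from `context.account_id` and `context.region`, i.e. the caller, but the session being created belongs to the role whose ARN was passed in; for a cross-account AssumeRole the tags land in the caller's store and a later lookup in the role's account finds nothing. Derive the account from the role ARN before indexing, e.g. `account_id = extract_account_id_from_arn(role_arn)` and `store = sts_stores[account_id][...]`, and decide explicitly which region partition STS (a global service) should use rather than taking it from the request context.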
If I understand this correctly, it means this feature is not cross-account compatible for now, since we should save in the target account/region (based on the ARN of the role).
Assume_role is probably one of the most used operations in the context of cross-account usage 🤔
That is a good catch. We should indeed use the account id of the role to store it (as it is retrieved this way). Should probably hardcode region to us-east-1 as well.
LGTM, thanks for fixing the account id 👍
transformed_tags = {tag["Key"]: tag["Value"] for tag in tags} | ||
# we should save it in the store of the role account, not the requester | ||
account_id = extract_account_id_from_arn(role_arn) | ||
store = sts_stores[account_id]["us-east-1"] |
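Review bot: the literal `"us-east-1"` needs an inline comment stating the intent (STS is a global service, so all session tags for an account live in one region partition regardless of the caller's region); without it the line reads as a bug sitting right next to the account-id fix above. The same comment should make clear that every consumer reading `session_tags` must use the identical account derivation and region literal, ideally through a shared constant rather than repeating the string at each call site.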
nit: Might be good to add a comment explaining why this is statically set to us-east-1. Can be confusing, especially given the effort we're putting into being multi-region everywhere 😁
Motivation
There is no API for retrieving session attributes once the session is created. Since we need the session tags for IAM evaluation, we need to store them.
We store them by access key id instead of session ARN, to avoid collisions with identical SessionNames (those sessions still preserve the right session tags).
Changes
create_role
fixture users to pass additional variables
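The storage pattern discussed in this PR, as an added example that is not LocalStack's own code: a minimal in-memory STS session-tag store keyed by temporary access key id and scoped to the role's account in one fixed region, showing why two sessions with identical SessionNames keep distinct tags and why a cross-account AssumeRole must write to the role's account rather than the caller's. The names `SessionTagStore`, `extract_account_id_from_arn`, `assume_role` and `session_tags_for`, and the ARN regex, are assumptions chosen for this example; the sample role ARN and tags are constructed.

```python
# Added example, not LocalStack's code: in-memory session-tag store keyed by the
# temporary access key id, scoped to the *role's* account and a single region.
# SessionTagStore, extract_account_id_from_arn, assume_role and session_tags_for
# are hypothetical names chosen for this example.
import re
import secrets
from collections import defaultdict

# STS is a global service, so every account's session tags live in one region
# partition regardless of the caller's region (mirrors the hardcoded us-east-1).
STS_GLOBAL_REGION = "us-east-1"

# Assumed ARN shape: arn:aws:iam::<12-digit account>:role/<name or path/name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def extract_account_id_from_arn(role_arn):
    """Return the 12-digit account id embedded in an IAM role ARN."""
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return match.group(1)


class SessionTagStore:
    """account_id -> region -> {access_key_id: {tag_key: tag_value}}."""

    def __init__(self):
        self._stores = defaultdict(lambda: defaultdict(dict))

    def get(self, account_id, region):
        return self._stores[account_id][region]

    def accounts(self):
        return set(self._stores)


def assume_role(stores, role_arn, session_name, tags=None):
    """Simulate AssumeRole: mint temporary credentials and record session tags."""
    # AWS passes tags as a list of {"Key": ..., "Value": ...}; flatten to a dict.
    transformed_tags = {tag["Key"]: tag["Value"] for tag in tags or []}
    # Temporary credentials carry the ASIA prefix; 4 + 16 hex chars = 20 chars.
    access_key_id = "ASIA" + secrets.token_hex(8).upper()
    # Save in the store of the role's account, not the requester's, so that a
    # cross-account AssumeRole is found by the account that evaluates IAM later.
    account_id = extract_account_id_from_arn(role_arn)
    role_name = ROLE_ARN_RE.match(role_arn).group(2)
    if transformed_tags:
        stores.get(account_id, STS_GLOBAL_REGION)[access_key_id] = transformed_tags
    return {
        "AccessKeyId": access_key_id,
        "AssumedRoleArn": f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}",
    }


def session_tags_for(stores, role_arn, access_key_id):
    """Lookup at IAM-evaluation time: same account derivation, same region."""
    account_id = extract_account_id_from_arn(role_arn)
    return stores.get(account_id, STS_GLOBAL_REGION).get(access_key_id, {})
```

Keying by the access key id rather than the assumed-role ARN is what keeps the two `deploy` sessions apart: they share `AssumedRoleArn` but each gets its own key and therefore its own tag set, while `stores.accounts()` shows that only the role's account ever receives an entry.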