
Save session tags when assuming a role #10283

Merged
merged 4 commits into from Feb 21, 2024

Conversation

dfangl (Member) commented Feb 20, 2024

Motivation

There is no API for retrieving session attributes once the session is created. Since we need the session tags for IAM evaluation, we need to store them.

We store them by access key id instead of session ARN, to avoid collisions with identical SessionNames (those sessions still preserve the right session tags).

Changes

  • Allow create_role fixture users to pass additional variables
  • Save session tags based on access key id.
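To make the storage decision in this description concrete, here is an added, self-contained Python sketch; it is not LocalStack's code. The names `STSStore`, `session_tags`, `sts_stores` and `extract_account_id_from_arn` echo the diff discussed in this PR, but the implementations below (the ARN regex, the access key id generator, the `assume_role`, `session_tags_for` and `demo` functions, and the `_STS_REGION` constant) are hypothetical stand-ins, and the account ids, role and tags are constructed sample values. It shows why keying by access key id rather than by session ARN keeps two sessions with the same RoleSessionName apart, and why the store is chosen by the role's account rather than the caller's.

```python
import itertools
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical stand-in for LocalStack's ARN helper: matches an IAM role ARN such as
# arn:aws:iam::222222222222:role/Reader and captures the account id and role name.
_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def _parse_role_arn(arn: str) -> tuple:
    match = _ROLE_ARN.match(arn)
    if match is None:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return match.group(1), match.group(2)


def extract_account_id_from_arn(arn: str) -> str:
    return _parse_role_arn(arn)[0]


@dataclass
class STSStore:
    # maps access key ids to tags for the session they belong to
    session_tags: dict = field(default_factory=dict)


# account id -> region -> store (constructed registry; LocalStack's own differs)
sts_stores = defaultdict(lambda: defaultdict(STSStore))

# STS credentials are not region-scoped, so tags live under a single fixed region
# key; this mirrors the choice the PR settled on.
_STS_REGION = "us-east-1"

_key_counter = itertools.count(1)


def _new_access_key_id() -> str:
    # constructed temporary-credential id in the ASIA... shape, not an AWS-issued one
    return f"ASIA{next(_key_counter):016d}"


def assume_role(caller_account_id: str, role_arn: str, role_session_name: str,
                tags: Optional[list] = None) -> dict:
    """Minimal model of AssumeRole: hand out a key id and record the session tags.

    caller_account_id stands for LocalStack's context.account_id. It is deliberately
    not used to pick the store: the role's own account owns the session tags, so a
    cross-account AssumeRole and the later IAM lookup agree on where they live.
    """
    account_id, role_name = _parse_role_arn(role_arn)
    access_key_id = _new_access_key_id()
    if tags:
        transformed_tags = {tag["Key"]: tag["Value"] for tag in tags}
        store = sts_stores[account_id][_STS_REGION]
        store.session_tags[access_key_id] = transformed_tags
    return {
        "AccessKeyId": access_key_id,
        # two sessions with the same RoleSessionName share this ARN, which is why
        # the ARN is not a usable key for per-session tags
        "AssumedRoleArn": f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{role_session_name}",
    }


def session_tags_for(role_arn: str, access_key_id: str) -> dict:
    """What an IAM evaluator would ask: tags behind a key id, {} for an untagged session."""
    account_id = extract_account_id_from_arn(role_arn)
    return sts_stores[account_id][_STS_REGION].session_tags.get(access_key_id, {})


def demo() -> dict:
    caller = "111111111111"                                   # constructed caller account
    role = "arn:aws:iam::222222222222:role/Reader"            # constructed role in another account
    first = assume_role(caller, role, "app-session", tags=[{"Key": "team", "Value": "blue"}])
    second = assume_role(caller, role, "app-session", tags=[{"Key": "team", "Value": "red"}])
    untagged = assume_role(caller, role, "app-session")
    return {
        "same_session_arn": first["AssumedRoleArn"] == second["AssumedRoleArn"],
        "first_tags": session_tags_for(role, first["AccessKeyId"]),
        "second_tags": session_tags_for(role, second["AccessKeyId"]),
        "untagged": session_tags_for(role, untagged["AccessKeyId"]),
        "stored_in_role_account": "222222222222" in sts_stores and caller not in sts_stores,
    }


if __name__ == "__main__":
    print(demo())
```

`session_tags_for` falls back to an empty dict because `assume_role` writes nothing for a session without tags; an evaluator that treated the missing key id as an error would reject every untagged session.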

@dfangl dfangl added the semver: patch Non-breaking changes which can be included in patch releases label Feb 20, 2024
@dfangl dfangl added this to the 3.2 milestone Feb 20, 2024
@dfangl dfangl changed the title Iam/tag based access Save session tags when assuming a role Feb 20, 2024
coveralls commented Feb 20, 2024

coverage: 83.863% (-0.006%) from 83.869% when pulling 73352f6 on iam/tag-based-access into b94a2ee on master.

github-actions bot commented Feb 20, 2024

LocalStack Community integration with Pro

Files: 2 (±0), Suites: 2 (±0), Duration: 1h 23m 57s (-1m 19s)
Tests: 2 654 (+4): 2 403 passed (+3), 251 skipped (+1), 0 failed (±0)
Runs:  2 656 (+4): 2 403 passed (+3), 253 skipped (+1), 0 failed (±0)

Results for commit d77580c. ± Comparison against base commit b94a2ee.

This pull request removes 1 and adds 5 tests. Note that renamed tests count towards both.

  • tests.aws.services.lambda_.test_lambda.TestLambdaURL ‑ test_lambda_url_echo_invoke
  • tests.aws.services.lambda_.test_lambda.TestLambdaURL ‑ test_lambda_update_function_url_config
  • tests.aws.services.lambda_.test_lambda.TestLambdaURL ‑ test_lambda_url_echo_invoke[BUFFERED]
  • tests.aws.services.lambda_.test_lambda.TestLambdaURL ‑ test_lambda_url_echo_invoke[None]
  • tests.aws.services.lambda_.test_lambda.TestLambdaURL ‑ test_lambda_url_echo_invoke[RESPONSE_STREAM]
  • tests.aws.services.lambda_.test_lambda.TestLambdaURL ‑ test_lambda_url_invalid_invoke_mode


Comment on lines +4 to +6
class STSStore(BaseStore):
# maps access key ids to tags for the session they belong to
session_tags: dict[str, dict[str, str]] = CrossRegionAttribute(default=dict)
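Review bot: `session_tags` is a plain `dict[str, dict[str, str]]` keyed by access key id with no eviction, so entries for sessions whose credentials have long expired accumulate for the lifetime of the store, and tags stay resolvable for a key id STS would no longer honour. Consider recording the session's expiry next to the tags (for example `dict[str, tuple[dict[str, str], datetime]]`) and dropping or ignoring expired entries at lookup time, so the IAM evaluation reading this map cannot be fed tags from a dead session.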
Member

Creating our own store is probably a good hint that we might want to internalize STS

Member Author

Yeah, would love that level of control over it; currently a lot of the operations are mocked.

Member Author

This will at some point be extended anyway, as we need to include session policies as well.


if tags:
transformed_tags = {tag["Key"]: tag["Value"] for tag in tags}
store = sts_stores[context.account_id][context.region]
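Review bot: because of the `if tags:` guard a session assumed without tags writes nothing to the store, so the IAM evaluation code that reads `session_tags` must treat an unknown access key id as an empty tag set (`store.session_tags.get(access_key_id, {})`) rather than as an error, otherwise every untagged session is rejected. The lookup also needs to resolve the same store this write targets; `sts_stores[context.account_id][context.region]` is the caller's account and region, while the evaluator will naturally start from the role ARN of the session being checked.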
Member

If I understand this correctly, it means this feature is not cross-account compatible for now, since we should save in the target account/region (based on the ARN of the role).

Assume_role is probably one of the most used operations in the context of cross-account usage 🤔

Member Author

That is a good catch. We should indeed use the account id of the role to store it (as it is retrieved this way). Should probably hardcode region to us-east-1 as well.

Member

@dominikschubert dominikschubert left a comment

LGTM, thanks for fixing the account id 👍

transformed_tags = {tag["Key"]: tag["Value"] for tag in tags}
# we should save it in the store of the role account, not the requester
account_id = extract_account_id_from_arn(role_arn)
store = sts_stores[account_id]["us-east-1"]
Member

nit: Might be good to add a comment explaining why this is statically set to us-east-1. Can be confusing, especially given the effort we're putting into being multi-region everywhere 😁

@dfangl dfangl merged commit 9ea3a4b into master Feb 21, 2024
21 of 23 checks passed
@dfangl dfangl deleted the iam/tag-based-access branch February 21, 2024 15:12