Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assumed role #29

Closed
Systho opened this issue Oct 15, 2018 · 2 comments
Closed

Assumed role #29

Systho opened this issue Oct 15, 2018 · 2 comments

Comments

@Systho
Copy link

Systho commented Oct 15, 2018

In our setup developer are authenticated through our company but use a role on client company to deploy on their behalf and on their account.

Therefore we ask our client to create a role for us which we can assume for the intervention we do on their account.

I've added this patch which check for a aws_assumed_role_arn key in capistrano config and if present start a special session.

I do not know how frequent our setup is but I'm sharing the code back with you since your gem basically saved me days of work :)

require 'aws/sts'
require 'elbas/aws/credentials'


Elbas::AWS::Credentials.module_eval do


  def overidden_credentials
    @_credentials ||= begin
      _credentials = {
        access_key_id: fetch(:aws_access_key_id, ENV['AWS_ACCESS_KEY_ID']),
        secret_access_key: fetch(:aws_secret_access_key, ENV['AWS_SECRET_ACCESS_KEY'])
      }

      _credentials.merge! region: fetch(:aws_region) if fetch(:aws_region)
      _credentials
    end
  end

  def credentials
    return @patched_credentials if defined?(@patched_credentials)

    credential_hash = overidden_credentials
    assumed_role_arn = fetch(:aws_assumed_role_arn)


    if assumed_role_arn
      sts = ::AWS::STS.new(credential_hash)
      role_credentials = sts.assume_role(
        role_arn: assumed_role_arn,
        role_session_name: "capistrano-session",
      )
      @patched_credentials = role_credentials[:credentials].merge(region: credential_hash[:region])

    else
      @patched_credentials = credential_hash
    end

    @patched_credentials
  end

end
@lserman
Copy link
Owner

lserman commented Feb 27, 2019
edited
Loading

New version of ELBAS will grab creds from the Capistrano variable aws_credentials if specified, that should allow you to do any custom credentials logic without monkey patching :)

@lserman lserman closed this as completed Feb 27, 2019
@Systho
Copy link
Author

Systho commented Dec 17, 2019

For what it's worth, here is how I do it with the new (v3) version :

set :aws_access_key, ENV['AWS_ACCESS_KEY_ID']
set :aws_secret_key, ENV['AWS_SECRET_ACCESS_KEY']
set :aws_region, ENV['AWS_REGION']
set :assumed_role_arn, ENV['AWS_ASSUMED_ROLE_ARN']

set :aws_credentials, -> {
  aws_access_key = fetch :aws_access_key
  aws_secret_key = fetch :aws_secret_key
  assumed_role_arn = fetch :assumed_role_arn

  sts = if aws_access_key.present?
          dev_credentials = ::Aws::Credentials.new(aws_access_key, aws_secret_key)
          ::Aws::STS::Client.new(credentials: dev_credentials)
        else
          ::Aws::STS::Client.new
        end

  role_credentials = sts.assume_role(
    role_arn: assumed_role_arn,
    role_session_name: "capistrano-session",
  ).to_h

  temp_access_key_id = role_credentials[:credentials][:access_key_id]
  temp_secret_access_key = role_credentials[:credentials][:secret_access_key]
  temp_session_token = role_credentials[:credentials][:session_token]

  ::Aws::Credentials.new(temp_access_key_id, temp_secret_access_key, temp_session_token)
}

it was definitely easier than the previous version !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Systho @lserman