Implement Refreshable Chained AWS Session for Multi-Account Role Assumption#59

Merged: rdeshmukh15 merged 5 commits into master from TDL-26582-proxy-aws-changes on Jan 7, 2025

Conversation

@sgandhi1311 (Member) commented Oct 30, 2024

Overview

This PR introduces functionality to establish a chained AWS session for multi-account role assumption, allowing the system to:

  1. Assume a role in a proxy account and use the resulting credentials.
  2. Use the proxy session to assume a secondary role in a customer account.
  3. Automatically refresh both sessions upon expiration using RefreshableCredentials to maintain seamless, uninterrupted access.

Context

Due to the requirement to perform operations in a customer account by first assuming a role in an intermediate (proxy) account, this chained session approach enables:

  • Session Reuse: Enables reusing a single session across AWS services.
  • Automatic Refreshing: Ensures that both sessions are refreshed as needed, avoiding disruptions during operations.

Implementation Details

  1. Primary Role Assumption (Proxy Account):
    • Utilizes AssumeRoleCredentialFetcher to assume a role in Proxy.
    • RefreshableCredentials is used to enable automatic refreshing on expiration.
    • This session is cached to avoid redundant calls and improve performance.
  2. Chained Role Assumption (Customer Account):
    • Leverages the proxy account session to assume a role in Customer.
    • A second AssumeRoleCredentialFetcher is set up with RefreshableCredentials to automatically refresh upon expiry.
  3. Default Session Setup for boto3:
    • Configures boto3 to use this chained session, so all AWS API calls automatically utilize the assumed roles without additional configuration.
    • Logs the current session expiration timestamp to verify that refreshing occurs as expected.

Example Usage

The setup function initializes the chained session, and subsequent boto3 clients can be created without additional steps. Here’s a usage example:

import boto3

# setup_aws_client is the function added by this PR; it installs the chained
# proxy -> customer session as boto3's default session.
config = {
    'proxy_account_id': '123456789012',
    'proxy_role_name': 'ProxyRole',
    'account_id': '987654321098',
    'role_name': 'CustomerRole',
    'external_id': 'CustomerExternalID',
    'region': 'us-east-1'
}

setup_aws_client(config)
dynamodb_client = boto3.client('dynamodb')
# Use dynamodb_client for dynamodb operations, with credentials refreshing automatically
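The implementation details above describe the two-hop chain but the PR page does not show the code behind setup_aws_client. The block below is an added example, written here and not taken from this PR or its repository, of how such a chain is built on botocore's AssumeRoleCredentialFetcher and DeferredRefreshableCredentials. It assumes the config keys from the description, assumes boto3/botocore are installed for the live setup_aws_client function, and the helper names (role_arn, build_hops, refresh_state) and the "proxy-hop"/"customer-hop" session names are this example's own choices. The 15-minute advisory and 10-minute mandatory windows are botocore's defaults for RefreshableCredentials; they are what the expiry timestamp the PR logs should be read against.

```python
"""Chained, self-refreshing AssumeRole session: proxy account -> customer account.

Added example, not the PR's code. Assumes the PR's config keys; boto3/botocore
are needed only for setup_aws_client. Helper names are hypothetical.
"""
from __future__ import annotations

import logging
from datetime import datetime, timezone

try:
    import boto3
    import botocore.session
    from botocore.credentials import (
        AssumeRoleCredentialFetcher,
        DeferredRefreshableCredentials,
    )
except ImportError:  # keep the pure helpers importable where boto3 is absent
    boto3 = None

log = logging.getLogger(__name__)

REQUIRED_KEYS = (
    "proxy_account_id", "proxy_role_name", "account_id",
    "role_name", "external_id", "region",
)
# botocore RefreshableCredentials defaults: try a refresh 15 min before expiry,
# block on a refresh 10 min before expiry.
ADVISORY_REFRESH_SECONDS = 15 * 60
MANDATORY_REFRESH_SECONDS = 10 * 60


def role_arn(account_id: str, role_name: str) -> str:
    """IAM role ARN passed as RoleArn to sts:AssumeRole."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_hops(config: dict) -> list[dict]:
    """Validate the config and return both AssumeRole hops, proxy first.

    Each hop holds the RoleArn and the extra_args forwarded to sts:AssumeRole.
    Only the customer hop carries ExternalId: it must match the condition on
    the customer role's trust policy (the confused-deputy guard).
    """
    missing = [k for k in REQUIRED_KEYS if not config.get(k)]
    if missing:
        raise ValueError("missing config keys: " + ", ".join(missing))
    return [
        {
            "role_arn": role_arn(config["proxy_account_id"], config["proxy_role_name"]),
            "extra_args": {"RoleSessionName": "proxy-hop"},
        },
        {
            "role_arn": role_arn(config["account_id"], config["role_name"]),
            "extra_args": {
                "RoleSessionName": "customer-hop",
                "ExternalId": config["external_id"],
            },
        },
    ]


def refresh_state(remaining_seconds: float) -> str:
    """Classify seconds-to-expiry the way RefreshableCredentials does.

    'fresh': no refresh yet; 'advisory': a refresh is attempted, failures are
    tolerated; 'mandatory': the next call blocks until refreshed; 'expired'.
    """
    if remaining_seconds <= 0:
        return "expired"
    if remaining_seconds <= MANDATORY_REFRESH_SECONDS:
        return "mandatory"
    if remaining_seconds <= ADVISORY_REFRESH_SECONDS:
        return "advisory"
    return "fresh"


def setup_aws_client(config: dict):
    """Install the chained session as boto3's default session and return it."""
    if boto3 is None:
        raise RuntimeError("boto3/botocore are required for the live session")
    hops = build_hops(config)
    base = botocore.session.get_session()
    base.set_config_variable("region", config["region"])
    # Source credentials for the proxy hop come from the normal provider chain
    # (environment, profile, instance role).
    creds = base.get_credentials()
    if creds is None:
        raise RuntimeError("no source credentials available for the proxy hop")
    for hop in hops:
        fetcher = AssumeRoleCredentialFetcher(
            client_creator=base.create_client,
            source_credentials=creds,  # previous hop's refreshable credentials
            role_arn=hop["role_arn"],
            extra_args=hop["extra_args"],
        )
        # Deferred: no STS call until first use. A refresh of hop 2 pulls fresh
        # hop-1 credentials through source_credentials, so both hops stay valid.
        creds = DeferredRefreshableCredentials(
            refresh_using=fetcher.fetch_credentials, method="assume-role"
        )
    chained = botocore.session.get_session()
    chained._credentials = creds  # private attribute: no public setter for a provider object
    boto3.setup_default_session(botocore_session=chained, region_name=config["region"])
    frozen = creds.get_frozen_credentials()  # forces the first AssumeRole chain
    expiry = creds._expiry_time  # private: the timestamp the PR logs for verification
    remaining = (expiry - datetime.now(timezone.utc)).total_seconds()
    log.info("chained session ready, key %s..., expires %s (%s)",
             frozen.access_key[:4], expiry.isoformat(), refresh_state(remaining))
    return chained
```

The loop is the point: the second fetcher's source_credentials is the first hop's DeferredRefreshableCredentials, which is the same mechanism botocore uses for profile chains, so a refresh of the customer-account token transparently re-assumes the proxy role when that token is also near expiry. Keeping ExternalId on the customer hop only, and the role ARNs derived from the validated config, means a missing or empty external_id fails at setup time rather than producing an AssumeRole that the customer's trust policy silently accepts without the guard.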

@sgandhi1311 sgandhi1311 changed the title from "setup token chain using the AWS proxy account" to "Implement Refreshable Chained AWS Session for Multi-Account Role Assumption" Oct 30, 2024
@rdeshmukh15 rdeshmukh15 marked this pull request as ready for review November 29, 2024 09:07
@rdeshmukh15 rdeshmukh15 merged commit 3493a27 into master Jan 7, 2025