
Allow external_id when assume_role is used in AWS sources/sinks #17739

Closed
marcel-puchol-jt opened this issue Jun 23, 2023 · 0 comments · Fixed by #17743
Labels
provider: aws Anything `aws` service provider related type: feature A value-adding code addition that introduce new functionality.

Comments

@marcel-puchol-jt

A note for the community

AWS recommends adding the external_id when assume_role is used and 3rd party AWS resources are used (details in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).

However,

Use Cases

It's useful when a role from another AWS account needs to be assumed, in order to prevent the confused deputy problem.

Attempted Solutions

Tried to use auth.credentials_file, but as I'm also using IRSA, following the documentation present in https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html, I tried to configure the credentials file by setting the default profile as the web-identity and the profile awslogs with the role_arn and external_id. However, it didn't work because it complained about needing the region in the default one (the environment variable was set properly, and I also tried to add the region parameter in the credentials file, but it's not supposed to be there and it failed). Also tried other alternatives, but all of them failed.

Proposal

Add external_id in auth parameters related to AWS resources.

As an example, the following config should work when AWS CloudWatch Logs is used as a sink (details in https://vector.dev/docs/reference/configuration/sinks/aws_cloudwatch_logs/#auth):

```yaml
sinks:
  cloudwatch:
    auth:
      assume_role: {assumed_role_arn}
      external_id: myexternalid
```

References

No response

Version

0.30.0
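As an added example (not Vector's own code, and not the issue author's), the Python below models why the external_id matters in the cross-account case the issue describes, and lints a parsed Vector-style config for auth blocks that set assume_role without an external_id. The IAM evaluation is a deliberately minimal model (Effect, AWS principal and the sts:ExternalId condition only); the account ids, role ARNs (the `{assumed_role_arn}` placeholder from the proposal becomes a constructed ARN), external ids and the config mapping are all constructed for illustration.

```python
"""Added example, not code from the Vector project or the issue author.

Two small checks around the external_id proposal:
  1. a minimal model of how STS evaluates an AssumeRole call against a role
     trust policy whose statement carries a StringEquals sts:ExternalId
     condition, showing why the external_id closes the confused deputy gap;
  2. a lint over a parsed Vector-style config that reports auth blocks which
     set assume_role but omit external_id.

Assumptions: the IAM model only looks at Effect, the AWS principal and the
sts:ExternalId condition (real IAM evaluates much more); the account ids,
role ARNs, external ids and the config mapping are constructed.
"""
import json

# constructed: the account/role Vector (the deputy) runs as
DEPUTY_ARN = "arn:aws:iam::222222222222:role/vector-deputy"
# constructed: the customer's role that Vector assumes ({assumed_role_arn} above)
CUSTOMER_ROLE_ARN = "arn:aws:iam::111111111111:role/vector-ingest"

# Constructed trust policy attached to CUSTOMER_ROLE_ARN. It trusts the deputy,
# but only when the caller also presents the external id the customer handed out.
CUSTOMER_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:role/vector-deputy"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "cust-a-7f3e"}}
  }]
}
""")


def assume_role_allowed(trust_policy, caller_arn, external_id=None):
    """Minimal model of STS checking an AssumeRole call against a trust policy.

    Allowed only if some Allow statement names caller_arn as principal and any
    sts:ExternalId condition on it equals the id sent with the request. A call
    that sends no ExternalId cannot satisfy a StringEquals condition, which is
    how IAM treats a context key that is absent from the request.
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if caller_arn not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


def confused_deputy_scenarios():
    """Three AssumeRole attempts on the customer's role, all made by the deputy."""
    return {
        # deputy configured with this customer's id: allowed
        "deputy_with_customer_id": assume_role_allowed(CUSTOMER_TRUST_POLICY, DEPUTY_ARN, "cust-a-7f3e"),
        # deputy pointed at this role while carrying another tenant's id: denied,
        # which is exactly the confused deputy case the condition exists for
        "deputy_with_other_tenant_id": assume_role_allowed(CUSTOMER_TRUST_POLICY, DEPUTY_ARN, "cust-b-0000"),
        # deputy sending no external id at all: denied
        "deputy_without_id": assume_role_allowed(CUSTOMER_TRUST_POLICY, DEPUTY_ARN),
    }


# Constructed: the proposed sink next to one that omits external_id, in the
# mapping shape Vector would hold after parsing YAML or TOML.
VECTOR_CONFIG = {
    "sinks": {
        "cloudwatch_weak": {
            "type": "aws_cloudwatch_logs",
            "auth": {"assume_role": CUSTOMER_ROLE_ARN},
        },
        "cloudwatch": {
            "type": "aws_cloudwatch_logs",
            "auth": {"assume_role": CUSTOMER_ROLE_ARN, "external_id": "cust-a-7f3e"},
        },
    }
}


def assume_role_without_external_id(config):
    """Return 'section.name' for every source/sink whose auth block sets
    assume_role without an external_id, so the gap is caught before deploy."""
    findings = []
    for section in ("sources", "sinks"):
        for name, component in config.get(section, {}).items():
            auth = component.get("auth") or {}
            if "assume_role" in auth and not auth.get("external_id"):
                findings.append(f"{section}.{name}")
    return findings


if __name__ == "__main__":
    print(confused_deputy_scenarios())
    print("assume_role without external_id:", assume_role_without_external_id(VECTOR_CONFIG))
```

The trust-policy side is what the customer account must set up for the external_id to do anything; the lint is the kind of pre-deploy check that makes the proposed `external_id` field easy to enforce across all AWS sources and sinks once it exists.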

@marcel-puchol-jt marcel-puchol-jt added the type: feature A value-adding code addition that introduce new functionality. label Jun 23, 2023
@jszwedko jszwedko added the provider: aws Anything `aws` service provider related label Jun 23, 2023
github-merge-queue bot pushed a commit that referenced this issue Jul 21, 2023
aws assume role did not have support for specifying external id which is
quintessential for security concerned consumers.

P.S. [contributing
guidelines](https://github.com/vectordotdev/vector/blob/44be37843c0599abb64073fe737ce146e30b3aa5/CONTRIBUTING.md)
is empty, help me if I'm missing anything.

Closes: #17739

---------

Co-authored-by: Spencer Gilbert <spencer.gilbert@datadoghq.com>