Fwd: AWS Cross Account Roles
Paul Eipper
lkraider at gmail.com
Fri Mar 4 18:07:26 UTC 2016
Mark,
I think it would work well, from a user perspective, to have all this
config be in the environments.yaml file with the same setup as the aws
cli config. Something like this:
```
environments:
  amazon-cross-account:
    type: ec2
    region: sa-east-1
    access-key: AWSKEY
    secret-key: #TheSecretKey
    # cross account access
    role-arn: arn:aws:iam::123456:role/ExternalDeployRole
    external-id: #ExternalCrossAccountKey
```
On the Juju core machinery, it would have to implement the request and
renewal of access tokens.
## References
AWS AssumeRole docs:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
Example Python code (using their SDK):
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html
https://boto3.readthedocs.org/en/latest/reference/services/sts.html#client
AWS Go SDK AssumeRoleProvider source:
https://github.com/aws/aws-sdk-go/blob/0c3b505eddd9781c460b0ca059522a0725f102fc/aws/credentials/stscreds/assume_role_provider.go
## Issue Tracking:
https://bugs.launchpad.net/juju-core/+bug/1316602
https://github.com/go-amz/amz/issues/62
att,
--
Paul Eipper
On Fri, Mar 4, 2016 at 12:23 PM, Mark Shuttleworth <mark at ubuntu.com> wrote:
>
> Paul, it would be interesting to see a proposal on how you'd like it to
> work.
>
> Mark
>
> On 03/03/16 21:36, John Meinel wrote:
>> At the moment I don't believe we do. We just use your access key and secret
>> key to identify you to EC2 when we make requests. We don't support using
>> temporary credentials via Assume role.
>> For those of us wanting to know more, here is the AWS page
>> http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
>>
>> The big internal technical limitation is that AssumeRole based access needs
>> to be refreshed periodically (the temporary keys are good for at most 1
>> hour).
>
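A sketch of the request-and-renewal machinery Paul's proposal asks for, added here as an example and not code from Juju or the AWS SDK: it takes the role-arn and external-id keys from the proposed environments.yaml stanza, caches the temporary keys, and re-assumes the role shortly before the one-hour expiry John mentions. The STS call is abstracted behind AssumeRoleFunc (an assumed name) so the renewal logic can run offline against a fake.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// Creds is the temporary key set STS hands back for an assumed role.
type Creds struct {
	AccessKey, SecretKey, SessionToken string
	Expiration                         time.Time
}

// AssumeRoleFunc stands in for the STS AssumeRole call (real code would wrap the AWS SDK).
type AssumeRoleFunc func(roleARN, externalID string) (Creds, error)

// RoleProvider caches assumed-role credentials and renews them before they expire.
type RoleProvider struct {
	RoleARN, ExternalID string // the role-arn / external-id keys from environments.yaml
	Assume              AssumeRoleFunc
	Window              time.Duration    // renew when this close to Expiration
	Now                 func() time.Time // injectable clock; nil means time.Now
	mu                  sync.Mutex
	cache               Creds
}

// Get returns usable credentials, calling AssumeRole only when nothing is cached or the cache is within Window of expiring.
func (p *RoleProvider) Get() (Creds, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.RoleARN == "" || p.ExternalID == "" {
		return Creds{}, errors.New("role-arn and external-id are both required")
	}
	now := p.Now
	if now == nil {
		now = time.Now
	}
	if !p.cache.Expiration.IsZero() && now().Add(p.Window).Before(p.cache.Expiration) {
		return p.cache, nil // still fresh enough, no STS round trip
	}
	c, err := p.Assume(p.RoleARN, p.ExternalID)
	if err != nil {
		return Creds{}, err // keep the old cache untouched; caller may retry
	}
	p.cache = c
	return c, nil
}

func main() {} // package entry point; the provider is exercised by callers such as the test
```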