This module will provision AWS Lambda function and AWS API Gateway to retrieve temporary STS credential from assumed-role ARN
It will be useful when we need to enable AWS resource access to services / entities running outside of AWS.
- IAM Roles with required IAM policies.
- Configure Trusted Relationship in assumed IAM Roles after lambda function provisioned
Aside of default prerequisites, here are some additional resource to be provisioned prior this module usage:
- Route53 Zone for domain name
- Access to
us-east-1aws region
- Terraform version
0.11.x. - awsudo to assume role in AWS
- Visual Studio Code is the best editor for the Terraform Extension. After install activate auto format by go to
File→Preferences→Settings. ChooseText Editor→Formattingand checkFormat on Save - pre-commit-terraform
- Install dependencies
- Execute
pre-commit install - Go to
examplesand go to each scenario - Follow instruction in
README.md
Request:
curl -X POST \
https://<INVOKE URL of API Gateway> \
-H 'Content-Type: application/json' \
-d '{
"assumed_role_arn" : "arn:aws:iam::XXXXXXXXXXXX:role/crossaccount/XXXXXXXXXXXX/XXXXXXXXXXXX-XXXXXXXXXXXX",
"token_duration" : 1800,
"external_id" : "XXXXXXXXXXXX",
"expiry_window" : 10
}'
Response:
{
"Version": 1,
"AccessKeyId": "XXXXXXXXXXXX",
"SecretAccessKey": "XXXXXXXXXXXX",
"SessionToken": "XXXXXXXXXXXX",
"Expiration": "2019-12-08T16:18:03Z"
}assumed_role_arn is mandatory field. And should be filled with ARN of IAM role that you want to get credentials from.
If omitted, token_duration and expiry_window will have 3600 and 0 as default value.
external_id is optional when you configured it in IAM role trust_relationship.
See:
Session Duration Limit for Role chaining
Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour.
When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter.
You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role.
However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails.
Check contribution guide in CONTRIBUTING.md
For question, issue, and pull request you can contact these people:
- Frans Caisar Ramadhan (Author)
See the LICENSE
This repository was made possible by getting inspirations from below parties:
- Readme Template
- Friendly Readme
- Opensource Guide
- Github Repository Template
- Inspiration from other open source projects