Preferred Usage Patterns -- Role Chaining #369

Open
rpattcorner opened this issue Jan 31, 2023 · 2 comments
Labels
question waiting Waiting for answer

Comments

@rpattcorner (Author) opened the issue:

aws-adfs offers some serious advantages over our current bash scripting for AD-based credentials. But for it to be useful in the use cases I have, I'll need to extend it ... either from the outside (in a script wrapper) or by forking and extending (obviously harder!). How have people extended it up to now architecturally?

The main issue and use case is role chaining. There is a series of accounts that users access by:

  • Authenticating with AD (scripted) which accesses a neutral role with only privileges to assume other roles in other accounts
  • Chaining to target roles in the target accounts using the initial AD role assume credentials

This architecture is quite common with the advent of AWS Organizations and account-per-project architectures. So I wonder if anyone solved this chaining scenario using aws-adfs?

If not:

  • I see current code can write the temporary creds to the usual environment variables for postprocessing via --printenv. I assume that's the way to move forward in a wrapper script?
  • Is there an obvious point in code to internally extend the functionality and have aws-adfs do the chaining? If so, is there an obvious place to put the secondary configuration, e.g. all role arns the initial role can chain to
  • Is there an existing mode where current code can be addressed as a python library from a custom python wrapper?
  • Other thoughts?

Then there are time limits, especially with role chaining. I see from your example that aws-adfs can be placed (manually?) in the ~/.aws/config like this:

[profile example-role-ue1]
credential_process=aws-adfs login --region=us-east-1 --role-arn=arn:aws:iam::1234567891234:role/example-role --adfs-host=adfs.example.com --stdout

but it's not clear from the AWS doc how that command is activated. Is this credential_process something that is somehow automatically run as temporary creds expire? How is that line processed/run/made effective?

If we were able to usably extend to chained roles, credential_process might solve the problem of long-running jobs dying after the statutory one hour lifetime on chained creds.

Anyway, thoughts welcome! Thanks for a great capability!

@pdecat (Collaborator) commented Feb 1, 2023

Hi @rpattcorner,

In our use case, role chaining is accomplished using native AWS CLI features, e.g.:

[profile base-adfs-profile]
credential_process=aws-adfs login --region=us-east-1 --role-arn=arn:aws:iam::1234567891234:role/example-role --adfs-host=adfs.example.com --stdout

[profile chained-profile]
role_arn = arn:aws:iam::2345678912345:role/my-role
source_profile = base-adfs-profile

Regarding credential_process, it is the responsibility of the invoked command to cache credentials if desired:

Note: The AWS CLI does not cache external process credentials the way it does assume-role credentials. If caching is required, you must implement it in the external process.

See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

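The AWS CLI and SDKs run a profile's credential_process command on demand whenever that profile's credentials are needed, and, as the quoted documentation says, they do not cache what it prints. The following is an added example, not code from aws-adfs or from either participant: a small caching wrapper that sits between the CLI and the inner command (for instance `aws-adfs login ... --stdout`), validates the Version 1 JSON document that credential_process expects (AccessKeyId, SecretAccessKey, SessionToken, Expiration), and reuses it from a mode 0600 cache file until shortly before it expires. The cache path, the five-minute refresh margin and the `fetch` callable are assumptions of this example; the sample credential values in the comments are constructed.

```python
"""Caching wrapper for an AWS credential_process command (added example).

Not part of aws-adfs.  The AWS CLI does not cache credential_process output,
so a wrapper has to: run the inner command, validate the JSON it prints,
store it in a cache file and reuse it until close to Expiration.
"""
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timedelta, timezone

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
SKEW = timedelta(minutes=5)  # assumption: refresh this long before expiry


def parse_expiration(value):
    """credential_process Expiration is ISO 8601; accept a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(creds):
    """Check the document has the shape the AWS CLI expects (Version 1)."""
    if not isinstance(creds, dict) or creds.get("Version") != 1:
        raise ValueError("credential_process output must have Version: 1")
    missing = [k for k in REQUIRED if k not in creds]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    parse_expiration(creds["Expiration"])  # raises ValueError if malformed
    return creds


def is_fresh(creds, now):
    """True while the credentials are still usable after the safety margin."""
    return parse_expiration(creds["Expiration"]) - SKEW > now


def load_cache(path, now):
    """Return cached credentials if the file exists, parses and is fresh."""
    try:
        with open(path) as fh:
            creds = validate(json.load(fh))
    except (OSError, ValueError):
        return None
    return creds if is_fresh(creds, now) else None


def save_cache(path, creds):
    """Write atomically with mode 0600 so the session token is never world readable."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def get_credentials(fetch, cache_path, now=None):
    """Return (credentials, source); source is 'cache' or 'fetched'.

    fetch is a callable returning the JSON text printed by the inner
    credential_process command; it is only invoked when the cache is stale.
    """
    now = now or datetime.now(timezone.utc)
    cached = load_cache(cache_path, now)
    if cached is not None:
        return cached, "cache"
    creds = validate(json.loads(fetch()))
    if not is_fresh(creds, now):
        raise ValueError("inner command returned already-expired credentials")
    save_cache(cache_path, creds)
    return creds, "fetched"


def run_inner(argv):
    """Real fetch: run the inner credential_process command, return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Hypothetical ~/.aws/config line for the base profile:
    #   credential_process = python3 /opt/cred_cache.py ~/.cache/adfs.json aws-adfs login --region=us-east-1 --role-arn=arn:aws:iam::1234567891234:role/example-role --adfs-host=adfs.example.com --stdout
    cache, *inner = sys.argv[1:]
    creds, _ = get_credentials(lambda: run_inner(inner), cache)
    print(json.dumps(creds))
```

With the base profile wired through this wrapper, the `chained-profile` above keeps working unchanged: the CLI assumes `role_arn` using whatever the base profile's credential_process returns, and only the base-profile call benefits from the cache. The wrapper cannot extend the lifetime of the chained session itself: a role assumed with temporary credentials from another role is capped at one hour by AWS regardless of the target role's maximum session duration, so a long-running job has to re-resolve the chained profile rather than hold one session.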
@rpattcorner (Author) replied:

Many thanks @pdecat . That's really helpful!
