bastillion-io / Bastillion-EC2

A web-based SSH console to execute commands and manage multiple EC2 instances simultaneously running on Amazon Web Services (AWS).
https://www.bastillion.io/features.html#ec2box

3rd party IAM Role ??? #70

Open ThinkBriK opened 5 years ago

ThinkBriK commented 5 years ago

Could you explain why you would need a 3rd party IAM role to have Bastillion read the list of instances? Actually, it allows your AWS account to access too much information within our infrastructure in my opinion.

skavanagh commented 5 years ago

Originally I had the users set their access keys themselves, but in order to have it in the AWS marketplace, Amazon had me make the change to use the 3rd party IAM role.

Using the 3rd party IAM role, temporary credentials are issued to your running bastillion instance.

https://github.com/bastillion-io/Bastillion-EC2/blob/master/src/main/java/io/bastillion/manage/util/AWSClientConfig.java#L141-L154

I would have to know what those temporary credentials were to actually access your information.

Here is a blog on the setup...

https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saas-subscription-across-multiple-aws-accounts/

On Fri, Sep 6, 2019 at 6:10 AM Benoit BARTHELEMY notifications@github.com wrote:

Could you explain why you would need a 3rd party IAM role to have Bastillion read the list of instances? Actually, it allows your AWS account to access too much information within our infrastructure in my opinion.


ThinkBriK commented 5 years ago

OK, thank you for this clarification. I guess you should add it to the docs, because some deployments require extended security and this part is not really clear. In the same vein, could you provide another policy than EC2ReadOnly? It's really large and I'd prefer having a list of the individual privileges required. I could even write the policy for you if you need!
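As an added example (not Bastillion's code), a small reviewer check in Python for the two points raised above: whether a third-party role's trust policy is pinned to one vendor account and requires an sts:ExternalId, as the AWS third-party-access doc linked in this thread recommends, and which Allow actions in the permission policy are wildcards that could be narrowed. All account ids, the external id and the policies below are constructed samples.

```python
import json

# Constructed trust policy in the third-party (cross-account) shape from the
# AWS doc linked in the thread: only one vendor account may assume the role,
# and only when it presents the agreed sts:ExternalId. Account id is a placeholder.
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]})
# Same role, but trusting the vendor account with no ExternalId condition.
WEAK_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]})
# Constructed permission policies: a wildcard grant in the spirit of the broad
# EC2ReadOnly policy objected to above, and a narrowed single-action variant.
BROAD_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]})
NARROW_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}]})


def _as_list(value):
    """IAM allows Action/Principal/Statement to be a string, a dict or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _allow_statements(policy_json):
    doc = json.loads(policy_json)
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def trust_policy_findings(policy_json):
    """Return review findings for a role's trust policy (empty list means none)."""
    findings = []
    for st in _allow_statements(policy_json):
        if "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in principals:
            findings.append("trust policy: AssumeRole allowed for any AWS principal")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("trust policy: no sts:ExternalId condition (confused-deputy risk)")
    return findings


def wildcard_actions(policy_json):
    """List Allow actions in a permission policy that use '*' (candidates for narrowing)."""
    actions = {a for st in _allow_statements(policy_json) for a in _as_list(st.get("Action"))}
    return sorted(a for a in actions if "*" in a)
```

Run it against the exported JSON of the role you actually deploy; the constructed policies only show the pass and fail shapes.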

ThinkBriK commented 5 years ago

Regarding https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saas-subscription-across-multiple-aws-accounts/, it is referring to your accounts: it's about a SaaS provider (which you're not so far) using a distinct account for the marketplace and the account running the SaaS infrastructure (not the client's), and using privileges from the Marketplace account in the Infrastructure account.

Actually, by following your current setup you could read our whole infrastructure from your account (provided you know our account id), which is not required. I'm 99% sure there was a misunderstanding with AWS Marketplace, as you're not hosting any SaaS service (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html).

You should try to clarify this point, in my opinion!