search

common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License
1.14k stars 103 forks source link

Add support / documentation for Codespaces #401

Open robbycuenot opened 1 year ago

robbycuenot commented 1 year ago

I've been using granted within Windows Sandbox as a way to spin up a fresh AWS dev environment with access to all SSO roles. Recently, Github Codespaces has caught my attention as a far more robust solution (which also happens to run linux natively). Using Granted within this would be a fantastic way to get new devs up to speed.

So far, I have gotten it working with the following steps, running VSCode locally on Windows 10 connected to a remote codespace. The only piece that is not yet working, is the integration with the firefox granted-containers extension.

Repro Steps:

  1. Create a Codespace Secret: AWS_SSO_URL
    • https://yourorgid.awsapps.com/start
  2. Create another Codespace Secret: AWS_REGION
    • us-east-1 - the region in which your SSO instance is located
  3. Create the following file structure at the root of your repository: 
    ./
.devcontainer/
    Dockerfile
    devcontainer.json
    postattach.sh
  4. Dockerfile: 
    
FROM mcr.microsoft.com/devcontainers/universal:2

RUN \

Install Granted CLI \

curl -OL releases.commonfate.io/granted/v0.9.1/granted_0.9.1_linux_x86_64.tar.gz \
&& sudo tar -zxvf ./granted_0.9.1_linux_x86_64.tar.gz -C /usr/local/bin/ \

# Enable granted assume command
&& echo 'alias assume="source assume"' >> /home/codespace/.bashrc \
&& echo 'alias assume="source assume"' >> /home/codespace/.profile \

# Enable AWS CLI autocompletion in Bash
&& echo "complete -C aws_completer aws" >> /home/codespace/.bashrc \
&& echo "complete -C aws_completer aws" >> /home/codespace/.profile \

# Change ownership to the codespace user
&& chown codespace:codespace /home/codespace/.bashrc /home/codespace/.profile
6. devcontainer.json

{ "dockerFile": "Dockerfile", "features": { "ghcr.io/devcontainers/features/aws-cli:latest": {} }, "postAttachCommand": "./.devcontainer/postattach.sh", "customizations": { // Configure properties specific to VS Code. "vscode": { // Add the IDs of extensions you want installed when the container is created. "extensions": [ "GitHub.codespaces", "ms-vscode-remote.remote-containers" ] } } }

7. postattach.sh

!/bin/bash

Clear out any existing AWS config

rm -rf ~/.aws rm -rf ~/.granted

Create profile for AWS SSO (ct for Control Tower)

mkdir -p ~/.aws echo "[profile ct]" >> ~/.aws/config echo "sso_start_url = $AWS_SSO_URL" >> ~/.aws/config echo "sso_region = $AWS_REGION" >> ~/.aws/config

Create granted config

mkdir -p ~/.granted echo 'DefaultBrowser = "CHROME"' >> ~/.granted/config echo CustomBrowserPath = \"$BROWSER\" >> ~/.granted/config echo CustomSSOBrowserPath = \"\" >> ~/.granted/config echo Ordering = \"\" >> ~/.granted/config echo ExportCredentialSuffix = \"\" >> ~/.granted/config

Log in to AWS SSO

aws sso login --profile ct

Populate all AWS SSO accounts/roles

granted sso populate --sso-region $AWS_REGION $AWS_SSO_URL


With this code in place, you can launch a Codespace from the repository. Upon attachment by vscode, the following actions are taken:
1. An AWS Profile for SSO is created from the secrets
2. AWS CLI opens a browser window on the local machine for auth
3. User authenticates in-browser, returns to vscode
4. A granted config is established, replacing the browser executable with the $BROWSER env variable that Codespaces injects. This variable routes web requests that would normally open in browser to a special shell script, which routes the request to the local machine. This typically looks something like this:

/vscode/bin/linux-x64/ee2b180d582a7f601fa6ecfdad8d9fd269ab1884/bin/helpers/browser.sh


5. Granted populates all accounts based on the secrets provided

This workflow goes from zero -> fully authenticated AWS SSO environment in a few seconds flat, with no manual copying and pasting. Need to reset? Nuke the codespace and start over.

The only piece missing, as I mentioned at the top, is support for firefox containers. Unfortunately, the browser.sh shell script and vscode only know how to handle http/https/mailto protocol headers. Anything else prompts windows to search for an app on the Microsoft Store to open files of the 'vscode-remote' type. Even adding custom protocol handlers to the Windows Registry does not work, as the header gets mutated by vscode before it reaches Windows. This is not a dealbreaker, just something that can hopefully be fixed :)
robbycuenot commented 1 year ago

Created a repo with the codespaces demo here: https://github.com/robbycuenot/codespaces-aws-granted

robbycuenot commented 1 year ago

Wrote a blog post about codespaces, with a demo of granted: https://cuenot.io/articles/github-codespaces/

robbycuenot commented 1 year ago

Bump; any thoughts on this?

evbo commented 6 months ago

I would recommend documentation that clearly shows how to setup a simple devcontainer with granted working. There's little pieces of information floating around the internet, for instance: https://medium.com/@josh.armitage/using-granted-in-a-dev-container-e355a3045c70

And then this github issue looks promising. But before running with codespaces, can we first walk with a local devcontainer?

evbo commented 6 months ago

related: https://github.com/common-fate/granted/issues/401 https://github.com/common-fate/granted/issues/493

robbycuenot commented 6 months ago

I've demonstrated this working in a Codespace / Devcontainer environment here: https://github.com/robbycuenot/codespaces-aws-granted

I've been using this reliably for the last year or so