Closed GarrettBlinkhorn closed 5 months ago
I went ahead and upgraded my "digitickets/cli/aws"
to 6.0.1
just to rule out any possible differences there. I can see that the formatting of the script has changed but the fundamental issue described above still persists.
Additionally, I've discovered a new bug in the latest version when making the STS call for temporary creds:
### Get temporary credentials from AWS STS
if ! eval "aws sts assume-role \
--role-arn ${ASSUME_ROLE_ARN} \
${AWS_CLI_EXTERNAL_ID_PARAM:-} \
--role-session-name ${ROLE_SESSION_NAME:-AssumingRole} \
--output json \
--debug
${AWS_CLI_PROFILE_PARAM:-} \
${AWS_CLI_REGION_PARAM:-} \
" \
>"${AWS_STS_JSON}" \
2>"${AWS_STS_ERROR_LOG}"; then
echo '{"error":"The call to AWS to get temporary credentials failed"}' >&2
exit 4
fi
The --debug
is missing its \
which causes this command to fail and throw the error message described. Adding the \
locally resolved the issue here, though the core issue described above continues to persist.
Hi. Thanks for this (and sorry for the delay).
I've just released. v6.0.2 for the silly bug fix on the debug.
Just looking at the logic for profile with assume role. It makes perfect sense to only use the profile once within the script. Either to assume a supplied role, or to use as part of the AWS call. Using it for both is sort of daft! So, yeah, sorry about that.
Will do my usual reviews and get it sorted.
V6.1.0 has just been released. The approach I've used is to remove the profile variable once it has been successfully used to assume a role. If there was no role to assume, then the profile variable remains in place and will then be used against the AWS CLI call as before.
Hopefully this covers it.
Thanks for taking a look - I've tested v6.1.0
on my end and can confirm that it resolved the issue described above. Unsetting the profile variable is a much cleaner solution than the if-else
solution I had originally proposed in https://github.com/digitickets/terraform-aws-cli/pull/12 as well
I'm closing this issue since the latest release resolved it.
Happy to have helped.
On Wed, 31 Jan 2024, 13:36 Garrett Blinkhorn, @.***> wrote:
Closed #11 https://github.com/digitickets/terraform-aws-cli/issues/11 as completed.
— Reply to this email directly, view it on GitHub https://github.com/digitickets/terraform-aws-cli/issues/11#event-11655873497, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAADEAIYSNO7BU2X7MFV46DYRJCF5AVCNFSM6AAAAABCCIFNUWVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJRGY2TKOBXGM2DSNY . You are receiving this because you commented.Message ID: @.*** com>
Versions
Expected Behavior
If I supply both a
profile
and anassume_role_arn
to the module, then the module should useprofile
to retrieve a temporary set of credentials forassume_role_arn
, then execute the desiredquery
using the temporary credentials that were retrieved, not theprofile
itself.In my case, I have a
profile
configured for the account where I store my Terraform state/resources and I want to make a cross-account role assumption toassume_role_arn
so that I can use this module to read some data from the target account.In
aws_cli_runner.sh
, if the user passes theassume_role_arn
then the script uses theprofile
param alongside theassume_role_arn
to retrieve a set of temporary credentials and store them asAWS_ENV_VARS
.Problem
The
aws
command which executes theaws_cli_commands
also includes theAWS_CLI_PROFILE_PARAM
ifprofile
is provided, which it is in this case:This prevents the temporary credentials that were fetched earlier from actually being used, meaning that if both
profile
andassume_role_arn
are passed, then its not actually possible to use the credentials that were fetched to run theaws
command using theassume_role_arn
.Additional Findings
profile
that handles the role assumption itself and pass that newprofile
then the command executes properly. If I pass this newprofile
alongside the sameassume_role_arn
then the command executes properly as well, but credentials are being sourced from my local~/.aws/credentials
rather than the temporary ones that were fetched:Desired Outcome
Remediate the above so that when both a
profile
and anassume_role_arn
are passed, the script uses theprofile
to fetch the temporary credentials necessary toassume_role_arn
then uses said credentials to execute thecli_query
.In my case, I have data in
Account A
that I would like make read-only for other teams in other accounts. Those teams have unique aws profiles that they use inside of their own accounts. I want to create a ReadOnly role inAccount A
, then allow other teams to use this role to read the data inAccount A
.I would grant
AssumeRole
rights on my ReadOnly role to the unique roles that pertain to each different team's specific profiles, so that they can use this module and those profiles to assume the ReadOnly role and execute the query inAccount A
.In this way, I can control Read access to
Account A
simply by adding and removingAssumeRole ARNs
to my ReadOnly role policy. Then consuming teams can use our existing IAM role structure and this module to read the relevant data.