Open bkmartinjr opened 2 years ago
Hi @kislyuk - any update on thinking about solutions? I have multiple users who operate in the same account, and who all want to use aegea. The use case is largely running "personal" instances for manual data analysis, etc.
For example, could we have an option to generate a role name that is based upon a per-user unique name or user-specified key in their config?
Hi @bkmartinjr - thanks for reaching out. I'm very swamped right now and would like to take some more time to think about the optimal way to do this. The solution may involve storing configuration information somewhere in the AWS account (like AWS Parameter Store), or (as you suggest) something like `aegea launch --personal-iam-role` to name the IAM role after the name of the person launching it.
Complicating things is the fact that there is no concept of "user name" when using SSO/AssumeRole/identity federation in AWS (which all enterprises do nowadays) - there is no standard session name, so an assume role session may look like:

```
arn:aws:sts::123456789012:assumed-role/role-name/andrey.kislyuk@color.com
arn:aws:sts::123456789012:assumed-role/role-name/bruce/session-id
arn:aws:sts::123456789012:assumed-role/role-name/session-id
```

- where the session id is not stable and won't provide enough information to do anything (so I have to make an educated guess at the username and hope that it's correct, or risk proliferating invalid/unused IAM role names).

While I come up with a solution, I recommend putting the following configuration on each user's workstation:
`~/.config/aegea/config.yml`:

```yaml
# This is the user configuration file for aegea (https://github.com/kislyuk/aegea).
# For details of aegea configuration management, see https://github.com/kislyuk/aegea#configuration-management
# For a listing of available configuration parameters that can be set here, run `aegea configure`
# or see https://github.com/kislyuk/aegea/blob/develop/aegea/base_config.yml
launch:
  iam_role: bruce-rnd
  manage_iam: true
  iam_policies:
    $extend:
      - AmazonS3FullAccess
      - AmazonSQSFullAccess
```

replacing "bruce" with the username and "rnd" with the application.
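To illustrate the "educated guess" problem described above, here is an added example (not aegea code and not part of this thread) that derives a per-user IAM role name from a caller identity ARN such as the three forms quoted. It assumes the `app` suffix is supplied by the user, and it reports whether the name came from a stable identity (an IAM user ARN) or from a guess at an assumed-role session name.

```python
import re
from dataclasses import dataclass

# Caller ARNs may take any of the forms quoted in the thread, e.g.
#   arn:aws:sts::123456789012:assumed-role/role-name/andrey.kislyuk@color.com
#   arn:aws:sts::123456789012:assumed-role/role-name/bruce/session-id
#   arn:aws:sts::123456789012:assumed-role/role-name/session-id
ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
IAM_USER = re.compile(r"^arn:aws:iam::(\d{12}):user/(?:[^/]+/)*([^/]+)$")
# IAM role names allow only these ASCII characters, at most 64 of them.
DISALLOWED = re.compile(r"[^A-Za-z0-9+=,.@_-]")


@dataclass
class RoleNameGuess:
    role_name: str
    stable: bool   # True only when derived from an IAM user ARN
    source: str    # which part of the ARN the name came from


def derive_role_name(caller_arn: str, app: str) -> RoleNameGuess:
    """Guess a per-user role name; callers must treat stable=False as a guess."""
    m = IAM_USER.match(caller_arn)
    if m:
        user, stable, source = m.group(2), True, "iam-user"
    else:
        m = ASSUMED_ROLE.match(caller_arn)
        if not m:
            raise ValueError(f"unsupported caller ARN: {caller_arn}")
        # Use the first path element after the role name: "bruce" in
        # ".../role-name/bruce/session-id", or the whole session name otherwise.
        # There is no way to tell a real username from an opaque session id here.
        user, stable, source = m.group(3).split("/")[0], False, "assumed-role-session"
    # Drop any email domain and replace characters IAM role names reject.
    local_part = user.split("@")[0]
    name = DISALLOWED.sub("-", f"{local_part}-{app}")[:64]
    return RoleNameGuess(name, stable, source)
```

A caller would only auto-create a role when `stable` is True, and otherwise fall back to an explicit `iam_role` in the user's config, which is what the recommended workaround above does.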
The `launch` sub-command will set up IAM roles for newly launched instances according to the configuration specified by the user. If multiple users utilize the default (`aegea.launch`) role, they will clobber each other's configuration.

Example, in a single AWS account:

`aegea.launch` role is reset to the default (missing user 1's customization).

Ideally two users would not share the namespace when using the default role.