aegea launch will overwrite role definition

[bkmartinjr]

the launch sub-command will set up IAM roles for newly launched instances according to the configuration specified by the user. If multiple users utilize the default (aegea.launch) role, they will clobber each other's configuration.

Example, in a single AWS account:

• user 1 launches an instance using custom config, eg, adding a policy to the launch role in their .../aegea/config.yml file
• user 2 launches an instance, with the default config At this point, aegea.launch role is reset to the default (missing user 1's customization)

Ideally two user's would not share the namespace when using the default role.

[bkmartinjr]

Hi @kislyuk - any update on thinking about solutions? I have multiple users who operate in the same account, and who all want to use aegea. The use case is largely running "personal" instances for manual data analysis, etc.

For example, could we have an option to generate a role name that is based upon a per-user unique name or user-specified key in their config?

[kislyuk]

Hi @bkmartinjr - thanks for reaching out. I'm very swamped right now and would like to take some more time to think about the optimal way to do this. The solution may involve storing configuration information somewhere in the AWS account (like AWS Parameter Store), or (as you suggest) something like aegea launch --personal-iam-role to name the IAM role after the name of the person launching it.

Complicating things is the fact that there is no concept of "user name" when using SSO/AssumeRole/identity federation in AWS (which all enterprises do nowadays) - there is no standard session name, so an assume role session may look like:

• arn:aws:sts::123456789012:assumed-role/role-name/andrey.kislyuk@color.com
• arn:aws:sts::123456789012:assumed-role/role-name/bruce/session-id
• or even arn:aws:sts::123456789012:assumed-role/role-name/session-id - where the session id is not stable and won't provide enough information to do anything (so I have to make an educated guess at the username and hope that it's correct, or risk proliferating invalid/unused IAM role names).

While I come up with a solution, I recommend putting the following configuration on each user's workstation:

• ~/.config/aegea/config.yml:

  # This is the user configuration file for aegea (https://github.com/kislyuk/aegea).
  # For details of aegea configuration management, see https://github.com/kislyuk/aegea#configuration-management
  # For a listing of available configuration parameters that can be set here, run `aegea configure`
  # or see https://github.com/kislyuk/aegea/blob/develop/aegea/base_config.yml
  launch:
  iam_role: bruce-rnd
  manage_iam: true
  iam_policies:
  $extend:
    - AmazonS3FullAccess
    - AmazonSQSFullAccess

  replacing "bruce" with the username and "rnd" with the application.