Closed Systho closed 5 years ago
New version of ELBAS will grab creds from the Capistrano variable aws_credentials
if specified, that should allow you to do any custom credentials logic without monkey patching :)
For what it's worth, here is how I do it with the new (v3) version :
set :aws_access_key, ENV['AWS_ACCESS_KEY_ID']
set :aws_secret_key, ENV['AWS_SECRET_ACCESS_KEY']
set :aws_region, ENV['AWS_REGION']
set :assumed_role_arn, ENV['AWS_ASSUMED_ROLE_ARN']
set :aws_credentials, -> {
aws_access_key = fetch :aws_access_key
aws_secret_key = fetch :aws_secret_key
assumed_role_arn = fetch :assumed_role_arn
sts = if aws_access_key.present?
dev_credentials = ::Aws::Credentials.new(aws_access_key, aws_secret_key)
::Aws::STS::Client.new(credentials: dev_credentials)
else
::Aws::STS::Client.new
end
role_credentials = sts.assume_role(
role_arn: assumed_role_arn,
role_session_name: "capistrano-session",
).to_h
temp_access_key_id = role_credentials[:credentials][:access_key_id]
temp_secret_access_key = role_credentials[:credentials][:secret_access_key]
temp_session_token = role_credentials[:credentials][:session_token]
::Aws::Credentials.new(temp_access_key_id, temp_secret_access_key, temp_session_token)
}
it was definitely easier than the previous version !
In our setup developer are authenticated through our company but use a role on client company to deploy on their behalf and on their account.
Therefore we ask our client to create a role for us which we can assume for the intervention we do on their account.
I've added this patch which check for a
aws_assumed_role_arn
key in capistrano config and if present start a special session.I do not know how frequent our setup is but I'm sharing the code back with you since your gem basically saved me days of work :)