rundeck-plugins / rundeck-ec2-nodes-plugin

Get resource node data from Amazon EC2

manage nodes in aws consolidated accounts #37

Closed ozbillwang closed 8 years ago

ozbillwang commented 8 years ago

We use AWS consolidated accounts to manage the resources. So I need the feature to get all nodes from the main account and several consolidated accounts.

Rundeck server is installed at main account.

Is this function available already?

gschueler commented 8 years ago

I'm not sure how the consolidated accounts work. If you cannot see all the instances using the main account credentials, you could try configuring multiple EC2 resource source plugins, using different credentials.

ozbillwang commented 8 years ago

With an IAM role assigned to the Rundeck server when created, I needn't provide credentials; it can show all nodes in the main account. But I am not sure how to set an assume role to let Rundeck discover EC2 nodes in the other consolidated accounts.

Here is the introduction to AWS consolidated accounts (also called cross-account access): https://aws.amazon.com/blogs/aws/new-cross-account-access-in-the-aws-management-console/

I think this is the way to fix this issue (add an assume role policy). I am working on it and will let you know my progress.

gschueler commented 8 years ago

@SydOps I looked into the SDK APIs for doing that. It seems possible to use the Security Token Service to call assumeRole and pass an ARN to identify the role. You get back a new set of credentials (accessKey, secretKey, sessionToken).

I don't have a quick way to test this right now, but I can submit a pull request with the updated code. If you are able to build the plugin from that branch, you could try it out.

ozbillwang commented 8 years ago

Sure, will build it. Notes for myself:

```
git clone https://github.com/rundeck-plugins/rundeck-ec2-nodes-plugin.git
cd rundeck-ec2-nodes-plugin
git checkout -b feature/assume_role
git pull origin feature/assume_role
javac -J-Xmx32m -version
./gradlew assemble
./gradlew check
```

I got the plugin:

```
-rw-r--r--  1 bill  wheel  5486053 19 Feb 21:52 rundeck-ec2-nodes-plugin-1.5.2-SNAPSHOT.jar
```

ozbillwang commented 8 years ago

@gschueler

Thanks for the commits. I successfully set up assume_role with the newly built plugin rundeck-ec2-nodes-plugin-1.5.2-SNAPSHOT.jar.

Writing down the details of what I did. Suppose I have two accounts, the main account (ACCOUNT_A) and the cross account (ACCOUNT_B).

1. assign the trust relationship on ACCOUNT_B for the role ec2_role (trailing comma after the role ARN removed so the JSON is valid)

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/ec2-rundeck"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

2. assign the new policy on ACCOUNT_A for the role ec2_rundeck

```
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::ACCOUNT_B:role/ec2_role"
    }
}
```

3. create a new rundeck instance in `ACCOUNT_A` with role `ec2_rundeck`

4. install the latest plugin `rundeck-ec2-nodes-plugin-1.5.2-SNAPSHOT.jar` to folder libext

5. set new item `Assume Role ARN` to `arn:aws:iam::ACCOUNT_B:role/ec2_role` in ec2 plugin in Rundeck. 

Then you will see the nodes in ACCOUNT_B.

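The two policies above only work together when the trust policy in ACCOUNT_B names exactly the Rundeck role in ACCOUNT_A and the permission policy in ACCOUNT_A names exactly the target role in ACCOUNT_B, and neither side falls back to a wildcard. The following is an added example (not part of this thread or the plugin) that checks such a pair for that consistency and for wildcard principals or resources; the account ids are constructed placeholders standing in for ACCOUNT_A and ACCOUNT_B.

```python
# Constructed placeholders for the two account ids used in the thread.
ACCOUNT_A = "111111111111"   # main account, where Rundeck runs
ACCOUNT_B = "222222222222"   # cross account whose EC2 nodes should appear
RUNDECK_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/ec2-rundeck"
TARGET_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/ec2_role"

# Trust policy attached to ec2_role in ACCOUNT_B (step 1 above), as a dict.
TRUST_POLICY_B = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com",
                                 "AWS": [RUNDECK_ROLE]},
                   "Action": "sts:AssumeRole"}],
}
# Permission policy attached to ec2-rundeck in ACCOUNT_A (step 2 above).
ASSUME_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                  "Resource": TARGET_ROLE},
}

def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def _allow_assume_statements(policy):
    """Yield Allow statements that grant sts:AssumeRole."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and \
                "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            yield stmt

def check_cross_account_pair(trust_policy_b, assume_policy_a, rundeck_role, target_role):
    """Return a list of findings; an empty list means the pair is consistent and tight."""
    findings = []
    principals = [p for s in _allow_assume_statements(trust_policy_b)
                  for p in _as_list(s.get("Principal", {}).get("AWS", []))]
    if "*" in principals:
        findings.append("trust policy allows any AWS principal to assume the role")
    if rundeck_role not in principals:
        findings.append(f"trust policy does not name {rundeck_role}")
    resources = [r for s in _allow_assume_statements(assume_policy_a)
                 for r in _as_list(s.get("Resource", []))]
    if "*" in resources:
        findings.append("assume policy allows assuming any role")
    if target_role not in resources:
        findings.append(f"assume policy does not grant sts:AssumeRole on {target_role}")
    return findings

if __name__ == "__main__":
    print(check_cross_account_pair(TRUST_POLICY_B, ASSUME_POLICY_A, RUNDECK_ROLE, TARGET_ROLE))
```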
gschueler commented 8 years ago

Good to hear, I will merge that change then.