Closed ozbillwang closed 8 years ago
I'm not sure how the consolidated accounts work. If you cannot see all the instances using the main account credentials, you could try configuring multiple EC2 resource source plugins, using different credentials.
With an IAM role assigned to the Rundeck server when it was created, I needn't provide credentials; it can show all nodes in the main account. But I'm not sure how to set up assume role to let Rundeck discover EC2 nodes in the other consolidated accounts.
Here is the introduction to AWS consolidated accounts (also called cross-account access): https://aws.amazon.com/blogs/aws/new-cross-account-access-in-the-aws-management-console/
I think it is the way to fix this issue (add assume role policy), I am working on it and will let you know my progress.
@SydOps I looked into the SDK APIs for doing that. It seems possible to use the Security Token Service to call assumeRole and pass an ARN to identify the role; you get back a new set of credentials (accessKey, secretKey, sessionToken).
I don't have a quick way to test this right now, but I can submit a pull request with the updated code; if you are able to build the plugin from that branch, you could try it out.
Sure, will build it. Taking notes for myself.

```sh
git clone https://github.com/rundeck-plugins/rundeck-ec2-nodes-plugin.git
cd rundeck-ec2-nodes-plugin
git checkout -b feature/assume_role
git pull origin feature/assume_role
javac -J-Xmx32m -version
./gradlew assemble
./gradlew check
```

I got the plugin:

```
-rw-r--r-- 1 bill wheel 5486053 19 Feb 21:52 rundeck-ec2-nodes-plugin-1.5.2-SNAPSHOT.jar
```
@gschueler Thanks for the commits. I successfully set up assume role with the newly built plugin `rundeck-ec2-nodes-plugin-1.5.2-SNAPSHOT.jar`.
Writing down the details of what I did. Suppose I have two accounts, the main account (`ACCOUNT_A`) and the cross account (`ACCOUNT_B`).

1. Role `ec2_role` in `ACCOUNT_B` (trust policy):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/ec2-rundeck"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

2. Role `ec2_rundeck` in `ACCOUNT_A` (permission policy):

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::ACCOUNT_B:role/ec2_role"
  }
}
```
3. Create a new Rundeck instance in `ACCOUNT_A` with role `ec2_rundeck`.
4. Install the latest plugin `rundeck-ec2-nodes-plugin-1.5.2-SNAPSHOT.jar` into the `libext` folder.
5. Set the new item `Assume Role ARN` to `arn:aws:iam::ACCOUNT_B:role/ec2_role` in the EC2 plugin in Rundeck.

Then you will see the nodes in `ACCOUNT_B`.
Good to hear, I will merge that change then.
We use AWS consolidated accounts to manage our resources, so I need the feature to get all nodes from the main account and several consolidated accounts.
The Rundeck server is installed in the main account.
Is this function available already?