Open scottyhq opened 3 years ago
Update: found the solution in this blog post https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
You can get temporary credentials on the hub for use on other machines:
```bash
# Exchange the pod's web identity token for temporary credentials
aws sts assume-role-with-web-identity \
  --role-arn "$AWS_ROLE_ARN" \
  --role-session-name mh9test \
  --web-identity-token "file://$AWS_WEB_IDENTITY_TOKEN_FILE" \
  --duration-seconds 1000 > /tmp/irp-cred.txt

# Export the credentials from the saved response
export AWS_REGION="us-west-2"
export AWS_ACCESS_KEY_ID="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.AccessKeyId")"
export AWS_SECRET_ACCESS_KEY="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SecretAccessKey")"
export AWS_SESSION_TOKEN="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SessionToken")"

# Remove the file holding the raw credentials
rm /tmp/irp-cred.txt
```
#8 tried to create an IAM account user we can use for accessing a snowex s3 bucket from anywhere (not just the jupyterhub). It failed with

```
AccessDenied: User: arn:aws:sts::***:assumed-role/github-actions-role/GitHubActions is not authorized to perform: iam:CreateUser on resource:
```

https://github.com/snowex-hackweek/jupyterhub/runs/2807361024?check_suite_focus=true . Should be an easy fix, just need to add another policy document with those permissions here https://github.com/snowex-hackweek/jupyterhub/tree/main/terraform/setup/iam
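An added example, not part of the original post: a variant of the temporary-credentials step above that never writes the STS response to a fixed path under /tmp and refuses to export anything when the response lacks a credential field. The function names and the sample response are hypothetical and constructed for illustration; it assumes `jq` and the AWS CLI are installed.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not the project's own code.

# Read an AssumeRoleWithWebIdentity JSON response on stdin and print
# shell-quoted export lines. Exits non-zero and prints nothing when any of
# the three credential fields is missing or empty (e.g. an error response).
sts_json_to_exports() {
  jq -er '
    .Credentials
    | select((.AccessKeyId // "") != ""
         and (.SecretAccessKey // "") != ""
         and (.SessionToken // "") != "")
    | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId | @sh)",
      "export AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey | @sh)",
      "export AWS_SESSION_TOKEN=\(.SessionToken | @sh)"
  '
}

# Call STS and load the result into the current shell. The response only
# travels through a pipe, so there is no credentials file to protect or
# clean up. The session name defaults to the one used in the post.
load_web_identity_credentials() {
  _exports="$(aws sts assume-role-with-web-identity \
      --role-arn "$AWS_ROLE_ARN" \
      --role-session-name "${1:-mh9test}" \
      --web-identity-token "file://$AWS_WEB_IDENTITY_TOKEN_FILE" \
      --duration-seconds 1000 | sts_json_to_exports)" || return 1
  # @sh quoting above means values are treated as data, never expanded.
  eval "$_exports"
  unset _exports
}

# Constructed sample response (not real credentials) for offline testing.
SAMPLE_STS_RESPONSE=$(cat <<'EOF'
{"Credentials": {"AccessKeyId": "ASIACONSTRUCTED00001",
                 "SecretAccessKey": "constructed/secret+key",
                 "SessionToken": "constructed token $HOME",
                 "Expiration": "2021-06-12T00:00:00Z"}}
EOF
)
```

To carry the credentials to another machine, print the export lines with `sts_json_to_exports` instead of calling `eval`; they stop working once the session duration has elapsed.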