terraform-linters / tflint-ruleset-aws

TFLint ruleset for terraform-provider-aws
Mozilla Public License 2.0

Add support for STS-generated credentials #25

Closed tristankenney closed 3 years ago

tristankenney commented 3 years ago

Happy New Year!

It seems that a shared credentials file containing STS-generated credentials cannot currently be used (as the SessionToken isn't passed to the S3 client).

Would it be possible to have this added?

P.S. I wasn't sure if I should submit here or against tflint-ruleset-aws. Let me know if I should move this issue :)

wata727 commented 3 years ago

Happy New Year!

I believe that TFLint supports shared credentials files. https://github.com/terraform-linters/tflint/blob/v0.22.0/docs/guides/credentials.md#shared-credentials Can you give me a link to the official AWS documentation etc. about what config is not available?

Currently, AWS rule implementation is in transition. Questions about the current released version are OK in this repository, but feature requests and bug reports should be sent to the ruleset repository :)

tristankenney commented 3 years ago

Thanks for your response!

My query is a bit more specific. Shared credentials files work when using permanent credentials issued against a user.

e.g. if we were using a profile named engineering, the shared credentials might look something like:

[engineering]
aws_access_key_id=ASXXXXXXXXXXXXX
aws_secret_access_key=GZXXXXXXXXXXXXXXXXXX

However, our setup is slightly different and uses temporary credentials supplied via STS (this is a side-effect of using SSO for our AWS accounts in a developer context).

As a consequence, in our context, our shared credentials file looks slightly different:

[engineering]
aws_access_key_id=ASXXXXXXXXXXXXX
aws_secret_access_key=GZXXXXXXXXXXXXXXXXXX
aws_session_token="FwXXXXXXXX"

When using STS-issued credentials, aws_session_token also needs to be supplied to the AWS SDK to successfully authenticate.

Therefore, to support STS within tflint, there would need to be additions to config.go, client.go etc.

I'm happy to submit a PR to add token support if that's going to make your lives easier :)

Also, let me know if I should be moving this issue, as it definitely feels like it's in feature request territory.
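The failure mode described above (an STS-issued key pair accepted from a shared credentials file while its session token is silently dropped) can be caught before any API call is made. The following Go program is an added example, not code from tflint or this issue; it parses the INI-style shared credentials format shown above, builds the same three fields from the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN environment variables, and refuses a temporary key that has no token. It relies on AWS's documented convention that temporary (STS) access key IDs begin with ASIA while long-term IAM user keys begin with AKIA; the function names and the sample profiles are constructed for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Constructed sample inputs (not real credentials): an "engineering" profile
// holding an STS-issued key with its session token, and the same profile
// with the token left out.
const SampleWithToken = `[engineering]
aws_access_key_id=ASIAEXAMPLEKEYID1234
aws_secret_access_key=EXAMPLESECRETKEY/abcdefghijklmnopqrstuvwx
aws_session_token="FwEXAMPLETOKEN"
`

const SampleWithoutToken = `[engineering]
aws_access_key_id=ASIAEXAMPLEKEYID1234
aws_secret_access_key=EXAMPLESECRETKEY/abcdefghijklmnopqrstuvwx
`

// Credentials carries the three values the AWS SDK needs. For STS-issued
// credentials all three are required; for long-term keys SessionToken is empty.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

// IsTemporary reports whether the key ID carries the "ASIA" prefix that AWS
// assigns to temporary (STS) credentials.
func (c Credentials) IsTemporary() bool {
	return strings.HasPrefix(c.AccessKeyID, "ASIA")
}

// Validate fails early on the exact condition that otherwise surfaces as an
// authentication error at the first API call: a temporary key without its token.
func (c Credentials) Validate() error {
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return errors.New("access key id and secret access key are required")
	}
	if c.IsTemporary() && c.SessionToken == "" {
		return errors.New("temporary (ASIA...) credentials require aws_session_token")
	}
	return nil
}

// ParseSharedCredentials reads the INI-style shared credentials format and
// returns the named profile. Values may be wrapped in double quotes, as the
// session token in the issue is.
func ParseSharedCredentials(content, profile string) (Credentials, error) {
	var c Credentials
	inProfile, found := false, false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue // blank line or comment
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inProfile = strings.TrimSpace(line[1:len(line)-1]) == profile
			if inProfile {
				found = true
			}
			continue
		}
		if !inProfile {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue // not a key=value line
		}
		key = strings.ToLower(strings.TrimSpace(key))
		value = strings.Trim(strings.TrimSpace(value), `"`)
		switch key {
		case "aws_access_key_id":
			c.AccessKeyID = value
		case "aws_secret_access_key":
			c.SecretAccessKey = value
		case "aws_session_token":
			c.SessionToken = value
		}
	}
	if !found {
		return c, fmt.Errorf("profile %q not found", profile)
	}
	return c, nil
}

// ResolveCredentials mirrors the order the issue settled on: environment
// variables win when set, otherwise the shared credentials profile is used.
// The lookup function is injected so the resolution can be tested offline.
func ResolveCredentials(env func(string) string, sharedFile, profile string) (Credentials, error) {
	var c Credentials
	var err error
	if env("AWS_ACCESS_KEY_ID") != "" {
		c = Credentials{
			AccessKeyID:     env("AWS_ACCESS_KEY_ID"),
			SecretAccessKey: env("AWS_SECRET_ACCESS_KEY"),
			SessionToken:    env("AWS_SESSION_TOKEN"),
		}
	} else if c, err = ParseSharedCredentials(sharedFile, profile); err != nil {
		return c, err
	}
	return c, c.Validate()
}

func main() {
	// Run against the constructed sample; set AWS_ACCESS_KEY_ID to exercise the env path.
	c, err := ResolveCredentials(os.Getenv, SampleWithToken, "engineering")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("resolved key %s (temporary=%v, token present=%v)\n",
		c.AccessKeyID, c.IsTemporary(), c.SessionToken != "")
}
```

The same Validate check is what a linter or CI job can run before handing credentials to the SDK, so a profile that was copied from an SSO login without its aws_session_token line is reported as a configuration error rather than an opaque authentication failure.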

wata727 commented 3 years ago

Thank you for explaining. Understood. I'm happy to review your pull requests if you submit them.

If you have similar settings in Terraform, it may be better to change the implementation to get the config rather than extend the TFLint configuration syntax. https://registry.terraform.io/providers/hashicorp/aws/latest/docs#token

By the way, AWS_SESSION_TOKEN may work.

tristankenney commented 3 years ago

I've tested this with AWS_SESSION_TOKEN and it works perfectly. Given that, we'll just use env vars for auth rather than the shared credential file.

As such, we really don't need to modify the ruleset and I'll close this one off :)

Thank you for pointing me in the right direction!