tmspzz / Rome

Carthage cache for S3, Minio, Ceph, Google Storage, Artifactory and many others
MIT License

AWS role based access is not working #210

Closed jazz-mobility closed 4 years ago

jazz-mobility commented 4 years ago

Bug Report

Our company uses AWS Azure-based login (SSO), and we are using AWS named profiles. Command-line tool for AWS login: https://github.com/sportradar/aws-azure-login. After a successful login, it creates the credentials file with a temporary access token, and the config, in the .aws folder. Whenever I run rome upload/download I get this error:

Error: could not download Alamofire : The AWS Access Key Id you provided does not exist in our records.
Error: could not download Alamofire.dSYM : The AWS Access Key Id you provided does not exist in our records.

Generated AWS Credential file sample

[myprofile]
aws_access_key_id=[someKey]
aws_secret_access_key=[someSecretKey]
aws_session_token=[temporaryToken]
aws_expiration=2020-01-15T17:19:01.000Z

Generated AWS config file sample

[profile myprofile]
azure_tenant_id=[someID]
azure_app_id_uri=[samlURL]
azure_default_username=[myCompanyEmail]
azure_default_role_arn=[RoleARN]
azure_default_duration_hours=12
azure_default_remember_me=true

Steps which explain the enhancement or reproduce the bug

  1. Create role-based access in AWS without a source profile, with a temporary access token
  2. Try rome upload

Current behavior

Rome is not reading the temporary session token

Suggested behavior

Should work fine as AWS role-based access is common practice in companies.

Rome version:

[0.23.1.61 - Romam uno die non fuisse conditam.]

OS and version:

[macOS Catalina, Version 10.15.2]

tmspzz commented 4 years ago

@jazz-mobility thanks for reporting. Session tokens are not currently supported.

You have 3 options:

  1. wait
  2. use STS
  3. implement your own engine

tmspzz commented 4 years ago

Not sure what these keys prefixed with azure are, but they don't seem to be compatible with AWS to me. Escalation via role_arn should work.

jazz-mobility commented 4 years ago

@tmspzz We are using STS with session tokens. I added role_arn and got this error: "The AWS Access Key Id you provided does not exist in our records."

tmspzz commented 4 years ago

The support for STS is detailed in #175 and implemented in https://github.com/tmspzz/Rome/pull/179

here is the current implementation: https://github.com/tmspzz/Rome/blob/5ba4eec0b4785bf5c6008ea1946e000bd3c8ea37/src/Lib.hs#L89-L150

I think this is the problem: https://github.com/tmspzz/Rome/blob/10e7a05f2cf5798b0fc41e0f20232b891ee1f64e/src/Network/AWS/Utils.hs#L68-L78

The current implementation gets the token and expiration from the STS response, not from the file.
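The credentials file shown in the report and the diagnosis above (the token and expiry were taken from an STS call instead of from the file) come down to one requirement: credentials issued by STS are only valid together with their session token, so a request signed with just the key id and secret is answered with exactly the "Access Key Id ... does not exist" error seen here. The following is an added example, not Rome's own code (Rome is written in Haskell) and not taken from the thread. It reads a named profile from a credentials file in the layout the reporter pasted, keeps aws_session_token and aws_expiration, refuses to sign once the expiry has passed, and builds SigV4 headers for an S3 GET that carry x-amz-security-token whenever a token is present. The two profiles, the key ids, the bucket name and the timestamps are constructed sample data.

```python
"""Load an AWS named profile (INI credentials file), honour the session
token and expiry, and build SigV4 headers for an S3 GET request.

Added example; not Rome's implementation. All credentials below are
constructed sample values, not real keys.
"""
import configparser
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials file: "myprofile" mirrors what aws-azure-login
# writes (temporary ASIA... key plus token and expiry); "static" is a
# plain long-lived key with no token.
SAMPLE_CREDENTIALS = """
[myprofile]
aws_access_key_id=ASIAEXAMPLE000000001
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token=FwoGZXIvYXdzEXAMPLESESSIONTOKEN
aws_expiration=2020-01-15T17:19:01.000Z

[static]
aws_access_key_id=AKIAEXAMPLE000000002
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def parse_aws_time(value):
    """Parse the aws_expiration format written by the login tool (UTC)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=dt.timezone.utc)


def load_profile(text, profile):
    """Return key id, secret, optional session token and optional expiry."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in tokens is data
    cp.read_string(text)
    if profile not in cp:
        raise KeyError("profile %r not found in credentials file" % profile)
    sec = cp[profile]
    expiration = sec.get("aws_expiration")
    return {
        "access_key": sec["aws_access_key_id"],
        "secret_key": sec["aws_secret_access_key"],
        "session_token": sec.get("aws_session_token"),  # None for static keys
        "expiration": parse_aws_time(expiration) if expiration else None,
    }


def is_expired(creds, now):
    """Static keys never expire; STS keys expire at aws_expiration."""
    return creds["expiration"] is not None and now >= creds["expiration"]


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_s3_get(creds, bucket, key, region, now):
    """Build SigV4 headers for GET https://{bucket}.s3.{region}.amazonaws.com/{key}.

    The session token, when present, is both sent as a header and included
    in the signed headers; leaving it out with an ASIA... key id is what
    produces "The AWS Access Key Id you provided does not exist".
    """
    if is_expired(creds, now):
        raise RuntimeError("credentials expired at %s" %
                           creds["expiration"].isoformat())
    host = "%s.s3.%s.amazonaws.com" % (bucket, region)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "host": host,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "x-amz-date": amz_date,
    }
    if creds["session_token"]:
        headers["x-amz-security-token"] = creds["session_token"]
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join("%s:%s\n" % (n, headers[n]) for n in names)
    canonical_request = "\n".join([
        "GET", "/" + quote(key, safe="/-_.~"), "",  # no query string
        canonical_headers, signed_headers, EMPTY_PAYLOAD_SHA256])
    scope = "%s/%s/s3/aws4_request" % (date_stamp, region)
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_date = _hmac_sha256(("AWS4" + creds["secret_key"]).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(),
                         hashlib.sha256).hexdigest()
    headers["authorization"] = (
        "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
        % (creds["access_key"], scope, signed_headers, signature))
    return headers


if __name__ == "__main__":
    creds = load_profile(SAMPLE_CREDENTIALS, "myprofile")
    now = parse_aws_time("2020-01-15T12:00:00.000Z")  # before expiry
    for name, value in sign_s3_get(creds, "my-carthage-cache",
                                   "Alamofire.framework.zip",
                                   "us-east-1", now).items():
        print("%s: %s" % (name, value))
```

The check that matters for this thread is the branch on `creds["session_token"]`: a client that signs with only the first two fields of an STS profile sends a key id that AWS cannot look up on its own, and the resulting error message is misleading because the key exists but only as a tuple with its token. The expiry check is a local courtesy; the service enforces it regardless.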

tmspzz commented 4 years ago

@jazz-mobility please try https://github.com/tmspzz/Rome/releases/tag/v23.2.63

jazz-mobility commented 4 years ago

Thanks for the quick fix @tmspzz, this is fixed now. 🎉

jazz-mobility commented 4 years ago

@tmspzz Waiting for the final release to roll out this amazing tool in our iOS team. :)

tmspzz commented 4 years ago

@jazz-mobility the release is out on homebrew, coming up asap on cocoapods

tmspzz commented 4 years ago

https://github.com/tmspzz/Rome/releases/tag/v0.23.2.63 is now out on both homebrew and cocoapods