aws ec2 integration: allow users to set up integration using AssumeRole #522

Open
vjeffrey opened this issue Jun 6, 2019 · 3 comments
Labels
node integrations This issue or pull request applies to work related to the node integrations

Comments

vjeffrey commented Jun 6, 2019

User Story

As an Automate user, I want to be able to scan all my AWS accounts from Automate by using the AssumeRole functionality per scannable account.

From our friends at AWS:

Let's say your Automate server is running in Account 1111 and you want to scan APIs and EC2 instances in Account 2222. You set up a role that lets you access the resources of your account (e.g. giving permissions for ReadOnly access and SSM for credential-less scanning). That role also gets a Trust Relationship towards account 2222.
Now on Chef Automate in Account 1111 you assume the role from Account 2222 and execute your calls with the permissions of the role you assumed on the resources in 2222.

Considerations

The first step to this will be discovery work on the backend side for what needs to be done to make this happen.
As a second step, we should communicate that to UX (@jonong1972) so that he can design something for the UI to accommodate the change.
Then we can complete the backend work and create the UI.

Definition of Done

Can add an aws-ec2 integration using the AssumeRole functionality

@vjeffrey vjeffrey added the node integrations This issue or pull request applies to work related to the node integrations label Jun 6, 2019

vjeffrey commented Jul 19, 2019

I took a look at the code this evening; it looks like we may already support this. There's an (untested) code path for using a role ARN to authenticate with the AWS API.
I will try to find someone to help me test this functionality tomorrow.
As it stands, it seems that doing the following API call would work:

```shell
# example of adding a nodemanager
curl -s --insecure -H "api-token: $token" $url/api/v0/nodemanagers -d '{
    "name": "my aws api integration with role arn",
    "type": "aws-api",
    "instance_credentials": [],
    "credential_data": [
        {"key": "ARN_ROLE", "value": "value" }
    ]
  }'
```


vjeffrey commented Jul 19, 2019

I tested this morning but got a 403 from the AWS API.
I'll have to take a deeper look (the way I set up the role may have been incorrect) next week.

What I did to set up the role:
Logged into one account.
Created an IAM role with a trust relationship to another account.
Ensured the correct permissions (policy) were attached to that role.

error:
2019-07-19 17:22:58.642702604 +0000 UTC:GetAccountID unable to call GetCallerIdentity API: AccessDenied: Access denied\n\tstatus code: 403, request id: da74259b-aa49-11e9-82de-f3e0fce6796c
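
The cross-account setup described in the issue body, and the AccessDenied failure mode from the comment above, worked through as an added Python example. This is not Chef Automate code: the account ids, the role name AutomateScanner and the external id are hypothetical, and FakeSts is a constructed offline stand-in for boto3's STS client (it uses the same assume_role / get_caller_identity method names and response shapes). The point it makes concrete is that the trust policy on the role in the scanned account must name the account that calls AssumeRole as its principal; a role whose trust policy points anywhere else gets an AccessDenied on sts:AssumeRole before any scanning call is made.

```python
"""Cross-account AssumeRole for scanning, worked end to end.

Added example, not Chef Automate code.  Account ids, role name and the
external id are hypothetical.  FakeSts stands in for a real STS client so
the flow runs offline; boto3.client("sts") exposes the same assume_role /
get_caller_identity method names and response shapes.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

AUTOMATE_ACCOUNT = "111111111111"  # hypothetical: account where Automate runs
TARGET_ACCOUNT = "222222222222"    # hypothetical: account whose EC2/APIs get scanned
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/AutomateScanner"  # hypothetical role


def trust_policy(trusted_account: str, external_id: Optional[str] = None) -> dict:
    """Trust policy for the role that lives in the target account.

    The principal must be the account that *calls* AssumeRole (the Automate
    account), not the account that owns the role.  An sts:ExternalId
    condition narrows which caller from that account may use the role.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_allows(policy: dict, caller_account: str, external_id: Optional[str]) -> bool:
    """Minimal check: does this trust policy allow sts:AssumeRole from caller_account?

    Understands only the Allow statements built above; real IAM evaluation
    also handles Deny, wildcards, session principals and other condition keys.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if f"arn:aws:iam::{caller_account}:root" not in principals and caller_account not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        return True
    return False


class FakeSts:
    """Constructed stand-in for an STS client that enforces each role's trust policy."""

    def __init__(self, caller_account: str, roles: dict):
        self.caller_account = caller_account  # account the caller's credentials belong to
        self.roles = roles                    # role ARN -> trust policy dict

    def assume_role(self, RoleArn, RoleSessionName, ExternalId=None, DurationSeconds=3600):
        policy = self.roles.get(RoleArn)
        if policy is None or not trust_allows(policy, self.caller_account, ExternalId):
            # boto3 raises botocore.exceptions.ClientError with code AccessDenied here
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole on " + RoleArn)
        account, role = RoleArn.split(":")[4], RoleArn.rsplit("/", 1)[1]
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
                "SessionToken": "example-token",
                "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds),
            },
            "AssumedRoleUser": {
                "AssumedRoleId": "AROAEXAMPLE:" + RoleSessionName,
                "Arn": f"arn:aws:sts::{account}:assumed-role/{role}/{RoleSessionName}",
            },
        }


def assume_scan_role(sts, role_arn: str, external_id: Optional[str] = None):
    """Assume the scanning role; return (temporary credentials, account id of the role).

    ExternalId is only passed when one is configured, since boto3 rejects None.
    The account id is read from the AssumedRoleUser ARN; GetCallerIdentity
    called with the returned credentials reports the same account.
    """
    kwargs = {"RoleArn": role_arn, "RoleSessionName": "automate-scan"}
    if external_id is not None:
        kwargs["ExternalId"] = external_id
    resp = sts.assume_role(**kwargs)
    return resp["Credentials"], resp["AssumedRoleUser"]["Arn"].split(":")[4]


if __name__ == "__main__":
    print(json.dumps(trust_policy(AUTOMATE_ACCOUNT, "automate-scan-42"), indent=2))
    sts = FakeSts(AUTOMATE_ACCOUNT, {ROLE_ARN: trust_policy(AUTOMATE_ACCOUNT, "automate-scan-42")})
    creds, account = assume_scan_role(sts, ROLE_ARN, "automate-scan-42")
    print("assumed role in account", account, "session token expires", creds["Expiration"])
```

To run this against real accounts, replace FakeSts with boto3.client("sts") created from the Automate account's credentials; the role's trust policy is the JSON that trust_policy returns, attached in the target account, and the permissions policy (ReadOnly plus SSM, as the issue describes) is attached to that same role. A GetCallerIdentity call made with the credentials returned by assume_scan_role shows the target account id and an assumed-role ARN, which is a quick way to confirm the hop worked before trying any EC2 or SSM call.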

@vjeffrey vjeffrey self-assigned this Jul 21, 2019
@vjeffrey vjeffrey removed their assignment Nov 9, 2019

vjeffrey commented Jan 6, 2020
