feat: option to assume role to get credentials #6
Conversation
When fetching credentials after obtaining the boto3 session, we check if the configuration has an optional `assume_role` field, which indicates that role needs to be assumed to obtain the credentials. If found, the role is assumed and used to obtain the credentails. If not the original boto3 session is used to obtain the credentials.
|
Thanks for making this contribution! I agree that having the option to assume a role would be a good addition to the accepted configuration keys: using temporary credentials is a much better option than static access/secret keys. |
jmkeyes
left a comment
jmkeyes
left a comment
There was a problem hiding this comment.
/lgtm
The whitespace changes in the diff of the test code made things a bit harder to read, but I can run black later if needed.
|
Not strictly relevant to the PR, but the AWS SDK can also assume a role if configured to do so. While it is nice to explicitly configure it ourselves here, it begs the question of how much responsibility this library should take in replicating that logic. This also ties into #8: where do we draw the line between the behaviour of this library (via configuration) and the implicit behaviour of the |
* Run black. * Make role assumption logic more explicit. * Make role session name optional.
We have a considerable number of profiles and AWS child accounts that require cross-account authentication. Tightly coupling IAM configuration between identity roles and resource access can become difficult (one reason being IAM policy size limits) and keeping our identity roles loosely coupled from some resource access roles makes maintenance easier. We could have additional configuration settings for the AWS SDK to assume the roles, but all the combinations we have would create an explosion of configuration entries. Being able to have loose coupling between the identity roles we use and resource roles in the configuration for this library makes management of all these things much simpler for our users. |
I agree. The first use case for this keyring backend had very little need for configuration at all. While it is convenient to define access/secret keys in the For version 3.x of this backend, I'm tempted to drop support for specifying access/secret keys in configuration and explicitly require users to migrate them to This would substantially limit the configuration options that this library needs to be aware of. |
|
@jmkeyes does this look good to merge? |
| assumed_role = session.client("sts").assume_role( | ||
| RoleArn=config["assume_role"], | ||
| RoleSessionName=config.get( | ||
| "assume_role_session_name", "KeyRingsCodeArtifact" |
There was a problem hiding this comment.
So the AWS SDK will not pick a RoleSessionName for you; you can see the docs that they say they are required. So I have include an explicit default as a fallback instead.
There was a problem hiding this comment.
As mentioned in a comment, I'd like this fallback to be a dynamic value usable for auditing in CloudTrail, but that's not required for this PR.
Almost! Here are some thoughts:
Let me know what you think! |
| aws_access_key_id=config.get("aws_access_key_id"), | ||
| aws_secret_access_key=config.get("aws_secret_access_key"), | ||
| ) | ||
| session = self.get_boto_session(region=region, config=config) |
There was a problem hiding this comment.
As part of 537fe6f, I've created a _get_codeartifact_client instance method that returns an initialized CodeArtifact service client with specific options.
| assumed_role = session.client("sts").assume_role( | ||
| RoleArn=config["assume_role"], | ||
| RoleSessionName=config.get( | ||
| "assume_role_session_name", "KeyRingsCodeArtifact" |
There was a problem hiding this comment.
As mentioned in a comment, I'd like this fallback to be a dynamic value usable for auditing in CloudTrail, but that's not required for this PR.
| @@ -1,2 +1,3 @@ | |||
| pytest >= 6 | |||
| pytest-cov | |||
| pytest-mock | |||
There was a problem hiding this comment.
This shouldn't be necessary with the recent unit test modifications.
There was a problem hiding this comment.
The recent changes to the unit tests in 537fe6f may help clean up these tests.
| - `token_duration`: Validity period (in seconds) for retieved authorization tokens. | ||
| - `aws_access_key_id`: Use a specific AWS access key to authenticate with AWS. | ||
| - `aws_secret_access_key`: Use a specific AWS secret access key to authenticate with AWS. | ||
| - `assume_role`: Role ARN to assume with the current profile name to get the CodeArtifact credentials. |
There was a problem hiding this comment.
I'd like to rename this to assume_role_arn to be more explicit about the content it contains.
2 participants
When fetching credentials after obtaining the boto3 session, we check if the configuration has an optional
assume_rolefield, which indicates that role needs to be assumed to obtain the credentials.If found, the role is assumed and used to obtain the credentails. If not the original boto3 session is used to obtain the credentials.