cloud: support chaining of assumed roles #14570

Closed
cockroach-teamcity opened this issue Jul 18, 2022 · 0 comments

cockroach-teamcity commented Jul 18, 2022

Exalate commented:

Related PR: cockroachdb/cockroach#83712
Commit: cockroachdb/cockroach@ff917d9


Release note (enterprise change): Allow the ASSUME_ROLE parameter in AWS and
GCP storage and KMS URIs to specify a list of roles with a comma-separated
string. The roles in the list can then be chain assumed in order to access the
resource specified by the URI.

For example, if a destination in S3 can only be accessed by RoleB, and the
identity corresponding to implicit auth can only assume RoleB through an
intermediate role RoleA, then this chain assumption can be specified in the S3
URI:
s3://bucket/key?AUTH=implicit&ASSUME_ROLE=RoleA,RoleB

In addition, remove the "assume" auth mode from AWS URIs, and instead use the
ASSUME_ROLE parameter to indicate that a role should be assumed for
authentication. Below are some examples:

S3: s3:///?AUTH=specified&ASSUME_ROLE=<role_arn>&AWS_ACCESS_KEY_ID=<access_key>&AWS_SECRET_ACCESS_KEY=<secret_key>
AWS KMS: aws:///<key_arn>?AUTH=implicit&REGION=&ASSUME_ROLE=<role_arn>

Jira Issue: DOC-5102
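
The chain described in the release note, as an added Go example that is not part of the issue or of CockroachDB's code: it parses a URI, lists each role-assumption hop in order, and returns a copy of the URI that is safe to log. `PlanChain` and `Hop` are hypothetical names; rejecting empty list entries and the `redacted` placeholder are choices made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hop is one AssumeRole step: Caller's credentials are used to assume Role.
type Hop struct{ Caller, Role string }

// PlanChain (hypothetical helper) parses a storage or KMS URI and returns the
// role-assumption hops in order plus a copy of the URI that is safe to log.
func PlanChain(raw string) ([]Hop, string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		// Do not return err itself: its message repeats the raw URI.
		return nil, "", errors.New("unparseable URI")
	}
	q := u.Query()
	auth := q.Get("AUTH")
	if auth == "assume" && (u.Scheme == "s3" || u.Scheme == "aws") {
		return nil, "", errors.New("AUTH=assume was removed; set ASSUME_ROLE instead")
	}
	var hops []Hop
	caller := auth + " credentials"
	if q.Has("ASSUME_ROLE") {
		for _, role := range strings.Split(q.Get("ASSUME_ROLE"), ",") {
			if role == "" {
				return nil, "", errors.New("empty entry in ASSUME_ROLE list")
			}
			// Each role is assumed with the credentials of the previous hop,
			// so its trust policy must name that caller, not the base identity.
			hops = append(hops, Hop{caller, role})
			caller = role
		}
	}
	if q.Has("AWS_SECRET_ACCESS_KEY") {
		q.Set("AWS_SECRET_ACCESS_KEY", "redacted")
	}
	u.RawQuery = q.Encode() // re-encodes and sorts the parameters
	return hops, u.String(), nil
}

func main() {
	// Constructed sample URI; the bucket and role names are placeholders.
	hops, safe, err := PlanChain("s3://bucket/key?AUTH=implicit&ASSUME_ROLE=RoleA,RoleB")
	fmt.Println(hops, safe, err)
}
```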
