Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Cloud Connectors] Configuration and Flow #2556

Open
moukoublen opened this issue Sep 24, 2024 · 2 comments
Open

[Cloud Connectors] Configuration and Flow #2556

moukoublen opened this issue Sep 24, 2024 · 2 comments
Labels
Team:Cloud Security Cloud Security team related

Comments

@moukoublen
Copy link
Member

moukoublen commented Sep 24, 2024
edited
Loading

Motivation
We need to create a separate configuration for cloud connectors. In that case an indication that cloud connectors is used should be provided (e.g. a enabled flag) and the customer remote-role arn should be also proved via configuration.

During the flow and if the cloud connectors is enabled, cloudbeat should first assume the implicit role provided by the EKS POD Identity association and then having assumed that cloudbeat should assume the customer remote role.

Using the credentials from the customer remote-role cloudbeat should continue to the scan flow.

POC branch: https://github.com/moukoublen/cloudbeat/tree/cc_8.14

Definition of done

  • AWS Single account flow
  • AWS Org account flow
  • CSPM Integration configuration

Related tasks/epics
Reference related issues and epics
@moukoublen moukoublen added the Team:Cloud Security Cloud Security team related label Sep 24, 2024
@eyalkraft
Copy link
Contributor

eyalkraft commented Sep 24, 2024
edited
Loading

@moukoublen Are you sure we need a special case in cloudbeat for this flow?
What would happen if we provide the user's role ARN on the role ARN authentication config option? would it fail?
I'm just wondering if the first role would be implicitly assumed by the SDK which will then mean the second assume would succeed.
wdyt?

This also has implications on how other integration could leverage cloud connectors. Ideally we wouldn't want to have to change every beat and beat to support it, but leverage the existing role-arn config option.

@moukoublen
Copy link
Member Author

moukoublen commented Sep 24, 2024
edited
Loading

@eyalkraft I think for the remote assume to work we need a default config first (so aws SDK to get the token provided by the EKS Pod Identithy agent from the k8s mounted volume) using awsconfig.LoadDefaultConfig and then using that credentials (the elastic super-role) assume the remote one.

I think using the already implemented flow of "role arn to assume" didn't work for me in POC, but I didn't put the effort in, so perhaps it's something else that needs fixing.

So, I will check the flow of "role to assume" as it is implemented from `gibbet' further and post my findings here.

In any case, if we need to implement the described changes in cloudbeat, we could later on do that inside the "role to assume" flow of libbeat, and it would work for every beat.

@oren-zohar oren-zohar changed the title [Cloud Connectors] [MVP] Configuration and Flow [Cloud Connectors] Configuration and Flow Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Team:Cloud Security Cloud Security team related
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@moukoublen @eyalkraft