Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aegea launch will overwrite role definition #71

Open
bkmartinjr opened this issue Nov 10, 2021 · 2 comments
Open

aegea launch will overwrite role definition #71

bkmartinjr opened this issue Nov 10, 2021 · 2 comments

Comments

@bkmartinjr
Copy link

the launch sub-command will set up IAM roles for newly launched instances according to the configuration specified by the user. If multiple users utilize the default (aegea.launch) role, they will clobber each other's configuration.

Example, in a single AWS account:

  • user 1 launches an instance using custom config, eg, adding a policy to the launch role in their .../aegea/config.yml file
  • user 2 launches an instance, with the default config
    At this point, aegea.launch role is reset to the default (missing user 1's customization)

Ideally two user's would not share the namespace when using the default role.
@bkmartinjr
Copy link
Author

Hi @kislyuk - any update on thinking about solutions? I have multiple users who operate in the same account, and who all want to use aegea. The use case is largely running "personal" instances for manual data analysis, etc.

For example, could we have an option to generate a role name that is based upon a per-user unique name or user-specified key in their config?

@kislyuk
Copy link
Owner

kislyuk commented Jan 24, 2022

Hi @bkmartinjr - thanks for reaching out. I'm very swamped right now and would like to take some more time to think about the optimal way to do this. The solution may involve storing configuration information somewhere in the AWS account (like AWS Parameter Store), or (as you suggest) something like aegea launch --personal-iam-role to name the IAM role after the name of the person launching it.

Complicating things is the fact that there is no concept of "user name" when using SSO/AssumeRole/identity federation in AWS (which all enterprises do nowadays) - there is no standard session name, so an assume role session may look like:

  • arn:aws:sts::123456789012:assumed-role/role-name/[email protected]
  • arn:aws:sts::123456789012:assumed-role/role-name/bruce/session-id
  • or even arn:aws:sts::123456789012:assumed-role/role-name/session-id - where the session id is not stable and won't provide enough information to do anything (so I have to make an educated guess at the username and hope that it's correct, or risk proliferating invalid/unused IAM role names).

While I come up with a solution, I recommend putting the following configuration on each user's workstation:

  • ~/.config/aegea/config.yml:
# This is the user configuration file for aegea (https://github.com/kislyuk/aegea).
# For details of aegea configuration management, see https://github.com/kislyuk/aegea#configuration-management
# For a listing of available configuration parameters that can be set here, run `aegea configure`
# or see https://github.com/kislyuk/aegea/blob/develop/aegea/base_config.yml
launch:
  iam_role: bruce-rnd
  manage_iam: true
  iam_policies:
    $extend:
      - AmazonS3FullAccess
      - AmazonSQSFullAccess

replacing "bruce" with the username and "rnd" with the application.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kislyuk @bkmartinjr