Support cross-account deploys #41
Comments
@lucasnad27 Thank you so much for explaining this issue in such detail. Your solution sounds good and also potentially useful in other use cases. I'd love to receive your PR!
Glad to hear. I hope to have one ready for review by the end of this week.
Hey all, I ran into this issue myself today and saw this issue/PR and was wondering if there were any plans to build this support out for the ECS orb? I was able to get around it by doing a weird hack based on what @lucasnad27 was doing. Basically just overriding aws cred envs with generated ones before the update service step:

```shell
# Assume the deployment role and capture the STS response as JSON
temp_role=$(aws sts assume-role --role-arn $AWS_DEPLOYMENT_ROLE_ARN --role-session-name "role_session")
# Persist the temporary credentials into $BASH_ENV so later steps pick them up
# (xargs strips the surrounding JSON quotes from each value)
echo "export AWS_ACCESS_KEY_ID=$(echo $temp_role | jq .Credentials.AccessKeyId | xargs)" >> $BASH_ENV; source $BASH_ENV;
echo "export AWS_SECRET_ACCESS_KEY=$(echo $temp_role | jq .Credentials.SecretAccessKey | xargs)" >> $BASH_ENV; source $BASH_ENV;
echo "export AWS_SESSION_TOKEN=$(echo $temp_role | jq .Credentials.SessionToken | xargs)" >> $BASH_ENV; source $BASH_ENV;
```
This has been addressed in PR #153
Problem
I'm using another aws orb that enables me to assume another role with my circleci aws user. However, I was unable to deploy across multiple aws accounts, utilizing cross account roles with this orb.
Proposed fix
Explicitly set the profile for all `aws ecs` commands and add an optional parameter called `profile-name` (similar to the `aws-cli` orb) as a parameter, with a default of... `default`.
I have a fork that I'd be happy to submit as a pull request if there is some consensus on this being the best way to fix this issue.
Steps to reproduce bug
I was able to track this issue down to the aws cli (read: appears to be an aws cli bug, not a bug in this orb). If you create an aws session token (which is necessary to assume a cross account role), `aws` commands don't seem to respect this setting unless you explicitly set your profile, even if it is the default. It has the downstream effect of rendering cross account deploys impossible with this orb. Unfortunately, I was only able to reproduce this on a circleci machine, using the ssh feature. I was unable to reproduce on my local machine.
Here's the simplest way to reproduce within a circleci session
Push an update to a circleci project using this snippet of config:
This will fail because a task definition doesn't exist. If you ssh to the box, you can try the following:

```shell
aws ecs describe-task-definition --task-definition production-api --include TAGS
```

returns

```
An error occurred (ClientException) when calling the DescribeTaskDefinition operation: Unable to describe task definition.
```

```shell
aws ecs describe-task-definition --task-definition production-api --include TAGS --profile default
```

returns
The crux of the problem here is that by default, the aws cli within a circleci machine is not assuming the cross account role unless you specify the profile in each call.

```shell
aws iam get-user
```

yields... whereas

```shell
aws iam get-user --profile default
```

yields a 403 (because my cross account role doesn't have that privilege).
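The workaround posted in the comments above pipes `aws sts assume-role` output through `jq ... | xargs` into `$BASH_ENV`, and the issue body proposes routing every `aws ecs` call through an explicit `--profile`. The script below is an added example, not code from the orb, the PR or any commenter: it takes the JSON shape that `aws sts assume-role` prints (the `Credentials.AccessKeyId`, `SecretAccessKey`, `SessionToken` and `Expiration` fields), refuses to emit anything if a field is missing, shell-quotes the values so a secret containing `$` or whitespace cannot break `$BASH_ENV`, checks the expiry before use, and can also render the same credentials as a named `~/.aws/credentials` section so that `--profile <name>` resolves to the assumed role. The sample STS response and the `deploy` profile name are constructed for the example; the function names are assumptions of this snippet.

```python
import json
import shlex
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample in the shape `aws sts assume-role` prints; the key values are fake.
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000000",
        "SecretAccessKey": "exampleSecret/With+Specials",
        "SessionToken": "FwoGZXIvYXdzEXAMPLE//////////token==",
        "Expiration": "2099-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:role_session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/deploy/role_session",
    },
})

# STS field name -> environment variable the AWS CLI/SDKs read.
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def parse_credentials(sts_json: str) -> Dict[str, str]:
    """Extract the credential fields; fail loudly rather than export a partial set."""
    creds = json.loads(sts_json).get("Credentials", {})
    missing = [k for k in ENV_NAMES if not creds.get(k)]
    if missing:
        raise ValueError(f"assume-role output lacks {missing}; not exporting partial credentials")
    result = {k: creds[k] for k in ENV_NAMES}
    result["Expiration"] = creds.get("Expiration", "")
    return result


def is_expired(creds: Dict[str, str], now: Optional[datetime] = None,
               margin: timedelta = timedelta(minutes=5)) -> bool:
    """True if the session token is (or will within `margin` be) expired.

    CLI v1 prints 'Z' suffixes, v2 prints '+00:00'; both are accepted.
    An unknown expiry is treated as expired so the caller re-assumes the role.
    """
    raw = creds.get("Expiration") or ""
    if not raw:
        return True
    expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now + margin >= expires


def bash_env_lines(creds: Dict[str, str]) -> List[str]:
    """Lines to append to $BASH_ENV. shlex.quote keeps '/', '+' and '=' as-is but
    wraps anything with shell metacharacters in single quotes."""
    return [f"export {env}={shlex.quote(creds[field])}" for field, env in ENV_NAMES.items()]


def credentials_profile(creds: Dict[str, str], profile_name: str) -> str:
    """An ~/.aws/credentials section so `aws ... --profile <profile_name>` uses the role."""
    return "\n".join([
        f"[{profile_name}]",
        f"aws_access_key_id = {creds['AccessKeyId']}",
        f"aws_secret_access_key = {creds['SecretAccessKey']}",
        f"aws_session_token = {creds['SessionToken']}",
    ]) + "\n"


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_STS_OUTPUT)
    if is_expired(creds):
        raise SystemExit("session credentials expired; re-run assume-role")
    print("\n".join(bash_env_lines(creds)))
    print(credentials_profile(creds, "deploy"))
```

In a CircleCI step the `bash_env_lines` output would be appended to `$BASH_ENV` exactly as the comment's hack does, while `credentials_profile` is the option that matches the proposed `profile-name` parameter: write it to the credentials file once and every subsequent `aws ecs ... --profile deploy` call picks up the assumed role without touching the ambient environment.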