Assume role from profile via instance metadata #383

christopher-dG · 2021-06-18T15:33:01Z

Closes #287

[default]
region = us-east-2

[profile role-to-assume]
region = us-east-2
role_arn = arn:aws:iam::account:role/role-to-assume
credential_source = Ec2InstanceMetadata

julia> using AWS

julia> global_aws_config(; profile="default")
AWSConfig(arn:aws:iam::account:instance-profile/role-from-instance-profile (ASIASWQI5NDNRIZLJ3WJ, pAk..., IQo..., 2021-06-18T21:11:05), "us-east-2", "json")

julia> global_aws_config(; profile="role-to-assume")
AWSConfig(arn:aws:sts::account:assumed-role/role-to-assume/AWS.jl-role-role-to-assume-20210618T152950Z (ASIASWQI5NDNRFEK2HJS, AYR..., IQo..., 2021-06-18T15:44:53), "us-east-2", "json")

Needs some tests of course.

src/AWSCredentials.jl

omus · 2021-06-18T15:35:46Z

bors try

omus · 2021-06-18T15:36:29Z

I'll start the CI before the tests are added just to verify the changes doesn't break anything

bors · 2021-06-18T15:38:39Z

try

Build failed:

Julia 1 - ubuntu-latest - x64

mattBrzezinski · 2021-06-18T15:48:47Z

bors try

src/AWSCredentials.jl

bors · 2021-06-18T15:53:05Z

try

Build succeeded:

src/AWSCredentials.jl

mattBrzezinski

bors r+

bors · 2021-06-18T21:02:14Z

Canceled.

mattBrzezinski · 2021-06-18T21:02:21Z

bors r+

383: Assume role from profile via instance metadata r=mattBrzezinski a=christopher-dG Closes #287 ```ini [default] region = us-east-2 [profile role-to-assume] region = us-east-2 role_arn = arn:aws:iam::account:role/role-to-assume credential_source = Ec2InstanceMetadata ``` ```julia julia> using AWS julia> global_aws_config(; profile="default") AWSConfig(arn:aws:iam::account:instance-profile/role-from-instance-profile (ASIASWQI5NDNRIZLJ3WJ, pAk..., IQo..., 2021-06-18T21:11:05), "us-east-2", "json") julia> global_aws_config(; profile="role-to-assume") AWSConfig(arn:aws:sts::account:assumed-role/role-to-assume/AWS.jl-role-role-to-assume-20210618T152950Z (ASIASWQI5NDNRFEK2HJS, AYR..., IQo..., 2021-06-18T15:44:53), "us-east-2", "json") ``` Needs some tests of course. Co-authored-by: Chris de Graaf <me@cdg.dev> Co-authored-by: mattBrzezinski <matt.brzezinski@invenia.ca>

bors · 2021-06-18T21:08:34Z

Build failed:

Julia 1 - ubuntu-latest - x64

christopher-dG · 2021-06-21T13:03:38Z

bors try

(I dunno if I'm allowed to do this, if not can someone run tests?)

bors · 2021-06-21T13:03:39Z

🔒 Permission denied

Existing reviewers: click here to make christopher-dG a reviewer

mattBrzezinski · 2021-06-21T13:05:08Z

bors try

bors · 2021-06-21T13:07:55Z

try

Build failed:

Julia 1 - ubuntu-latest - x64

christopher-dG · 2021-06-21T13:10:48Z

One more? I think I caught everything now.

mattBrzezinski · 2021-06-21T13:11:13Z

bors try

bors · 2021-06-21T13:13:51Z

try

Build failed:

Julia 1 - ubuntu-latest - x64

mattBrzezinski · 2021-06-21T13:23:56Z

bors try

bors · 2021-06-21T13:26:35Z

try

Build failed:

Julia 1 - ubuntu-latest - x64

christopher-dG · 2021-06-21T13:33:38Z

Now I'm a bit confused, the error seems to indicate that the _http_request_patch is not active. Does a nested apply cancel out any outer applys?

mattBrzezinski · 2021-06-21T14:12:57Z

Now I'm a bit confused, the error seems to indicate that the _http_request_patch is not active. Does a nested apply cancel out any outer applys?

I'm not too familiar with Mocking.jl can we not just do:

apply([patch_1, patch_2]) do

mattBrzezinski · 2021-06-21T14:29:47Z

bors try

christopher-dG · 2021-06-29T21:48:06Z

There's also a line 507 somewhere in the output which is the call to ec2_instance_credentials

christopher-dG · 2021-06-29T21:49:39Z

Here's a full output (it's 100K lines long): out.txt

src/AWSCredentials.jl

christopher-dG · 2021-07-15T14:11:58Z

Ok so I walked through this with a bunch of prints, and the problem is the STS.assume_role which eventually calls check_credentials from sign_aws4!. Since the expiry is mocked to always return a moment in the past, every call to check_credentials is going to return expired credentials.

The immediate fix would be to mock out the STS.assume_role but I'm curious as to why the AssumeRoleWithWebIdentity tests can get away with it but this can't.

Co-authored-by: mattBrzezinski <matt.brzezinski@invenia.ca>

christopher-dG · 2021-07-16T16:07:28Z

@mattBrzezinski could I get a test run?

mattBrzezinski · 2021-07-16T16:11:06Z

bors try

bors · 2021-07-16T16:12:38Z

try

Build failed:

Julia 1 - ubuntu-latest - x64

christopher-dG · 2021-07-16T16:16:58Z

bors try

bors · 2021-07-16T16:21:07Z

try

Build succeeded:

christopher-dG · 2021-07-16T16:33:51Z

success finally! 😄

christopher-dG · 2021-07-16T16:47:46Z

bors try

bors · 2021-07-16T16:51:10Z

try

Build succeeded:

christopher-dG · 2021-07-16T16:52:29Z

@mattBrzezinski one last review? :)

mattBrzezinski

LGTM! :)

mattBrzezinski · 2021-07-16T17:36:12Z

bors r+

383: Assume role from profile via instance metadata r=mattBrzezinski a=christopher-dG Closes #287 ```ini [default] region = us-east-2 [profile role-to-assume] region = us-east-2 role_arn = arn:aws:iam::account:role/role-to-assume credential_source = Ec2InstanceMetadata ``` ```julia julia> using AWS julia> global_aws_config(; profile="default") AWSConfig(arn:aws:iam::account:instance-profile/role-from-instance-profile (ASIASWQI5NDNRIZLJ3WJ, pAk..., IQo..., 2021-06-18T21:11:05), "us-east-2", "json") julia> global_aws_config(; profile="role-to-assume") AWSConfig(arn:aws:sts::account:assumed-role/role-to-assume/AWS.jl-role-role-to-assume-20210618T152950Z (ASIASWQI5NDNRFEK2HJS, AYR..., IQo..., 2021-06-18T15:44:53), "us-east-2", "json") ``` Needs some tests of course. Co-authored-by: Chris de Graaf <me@cdg.dev> Co-authored-by: mattBrzezinski <matt.brzezinski@invenia.ca>

bors · 2021-07-16T17:41:02Z

Build failed:

Julia 1 - macOS-latest - x64

christopher-dG · 2021-07-16T17:42:01Z

error doesn't look like it's anything I had to do with

mattBrzezinski · 2021-07-16T17:53:23Z

bors r+

bors · 2021-07-16T17:57:55Z

Build succeeded:

omus reviewed Jun 18, 2021

View reviewed changes

src/AWSCredentials.jl Outdated Show resolved Hide resolved

bors bot added a commit that referenced this pull request Jun 18, 2021

Try #383:

7b8aa30

bors bot added a commit that referenced this pull request Jun 18, 2021

Try #383:

8d4df33

mattBrzezinski reviewed Jun 18, 2021

View reviewed changes

src/AWSCredentials.jl Outdated Show resolved Hide resolved

ericphanson reviewed Jun 18, 2021

View reviewed changes

src/AWSCredentials.jl Outdated Show resolved Hide resolved

mattBrzezinski approved these changes Jun 18, 2021

View reviewed changes

bors bot added a commit that referenced this pull request Jun 21, 2021

Try #383:

ef9caa2

bors bot added a commit that referenced this pull request Jun 21, 2021

Try #383:

27b3399

bors bot added a commit that referenced this pull request Jun 21, 2021

Try #383:

8372c06

ericphanson reviewed Jun 29, 2021

View reviewed changes

src/AWSCredentials.jl Show resolved Hide resolved

mattBrzezinski reviewed Jun 29, 2021

View reviewed changes

src/AWSCredentials.jl Show resolved Hide resolved

christopher-dG and others added 3 commits July 16, 2021 13:03

Attempt to mock AWSServices.sts

764ce39

Apply suggestions from code review

0509bb1

Co-authored-by: mattBrzezinski <matt.brzezinski@invenia.ca>

Merge branch 'master' into cdg/instance-metadata-credentials

d2c986e

bors bot added a commit that referenced this pull request Jul 16, 2021

Try #383:

10c8339

oops, fix review suggestion

ef5067f

bors bot added a commit that referenced this pull request Jul 16, 2021

Try #383:

5e6def5

More interpolation instead of concatenation

7ddee43

bors bot added a commit that referenced this pull request Jul 16, 2021

Try #383:

f438b47

mattBrzezinski approved these changes Jul 16, 2021

View reviewed changes

bors bot merged commit d2a2359 into JuliaCloud:master Jul 16, 2021

Assume role from profile via instance metadata #383

Assume role from profile via instance metadata #383

Conversation

christopher-dG commented Jun 18, 2021

omus commented Jun 18, 2021

omus commented Jun 18, 2021

bors bot commented Jun 18, 2021

try

mattBrzezinski commented Jun 18, 2021

bors bot commented Jun 18, 2021

try

mattBrzezinski left a comment

Choose a reason for hiding this comment

bors bot commented Jun 18, 2021

mattBrzezinski commented Jun 18, 2021

bors bot commented Jun 18, 2021

christopher-dG commented Jun 21, 2021

bors bot commented Jun 21, 2021

mattBrzezinski commented Jun 21, 2021

bors bot commented Jun 21, 2021

try

christopher-dG commented Jun 21, 2021

mattBrzezinski commented Jun 21, 2021

bors bot commented Jun 21, 2021

try

mattBrzezinski commented Jun 21, 2021

bors bot commented Jun 21, 2021

try

christopher-dG commented Jun 21, 2021

mattBrzezinski commented Jun 21, 2021

mattBrzezinski commented Jun 21, 2021

christopher-dG commented Jun 29, 2021

christopher-dG commented Jun 29, 2021

christopher-dG commented Jul 15, 2021

christopher-dG commented Jul 16, 2021

mattBrzezinski commented Jul 16, 2021

bors bot commented Jul 16, 2021

try

christopher-dG commented Jul 16, 2021

bors bot commented Jul 16, 2021

try

christopher-dG commented Jul 16, 2021

christopher-dG commented Jul 16, 2021

bors bot commented Jul 16, 2021

try

christopher-dG commented Jul 16, 2021

mattBrzezinski left a comment

Choose a reason for hiding this comment

mattBrzezinski commented Jul 16, 2021

bors bot commented Jul 16, 2021

christopher-dG commented Jul 16, 2021

mattBrzezinski commented Jul 16, 2021

bors bot commented Jul 16, 2021