-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Boundary provider needs assume_role #62
Comments
@jorhett I want to make sure you're not conflating the Boundary configuration HCL with Terraform HCL. In your comment below, it sounds like you're comparing the AWS Terraform provider with the Boundary configuration HCL:
Though the Boundary configuration uses HCL, it's not Terraform. Secondly, I'm not following the logic here:
An instance profile is actually assuming a role under the hood, the trust policy associated with the instance profile allows this behavior. Is there some reason you can't reduce the privileges of the role associated with the instance profile? |
@malnick Everything I wrote is about your Terraform provider for Boundary. Nothing in here is anything other than Terraform.
Dozens of reasons, all of which are covered extensively in the discussions that led to the role assumption being added to Terraform's AWS provider. TL;DR this would require running one node just to do deployments for each and every Boundary cluster, which would be 16x nodes ATM and probably double that soon. It would also require sequencing the CI job across dozens of nodes since different parts of the job use different profiles. Even just writing the CI logic to ensure the right node with the right AWS profile is selected for each job would be seriously non-trivial and require CI node deployment management that we don't have today... because the Terraform AWS role assumption code was designed exactly to solve this problem |
Note that the provider doesn't actually construct any of the KMS stuff on its own. It just passes the HCL to a Boundary helper which itself just formats it and passes it to https://github.com/hashicorp/go-kms-wrapping. So this issue will not result in any actionable work within this repo (other than pulling in updated deps). |
I'm also facing the same issue as Jo, with multi account AWS and SSO you assume a role in order to not have to create user accounts in X number of AWS accounts. When you supply the HCL for awskms it looks for that key using the AWS_PROFILE you have set so in my case it's looking for a kms arn in a completely different account to where boundary is running which has the kms lookup via an instance profile. Adding the assume_role to the provider to negate this would help solve this I believe. I've also had this using the CLI so in either method per the docs you won't be able to authenticate unless you're a user in the same account where boundary lives. |
It's pretty hard to understand what you mean by this response. I want to interpret it to mean that you grasp we just need to pass the Is it a request that I open a related issue for parsing the additional block in another repo? |
What I meant is that the HCL is parsed by a different library that ultimately seeds that into the configuration at https://www.github.com/hashicorp/go-kms-wrapping/tree/master/wrappers/awskms/awskms.go So the kms configuration is opaque to the provider. The only thing the provider could do is update deps when it's fixed elsewhere. I don't know much about AWS authentication, however if someone that does wants to tackle this, the file I linked above is where support would need to be added. |
Hello @jefferai @jorhett I have similar error, how do I handle it? But mine happens when I try I have checked my AWS, there is nothing like that but why the error? |
It's been a while since I've done AWS administration, and maybe I'm not reading this correctly, but isn't it possible to assume the role of another account through the instance profile itself? I believe you can do this by configuring the trust policy and IAM instance profile per this guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html Once you do that, the provider should get a access key, id, and token through the loopback interface on the host where Terraform is being ran. On the other hand, if you're running the provider from a host outside of EC2, the best workaround for this is using the AWS CLI to set the correct env vars using |
Well for everyone having the issue, just confirm the IAM roles and you are good to go |
Yes, and the go-kms-wrapping supports aliased AWS providers. But your code doesn't pass that along. No upstream change is going to fix a limitation of what syntax your provider accepts.
The way to assume a role in Terraform is to provide an aliased provider with the assumed role declared. Here's Hashicorp's documentation for doing this:
But the Boundary provider doesn't accept this: it requires the use of This is exactly what I'm asking you to support-- start with Hashicorp's docs on the AWS provider setup for role assumption, and then make it possible to use that configuration in your provider. |
Any updates on this issue? |
The same issue applies to GCP serviceaccount impersonation with gcpckms. |
Seems like this was added https://www.boundaryproject.io/docs/configuration/kms/awskms#role_arn ...but there's no explanation of what value should be in |
mwalling poked into the code and figured out that the role assumption assumes a Saml web assignment hashicorp/go-secure-stdlib#33 The SDK has a role assumption provider (which the web provider is actually a child class of) but there was no code to implement it. I created hashicorp/go-secure-stdlib#33 to show how easy the implementation is, and hopefully convince @jefferai @malnick etc to implement it |
@jorhett thanks for running with that! (@cf-mwalling is my |
Any updates on this? I think most of people run terraform out of EC2 instances. |
There was a significant update to the underlying |
I've come across this as well. We're having one AWS mgmt account where you log in. But store all resources in other separate accounts per environment, which we access by assuming roles in all the different accounts. And I'm having this same problem where the Boundary Terraform provider won't do a correct assume role to be able to access the awskms key stored in a separate account to be able to provision boundary. I've tried having both the KMS key in the same account as the boundary controller I'm trying to provision, but it still isn't able to retrieve the KMS restore key so that I'm able to configure the first boundary auth method. The way we run Terraform is also through our workstations rather than on EC2 machines. I've seen in comments and in code the mention that it should now be able to use this through EC2. But that is not how we have our environment setup. So I am also very curios on what the the timescale and roadmap looks like to get this fixed and have a similar functionality to the AWS provider with assume_role that works really well for that provider, in the boundary provider. |
Terraform Version
Any
Affected Resource(s)
None
Terraform Configuration Files
Expected Behavior
What should have happened?
Need to be able to assume a different role for access to KMS resource.
Actual Behavior
What actually happened?
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform plan
Important Factoids
When using the Terraform provider you are running from a workstation or CI system, not from the instance node. While it would be possible to create a CI node in EC2 which has a god-like instance profile, this is a lot less secure than specific role assumption rights given to specific jobs.
While it can be made to work by setting environment variables, the AWS provider with role assumption will be overridden by the environment variables, as documented at https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication, thus breaking all AWS resources in the same plan.
The AWS provider is based on the same SDK, so it would have the same abilities if you added the same attributes to the Boundary provider schema.
References
Too many to list in hashicorp/terraform-provider-aws
The text was updated successfully, but these errors were encountered: