Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

provider/aws: Added sts:GetCallerIdentity to GetAccountId for federated logins #6385

Merged
merged 2 commits into from
May 5, 2016

Conversation

bigkraig
Copy link
Contributor

The STS GetCallerIdentity function works for fetching the account id no matter how you're authenticated.

There appears to be a complicated GetAccountId function in auth_helpers.go that accomplishes the same thing. Since I don't know why that was created I didn't update that use, but I think that may be able to use the same method.

@radeksimko
Copy link
Member

Thanks for discovering sts:GetCallerIdentity! 👍 It looks like AWS is listening to our requests, that's great! 😃

We could possibly use this to replace iam:ListRoles in auth_helpers.go, but the caveat of STS is that users can enable/disable STS per regions, so I'm rather thinking we'll make it one of the ways to discover account ID and probably put it in front of iam:ListRoles as hacks should always go last. That way we also don't need to introduce any breaking changes and make it work for people that have sts disabled for any reasons.

There appears to be a complicated GetAccountId function in auth_helpers.go that accomplishes the same thing.

That method is there to get around differences in environments where Terraform can run:

  • EC2 instance (IAM instance profile)
  • federated IAM roles
  • standard IAM Users

I'm happy to bump the aws-sdk-go version but not inclined to use sts:GetCallerIdentity as the only method nor inclined to use it directly in each resource. It should be part of auth_helpers.go.

In addition to all of the above resources should not be calling GetAccountId function directly. The only reason I exported this function was #5270

We should call that function once and save the account ID somewhere (possibly to AWSClient which is passed to each resource via meta argument), so that it's cached during the terraform run and resources don't ask API again for what we know already.

@radeksimko radeksimko added enhancement waiting-response An issue/pull request is waiting for a response from the community provider/aws labels Apr 28, 2016
@bigkraig bigkraig force-pushed the use-sts-GetCallerIdentity branch from 21818f4 to 5e122e5 Compare April 28, 2016 18:00
@bigkraig
Copy link
Contributor Author

@radeksimko let me know what you think. I added accountid to the AWSClient.

It looks good so far, I ran this against an existing deployment and it added tags to my aws_db_subnet_group.

func getMockedAwsIamApi(endpoints []*iamEndpoint) (func(), *iam.IAM) {
// getMockedAwsIamStsApi establishes a httptest server to simulate behaviour
// of a real AWS' IAM & STS server
func getMockedAwsIamStsApi(endpoints []*iamEndpoint) (func(), *iam.IAM, *sts.STS) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you mind also adding the actual STS mock responses (for success + error) and two tests testing STS?

  1. iam:GetUser - 403 (failure) => sts:GetCallerIdentity - 200 (success)
  2. iam:GetUser - 403 (failure) => sts:GetCallerIdentity - any failure => iam:ListRoles - 200 (successful fallback to ListRoles)

You can use examples of responses from the API reference as mocks: http://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html

@radeksimko
Copy link
Member

I left you some comments there, but overall this looks pretty good, I think it's quite close to to be merged. 👍 😉

Would you mind separating this into two PRs - one for adding the sts:GetCallerIdentity into GetAccountId etc. and another one for modifying all the resources that would leverage this new functionality?

@bigkraig bigkraig force-pushed the use-sts-GetCallerIdentity branch from ad6a917 to 7f9db15 Compare April 29, 2016 20:25
@bigkraig
Copy link
Contributor Author

@radeksimko this one is updated to be the PR for sts:GetCallerIdentity only

@bigkraig bigkraig changed the title Fix building ARNs for RDS resources when using IAM roles Added sts:GetCallerIdentity to GetAccountId for federated logins Apr 29, 2016
@bigkraig bigkraig changed the title Added sts:GetCallerIdentity to GetAccountId for federated logins provider/aws: Added sts:GetCallerIdentity to GetAccountId for federated logins May 2, 2016
@radeksimko radeksimko self-assigned this May 4, 2016
@radeksimko
Copy link
Member

The second commit 7f9db15 LGTM, but I've got two reservations about the first one with dependencies:

  1. There are some conflicts which need resolving
  2. I think we'd prefer pinning to tagged versions rather than specific hashes if possible - i.e. v1.1.21 instead of v1.1.21-3-ge906984.

@bigkraig bigkraig force-pushed the use-sts-GetCallerIdentity branch 3 times, most recently from d31ac4a to 8dadb51 Compare May 5, 2016 01:08
@bigkraig
Copy link
Contributor Author

bigkraig commented May 5, 2016

@radeksimko hows this?

@radeksimko
Copy link
Member

radeksimko commented May 5, 2016

@bigkraig just one last thing - can you update your godep to avoid these two lines in the diff?

-   "GodepVersion": "v63",
+   "GodepVersion": "v62",

Try go get -u github.com/tools/godep.

bigkraig added 2 commits May 5, 2016 07:02
…ary includes GetCallerIdentity which can be used to build ARNs for RDS resources when using IAM roles
…hase. We use iam.GetUser(nil) scattered around to get the account id, but this isn't the most reliable method. GetAccountId now uses one more method (sts:GetCallerIdentity) to get the account id, this works with federated users.
@bigkraig bigkraig force-pushed the use-sts-GetCallerIdentity branch from 8dadb51 to a23bcf2 Compare May 5, 2016 14:03
@bigkraig
Copy link
Contributor Author

bigkraig commented May 5, 2016

@radeksimko done!

@radeksimko radeksimko removed the waiting-response An issue/pull request is waiting for a response from the community label May 5, 2016
@radeksimko radeksimko merged commit e32a8c1 into hashicorp:master May 5, 2016
radeksimko added a commit that referenced this pull request May 5, 2016
radeksimko added a commit that referenced this pull request May 5, 2016
radeksimko added a commit that referenced this pull request May 5, 2016
aws: Update docs after #6385 (account ID via sts)
bigkraig pushed a commit to ticketmaster/terraform that referenced this pull request May 5, 2016
cristicalin pushed a commit to cristicalin/terraform that referenced this pull request May 24, 2016
@ghost
Copy link

ghost commented Apr 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 26, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants