jorgebastida/gordon

Option to use existing IAM roles instead of dynamically creating roles

mparaz opened this issue · 4 comments

I would like the option of the CloudFormation template to make use of existing IAM roles, instead of dynamically creating them.

One scenario is when the user running Gordon, or manually creating the CloudFormation stack, does not have IAM privileges.

ahl commented

I've done this with role

https://gordon.readthedocs.io/en/latest/lambdas.html#role

Does that work for you?

Even when providing the ARN I still get an exception from it attempting to call iam:list_users. I'm doing this from a federated account that does not have IAM access.

My settings.yml

```yaml
lambdas:
  helloworld:
    code: helloworld
    handler: code.handler
    runtime: nodejs4.3
    role: arn:aws:iam::#######:role/acct-managed/Lambda-Deploy
```

Running apply:

```
Applying project...
Traceback (most recent call last):
  File "/usr/bin/gordon", line 11, in <module>
    load_entry_point('gordon==0.5.0', 'console_scripts', 'gordon')()
  File "/usr/lib/python2.7/site-packages/gordon/bin.py", line 109, in main
    getattr(obj, options.func)()
  File "/usr/lib/python2.7/site-packages/gordon/core.py", line 426, in apply
    context.update(self.collect_parameters())
  File "/usr/lib/python2.7/site-packages/gordon/core.py", line 459, in collect_parameters
    aws_account_id = boto3.client('iam').list_users(MaxItems=1)['Users'][0]['Arn'].split(':')[4]
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 253, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 543, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the ListUsers operation: The security token included in the request is invalid.
```

Looks like what Gordon really cares about is the account id. We can just add that as a config var:

# Retrieve the account_id of the credentials currently in use.

Next issue is that gordon.contrib.lambdas had a policy defined, so even if you have a role configured for your application, gordon still tries to create one for the contrib function.

See:
https://github.com/jorgebastida/gordon/blob/master/gordon/contrib/lambdas/settings.yml#L11
https://gordon.readthedocs.io/en/latest/contrib.html
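The traceback above shows the root of the permission problem: `collect_parameters` only wants the 12-digit account id, but obtains it by calling `iam:ListUsers`, which a federated session without IAM rights cannot make. The snippet below is an added example (not gordon's own code and not from any commenter on this thread) of the two least-privilege alternatives discussed here: an explicit `account_id` setting, and `sts:GetCallerIdentity`, which any authenticated principal may call without an IAM policy grant. It also checks that the configured role ARN actually lives in the account being deployed to, which catches a copy-pasted cross-account role before CloudFormation fails. The setting name `account_id`, the `FakeStsClient` stand-in and all account numbers are assumptions constructed for the example.

```python
# Added example: resolve the AWS account id without calling iam:ListUsers.
# Order of preference: explicit `account_id` setting (assumed name), then
# sts:GetCallerIdentity, which needs no IAM permission. Not gordon's code.
import re
from typing import Any, Mapping, Optional

_ACCOUNT_RE = re.compile(r"^\d{12}$")


def account_id_from_arn(arn: str) -> str:
    """Return the account-id field (index 4) of an ARN, validated as 12 digits."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    account = parts[4]
    if not _ACCOUNT_RE.match(account):
        raise ValueError("ARN carries no 12-digit account id: %r" % arn)
    return account


def resolve_account_id(settings: Mapping[str, Any], sts_client: Optional[Any] = None) -> str:
    """Account id from settings if present, otherwise from STS GetCallerIdentity."""
    explicit = settings.get("account_id")  # assumed setting name
    if explicit is not None:
        explicit = str(explicit)
        if not _ACCOUNT_RE.match(explicit):
            raise ValueError("account_id must be 12 digits, got %r" % explicit)
        return explicit
    if sts_client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        sts_client = boto3.client("sts")
    identity = sts_client.get_caller_identity()
    # 'Account' is returned as its own field; parsing identity['Arn'] gives the same value.
    return str(identity["Account"])


def role_in_caller_account(role_arn: str, account_id: str) -> bool:
    """True when the configured role lives in the account being deployed to."""
    return account_id_from_arn(role_arn) == account_id


class FakeStsClient:
    """Constructed stand-in for boto3's STS client so the example runs offline."""

    def __init__(self, account: str, arn: str) -> None:
        self._account = account
        self._arn = arn

    def get_caller_identity(self) -> dict:
        return {"UserId": "AROAEXAMPLEID:session", "Account": self._account, "Arn": self._arn}


if __name__ == "__main__":
    # Constructed settings mirroring the thread's settings.yml, with a made-up account.
    settings = {"lambdas": {"helloworld": {
        "role": "arn:aws:iam::123456789012:role/acct-managed/Lambda-Deploy"}}}
    sts = FakeStsClient("123456789012",
                        "arn:aws:sts::123456789012:assumed-role/Deployer/federated-session")
    acct = resolve_account_id(settings, sts_client=sts)
    role = settings["lambdas"]["helloworld"]["role"]
    print(acct, role_in_caller_account(role, acct))
```

Passing a real `boto3.client("sts")` (or leaving `sts_client` as `None`) makes the same function work against AWS; the only permission exercised is `sts:GetCallerIdentity`, so a federated or otherwise IAM-restricted deployer no longer trips over `ListUsers`.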