mitchellh/vagrant-aws

Add support for account switching roles

sganslandt opened this issue · 5 comments

Trying to use this at work, we're unable to use our existing access keys, since they come from an AWS account which only has IAM users and little else. These users are then granted the ability to assume roles in different accounts, where they can manage resources related to this account. The typical setup of ~/.aws/config and ~/.aws/credentials is something along the lines of...

~/.aws/credentials

[shared]
aws_access_key_id = <my-access-key-id>
aws_secret_access_key = <my-secret-access-key>
region = eu-west-1

~/.aws/config

[profile shared]
output = json
region = eu-west-1

[profile dev]
role_arn = <role from the dev account which allows me to do stuff, like launching ec2 instances>
source_profile = shared

Just this setup (which is what I'm using for everything aws cli), with aws.aws_profile = "dev", gives me a ~/.vagrant.d/gems/2.4.3/gems/vagrant-aws-0.7.2/lib/vagrant-aws/config.rb:537:in `read_aws_files': undefined method `[]' for nil:NilClass (NoMethodError), and it appears that credentials needs to have a matching section for the profile. Putting my shared key in a [dev] section in ~/.aws/credentials, ending up with

~/.aws/credentials

[shared]
aws_access_key_id = <my-access-key-id>
aws_secret_access_key = <my-secret-access-key>
region = eu-west-1

[dev]
aws_access_key_id = <my-access-key-id>
aws_secret_access_key = <my-secret-access-key>
region = eu-west-1

~/.aws/config

[profile shared]
output = json
region = eu-west-1

[profile dev]
role_arn = <role from the dev account which allows me to do stuff, like launching ec2 instances>
source_profile = shared

gets me to...

... Subnet ID not found, suggesting that it's not trying to create the instance in the dev account, but rather in the shared account.

Haven't dug into the code and not sure if this is a bug, feature or a lacking feature :)
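An added example (not the plugin's code, nor the reporter's) of how a config reader can resolve a profile the way the AWS CLI does: follow role_arn/source_profile to the source profile's keys instead of requiring a matching [dev] section in ~/.aws/credentials, and fail with a clear message rather than a NoMethodError on nil. The two sample files and the key/ARN values in them are constructed placeholders.

```ruby
# Constructed sample files mirroring the layout described in the issue.
SAMPLE_CREDENTIALS = <<~INI
  [shared]
  aws_access_key_id = AKIAEXAMPLESHARED
  aws_secret_access_key = example-secret-key
INI

SAMPLE_CONFIG = <<~INI
  [profile shared]
  output = json
  region = eu-west-1

  [profile dev]
  role_arn = arn:aws:iam::123456789012:role/vagrant-dev
  source_profile = shared
INI

# Minimal INI parser: section name => { key => value }.
def parse_aws_ini(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if line =~ /\A\[(.+)\]\z/
      current = sections[$1.strip] = {}
    elsif current && line.include?('=')
      key, value = line.split('=', 2).map(&:strip)
      current[key] = value
    end
  end
  sections
end

# Describes how credentials for `profile` are obtained: static keys, or a role
# to assume with the source profile's keys. Raises a clear error instead of the
# NoMethodError seen when a profile has no [section] in credentials.
def resolve_profile(config_text, creds_text, profile, seen = [])
  raise "source_profile loop: #{(seen + [profile]).join(' -> ')}" if seen.include?(profile)
  section = parse_aws_ini(config_text)["profile #{profile}"] || {}  # config uses "[profile x]"
  static = parse_aws_ini(creds_text)[profile]                        # credentials uses "[x]"
  if section['role_arn'] && section['source_profile']
    source = resolve_profile(config_text, creds_text, section['source_profile'], seen + [profile])
    return { type: :assume_role, role_arn: section['role_arn'], source: source }
  end
  raise "profile '#{profile}' has no credentials" if static.nil?
  { type: :static, access_key_id: static['aws_access_key_id'],
    secret_access_key: static['aws_secret_access_key'], region: section['region'] }
end
```

The :assume_role result carries the source profile's static keys and the role ARN, which is exactly the input `aws sts assume-role` needs; a loop of source_profile references is reported rather than recursed into forever.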

This is not the same as using .aws/config and .aws/credentials, but I can use this plugin successfully with an assumed role by making sure these vars are set in my environment:

export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=YYY
export AWS_SESSION_TOKEN=ZZZ

(they come from the aws sts assume-role command)

I tried this just recently and had trouble with identification, the error message being

/home/alinoe/.vagrant.d/gems/2.4.3/gems/excon-0.62.0/lib/excon/middlewares/expects.rb:7:in `response_call': AuthFailure => Credential must have exactly 5 slash-delimited elements

Did you encounter the same issue?

I can provide a full debug log if it helps.

I think you have accidentally mixed up the values of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

Would love to see this addressed.

Here's a way to do this in the Vagrantfile:

require "iniparse"
require "json"
require "shellwords"

def get_role_creds(profile, session_name)
  # Read the role_arn for the profile from ~/.aws/config, then run
  # aws sts assume-role to get temporary creds for the assumed role
  config_path = File.expand_path("~/.aws/config")
  aws_config = IniParse.parse(File.read(config_path))
  profile_config = aws_config["profile #{profile}"]
  raise "profile '#{profile}' not found in #{config_path}" if profile_config.nil?
  role_arn = profile_config["role_arn"]
  raise "profile '#{profile}' has no role_arn" if role_arn.nil?
  # Escape both values so each reaches the shell as a single argument
  json = `aws sts assume-role --role-arn #{Shellwords.escape(role_arn)} --role-session-name #{Shellwords.escape(session_name)}`
  raise "aws sts assume-role failed (exit #{$?.exitstatus})" unless $?.success?
  session_data = JSON.parse(json)
  # The Credentials hash holds AccessKeyId, SecretAccessKey, SessionToken and Expiration
  session_data["Credentials"]
end

Vagrant.configure("2") do |config|
  config.vm.box = "dummy"

  aws_profile = 'myprofile'
  aws_session_name = 'my_session_name_vagrant'
  creds = get_role_creds(aws_profile, aws_session_name)

  config.vm.provider :aws do |aws, override|
    aws.region = "us-west-2"
    # Temporary credentials: the session token must be passed along with the key pair
    aws.access_key_id = creds['AccessKeyId']
    aws.secret_access_key = creds['SecretAccessKey']
    aws.session_token = creds['SessionToken']

    # ...

  end

end