venth/aws-adfs

Preferred Usage Patterns -- Role Chaining

rpattcorner opened this issue · 2 comments

aws-adfs offers some serious advantages over our current bash scripting for AD-based credentials. But for it to be useful in the use cases I have, I'll need to extend it ... either from the outside (in a script wrapper) or by forking and extending (obviously harder!). How have people extended it up to now architecturally?

The main issue and use case is role chaining. There is a series of accounts that users access by:

  • Authenticating with AD (scripted), which lands in a neutral role whose only privileges are to assume other roles in other accounts
  • Chaining to target roles in the target accounts using the credentials of that initial AD-assumed role

This architecture is quite common with the advent of AWS Organizations and account-per-project architectures. So I wonder if anyone solved this chaining scenario using aws-adfs?

If not:

  • I see current code can write the temporary creds to the usual environment variables for postprocessing via --printenv. I assume that's the way to move forward in a wrapper script?
  • Is there an obvious point in the code to internally extend the functionality and have aws-adfs do the chaining? If so, is there an obvious place to put the secondary configuration, e.g. all the role ARNs the initial role can chain to?
  • Is there an existing mode where current code can be addressed as a python library from a custom python wrapper?
  • Other thoughts?

Then there are time limits, especially with role chaining. I see from your example that aws-adfs can be placed (manually?) in the ~/.aws/config like this:

[profile example-role-ue1]
credential_process=aws-adfs login --region=us-east-1 --role-arn=arn:aws:iam::1234567891234:role/example-role --adfs-host=adfs.example.com --stdout

but it's not clear from the AWS doc how that command is activated. Is this credential_process something that is somehow automatically run as temporary creds expire? How is that line processed/run/made effective?

If we were able to usably extend this to chained roles, credential_process might solve the problem of long-running jobs dying after the statutory one-hour lifetime of chained creds.

Anyway, thoughts welcome! Thanks for a great capability!

Hi @rpattcorner,

In our use case, role chaining is accomplished using native AWS CLI features, e.g.:

[profile base-adfs-profile]
credential_process=aws-adfs login --region=us-east-1 --role-arn=arn:aws:iam::1234567891234:role/example-role --adfs-host=adfs.example.com --stdout

[profile chained-profile]
role_arn = arn:aws:iam::2345678912345:role/my-role
source_profile = base-adfs-profile

Regarding credential_process, it is the responsibility of the invoked command to cache credentials if desired:

Note: The AWS CLI does not cache external process credentials the way it does assume-role credentials. If caching is required, you must implement it in the external process.

See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
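The reply above leaves caching to the external process. The following is an added example, not code from aws-adfs or from either participant in this thread: a small credential_process wrapper that caches what aws-adfs returns and only re-runs the login when the cached session is missing, corrupt, or about to expire. It assumes that `aws-adfs login ... --stdout` prints the credential_process JSON the CLI expects (`Version`, `AccessKeyId`, `SecretAccessKey`, `SessionToken`, `Expiration`), which is what makes the profile in the reply work at all; the cache directory, the five-minute refresh margin and the script's argument order are choices made here, not anything the project defines.

```python
"""Caching credential_process wrapper around aws-adfs.

Added example; not part of aws-adfs or of this thread. Assumptions:
  * `aws-adfs login ... --stdout` prints the credential_process JSON the CLI
    expects (Version, AccessKeyId, SecretAccessKey, SessionToken, Expiration).
  * The cache location, refresh margin and argv layout are choices made here.
"""
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Callable, Dict, Optional

# Refresh when less than this remains, so a CLI call that starts now does not
# run on credentials that expire a few seconds into the request.
REFRESH_MARGIN = timedelta(minutes=5)
REQUIRED = ("Version", "AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def parse_expiration(value: str) -> datetime:
    """Parse an ISO-8601 Expiration; a trailing 'Z' becomes +00:00, naive means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_usable(creds: Dict, now: datetime) -> bool:
    """True if creds has the credential_process shape and outlives the margin."""
    if not all(k in creds for k in REQUIRED):
        return False
    return parse_expiration(creds["Expiration"]) - now > REFRESH_MARGIN


def run_aws_adfs(role_arn: str, adfs_host: str, region: str) -> Dict:
    """Call aws-adfs with the flags shown in the thread and parse its stdout."""
    proc = subprocess.run(
        ["aws-adfs", "login", f"--region={region}", f"--role-arn={role_arn}",
         f"--adfs-host={adfs_host}", "--stdout"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def get_credentials(cache_path: Path, fetch: Callable[[], Dict],
                    now: Optional[datetime] = None) -> Dict:
    """Serve credentials from cache_path while usable; otherwise fetch and cache.

    The file holds a session token, so it is written atomically with owner-only
    permissions (mkstemp creates it 0600) and is never left half-written.
    """
    now = now or datetime.now(timezone.utc)
    try:
        cached = json.loads(cache_path.read_text())
        if is_usable(cached, now):
            return cached
    except (FileNotFoundError, ValueError):
        pass  # no cache, or a corrupt one: fall through to a fresh login
    fresh = fetch()
    if not is_usable(fresh, now):
        raise RuntimeError("aws-adfs returned malformed or already-expiring credentials")
    fd, tmp = tempfile.mkstemp(dir=cache_path.parent, prefix=".adfs-")
    with os.fdopen(fd, "w") as f:
        json.dump(fresh, f)
    os.replace(tmp, cache_path)
    return fresh


def demo() -> Dict[str, object]:
    """Exercise the cache with a counting fake fetcher and constructed credentials."""
    calls = {"n": 0}
    clock = {"now": parse_expiration("2024-01-01T00:00:00Z")}

    def fake_fetch() -> Dict:
        calls["n"] += 1  # one simulated login per call; values are constructed
        return {"Version": 1, "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "s",
                "SessionToken": "t",
                "Expiration": (clock["now"] + timedelta(hours=1)).isoformat()}

    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "creds.json"
        get_credentials(path, fake_fetch, clock["now"])  # miss: login
        get_credentials(path, fake_fetch, clock["now"])  # hit: no login
        after_two = calls["n"]
        clock["now"] += timedelta(minutes=56)            # 4 min left < margin
        get_credentials(path, fake_fetch, clock["now"])  # refresh: login
        get_credentials(path, fake_fetch, clock["now"])  # hit again
        mode = oct(path.stat().st_mode & 0o777)
    return {"after_two": after_two, "total": calls["n"], "mode": mode}


if __name__ == "__main__":
    # usage: this_script.py ROLE_ARN ADFS_HOST REGION  (argv layout is an assumption)
    role_arn, adfs_host, region = sys.argv[1:4]
    cache_dir = Path.home() / ".aws" / "adfs-cache"
    cache_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    cache = cache_dir / (role_arn.replace(":", "_").replace("/", "_") + ".json")
    creds = get_credentials(cache, lambda: run_aws_adfs(role_arn, adfs_host, region))
    print(json.dumps(creds))  # the CLI reads this JSON from stdout
```

Point the base profile's `credential_process` at this script instead of at `aws-adfs` directly; the `source_profile` chaining in the reply then works unchanged, because the CLI only sees the JSON on stdout. Two caveats: the cache holds a live session token, so keep it under a directory only you can read (the script creates `~/.aws/adfs-cache` with mode 0700), and caching does not lift the limit the question worries about, since a session obtained by role chaining is still capped by AWS at one hour regardless of how long the base session lives.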

Many thanks @pdecat . That's really helpful!