
STS session support, assuming temporary role

What does this MR do?

This MR adds support for STS sessions in order to assume a role with specific permissions. Variables can be added to the assume role request as tags. It enables IAM rules using tags based on GitLab variables.

Why was this MR needed?

On a shared GitLab instance running on EC2 with an instance role, each GitLab project can run pipelines on Fargate with custom roles.

Each project can be allowed to use a given role it can assume to launch ECS tasks.

What's the best way to test this MR?

Configure a job to use a role to run the Fargate tasks.

variables:
  ROLE_ARN: arn:aws:iam::xxxxxxx:role/role_name
  SESSION_VARS: CI_PROJECT_ID,CI_PROJECT_PATH,GITLAB_USER_EMAIL

The AWS principal running the custom executor must be allowed to assume the configured role. If variables are added, session tagging must also be allowed.

Edited by Fabien COMTE
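
The mapping from `SESSION_VARS` to STS session tags described above, sketched as an added example (not the code in this MR). `SessionTag` and `BuildSessionTags` are hypothetical names, the limits and character set are those documented for the STS `AssumeRole` `Tags` parameter, and failing closed on a missing variable is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode/utf8"
)

// SessionTag mirrors the Key/Value pair STS AssumeRole accepts as a session tag.
type SessionTag struct{ Key, Value string }

// Characters STS accepts in session tag keys and values.
var tagChars = regexp.MustCompile(`^[\p{L}\p{Z}\p{N}_.:/=+\-@]*$`)

// STS limits: tags per request, key length, value length (in characters).
const maxTags, maxKeyLen, maxValueLen = 50, 128, 256

// BuildSessionTags maps a SESSION_VARS list ("A,B,C") to session tags, reading
// values through lookup. It fails closed: an unset variable or a value STS would
// reject is an error, so a job never runs with fewer tags than IAM conditions expect.
func BuildSessionTags(sessionVars string, lookup func(string) (string, bool)) ([]SessionTag, error) {
	var tags []SessionTag
	for _, name := range strings.Split(sessionVars, ",") {
		if name = strings.TrimSpace(name); name == "" {
			continue
		}
		value, ok := lookup(name)
		switch {
		case !ok:
			return nil, fmt.Errorf("variable %s is not set", name)
		case utf8.RuneCountInString(name) > maxKeyLen || !tagChars.MatchString(name):
			return nil, fmt.Errorf("invalid tag key %q", name)
		case utf8.RuneCountInString(value) > maxValueLen || !tagChars.MatchString(value):
			return nil, fmt.Errorf("invalid tag value for %s", name)
		}
		tags = append(tags, SessionTag{name, value})
	}
	if len(tags) > maxTags {
		return nil, fmt.Errorf("%d session tags exceed the STS limit of %d", len(tags), maxTags)
	}
	return tags, nil
}

func main() {
	env := map[string]string{"CI_PROJECT_ID": "42", "GITLAB_USER_EMAIL": "dev@example.com"} // constructed
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	fmt.Println(BuildSessionTags("CI_PROJECT_ID,GITLAB_USER_EMAIL", lookup))
}
```

The resulting tags are what a role trust policy can match with `aws:RequestTag/<key>` conditions, alongside the `sts:TagSession` permission the description mentions.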
