AWS integration per-environment role management
Problem to solve
Beyond #26777 (closed), it would be good to have the equivalent of `aws sts assume-role …` managed by the AWS integration and configurable per environment, or perhaps even per job. That way it is easier to write generic CI jobs for multiple projects and delegate the handling of AWS credentials and sessions to something else, instead of coding all the possibilities into each job.
Target audience
- Devon, DevOps Engineer, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#devon-devops-engineer
- Sidney, Systems Administrator, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sidney-systems-administrator
Further details
Sourced from comment https://gitlab.com/gitlab-org/gitlab-ce/issues/57780#note_146661044
aws sts assume-role
Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token.
Example: to assume a role:

```
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
```
The output of the command contains an access key, secret key, and session token that you can use to authenticate to AWS:
```json
{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
        "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
    },
    "Credentials": {
        "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
        "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
        "Expiration": "2016-03-15T00:05:07Z",
        "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
    }
}
```
The outputs:

- AccessKeyId -> (string): The access key ID that identifies the temporary security credentials.
- SecretAccessKey -> (string): The secret access key that can be used to sign requests.
- SessionToken -> (string): The token that users must pass to the service API to use the temporary credentials.
- Expiration -> (timestamp): The date on which the current credentials expire.
- AssumedRoleUser -> (structure): The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you can use to refer to the resulting temporary security credentials. For example, you can reference these credentials as a principal in a resource-based policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName that you specified when you called AssumeRole.
  - AssumedRoleId -> (string): A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created.
  - Arn -> (string): The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.
- PackedPolicySize -> (integer): A percentage value that indicates the packed size of the session policies and session tags combined passed in the request. The request fails if the packed size is greater than 100 percent, which means the policies and tags exceeded the allowed space.
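Added illustration (not GitLab code and not part of this issue): a Python sketch of what the proposed per-environment handling could do inside a job. It assumes a hypothetical ROLE_MAP from environment name to role ARN and an injectable `assume_role` backend; the default backend shells out to the CLI command shown above and reads the JSON document it prints.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed mapping (hypothetical): which role each deployment environment may assume.
ROLE_MAP = {
    "staging": "arn:aws:iam::123456789012:role/ci-staging-deploy",
    "production": "arn:aws:iam::123456789012:role/ci-production-deploy",
}
MIN_LIFETIME = timedelta(minutes=15)  # reject sessions that would expire mid-job


def parse_ts(value: str) -> datetime:
    """Parse the 'Expiration' timestamp format shown in the AssumeRole output."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_name(project_id: str, job_id: str) -> str:
    """RoleSessionName that identifies the originating CI job in CloudTrail
    (STS limits it to 64 chars of [\\w+=,.@-])."""
    return f"gitlab-{project_id}-job-{job_id}"[:64]


def cli_assume_role(role_arn: str, name: str) -> dict:
    """Default backend: run the CLI command from the page and parse its JSON output."""
    proc = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn, "--role-session-name", name],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def credentials_env(environment: str, project_id: str, job_id: str,
                    assume_role=cli_assume_role, now=None) -> dict:
    """Return the AWS_* variables a job exports for `environment`.

    Unknown environments raise rather than falling back to long-lived keys, and
    credentials that expire within MIN_LIFETIME are rejected up front.
    `now` is an optional ISO-8601 string (for testing); default is the current time."""
    if environment not in ROLE_MAP:
        raise KeyError(f"no role configured for environment {environment!r}")
    resp = assume_role(ROLE_MAP[environment], session_name(project_id, job_id))
    creds = resp["Credentials"]
    current = parse_ts(now) if now else datetime.now(timezone.utc)
    if parse_ts(creds["Expiration"]) - current < MIN_LIFETIME:
        raise RuntimeError(f"session expires too soon: {creds['Expiration']}")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],  # temporary keys are useless without it
    }
```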
Proposal
TBD
Permissions and Security
TBD but can likely follow existing security controls
The temporary security credentials created by AssumeRole can be used to make API calls to any AWS service, with one exception: you cannot call the AWS STS GetFederationToken or GetSessionToken API operations.
Documentation
TBD
What does success look like, and how can we measure that?
TBD, possibly just measuring usage of the main feature.
Links / references
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html