Allow passing a roleArn and externalId when using ENV #163
rbclark wants to merge 2 commits into cloudgraphdev:alpha from
8546b6e to fb838b2
Thanks for the PR! Can you open this against our
fb838b2 to cd1ebb8
@m-pizarro please take a look at this one as well.
@rbclark sorry we took so long to take a look at this. I think this is ok to merge after the conflicts are resolved if you still need this functionality.
@tyler-dunkel I just had the chance to test it. It works well for me.
@tyler-dunkel I've gone ahead and rebased this so it should be ready to go. It turns out my use case ended up being slightly more complicated, so I have a patched version that I am running. The issue I ran into is that my scanner runs on ECS instead of EC2. In order to fetch the credentials I need, I've had to do the following. If you don't have objections, I could go ahead and put up a PR to support this use case as well?

```typescript
// Base credentials come from the ECS container metadata endpoint rather than EC2 instance metadata
const metadataCredentials = new AWS.ECSCredentials();
metadataCredentials.get(async (err: any) => {
  if (err) {
    this.logger.error('Failed to retrieve credentials from container metadata.');
    this.logger.debug(err);
    return rejectConfig(err);
  }
  const baseCredentials = {
    accessKeyId: metadataCredentials.accessKeyId,
    secretAccessKey: metadataCredentials.secretAccessKey,
    sessionToken: metadataCredentials.sessionToken,
  };
  // Exchange the task credentials for the cross-account role, attaching ExternalId only when configured
  const sts = new AWS.STS({ credentials: baseCredentials });
  const assumeRoleOptions = {
    RoleSessionName: 'CloudGraph',
    RoleArn: role,
    ...(externalId && { ExternalId: externalId }),
  };
  sts.assumeRole(assumeRoleOptions, (err, data) => {
    if (err) {
      this.logger.error(`Failed to assume role using ARN: ${role}`);
      this.logger.debug(err);
      return rejectConfig(err);
    }
    // the rest of the snippet was cut off in the original comment
  });
});
```
Changes/solution
I currently have a situation where I am using AWS built-in metadata to scan across multiple environments. In this situation I need to assume a cross-account role in order to scan the account. This small change allows this to happen.
Testing
I ran this locally both with and without the role assigned and received different results.
Dependencies
N/A
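As an added example (not code from this PR or from the cloudgraph project), the credential chain described in rbclark's comment and in the description above, written so it runs offline: base credentials from the container, then STS AssumeRole for the cross-account role, with ExternalId attached only when one is configured. It assumes the aws-sdk v2 callback shapes (`ECSCredentials#get(cb)`, `STS#assumeRole(params, cb)`, `data.Credentials.{AccessKeyId,SecretAccessKey,SessionToken}`); the STS client is injected so the same code works against a real `new AWS.STS({ credentials })` or the constructed fake below. The role ARN, ExternalId and credential strings are constructed sample values; `makeFakeSts` and `loadCrossAccountCredentials` are hypothetical names.

```javascript
// Added example, not the project's code. Assumes aws-sdk v2 callback APIs.
const ROLE_SESSION_NAME = 'CloudGraph';

// Build the AssumeRole request. ExternalId is attached only when set, so a role
// whose trust policy does not require one still works, and a role that does
// require one (the confused-deputy guard) receives it.
function buildAssumeRoleParams(roleArn, externalId, sessionName = ROLE_SESSION_NAME) {
  if (typeof roleArn !== 'string' || !/^arn:aws[a-z-]*:iam::\d{12}:role\//.test(roleArn)) {
    throw new Error(`Invalid role ARN: ${roleArn}`);
  }
  return {
    RoleSessionName: sessionName,
    RoleArn: roleArn,
    ...(externalId ? { ExternalId: externalId } : {}),
  };
}

// Map the STS response (PascalCase) onto the credential shape SDK clients accept (camelCase).
function credentialsFromAssumeRoleResponse(data) {
  const c = data && data.Credentials;
  if (!c || !c.AccessKeyId || !c.SecretAccessKey || !c.SessionToken) {
    throw new Error('AssumeRole response did not contain a full credential set');
  }
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    expiration: c.Expiration,
  };
}

// Promise wrapper around the callback-style STS client (injected so it can be faked).
function assumeCrossAccountRole(sts, roleArn, externalId) {
  const params = buildAssumeRoleParams(roleArn, externalId);
  return new Promise((resolve, reject) => {
    sts.assumeRole(params, (err, data) => {
      if (err) {
        return reject(new Error(`Failed to assume role using ARN: ${roleArn}: ${err.message}`));
      }
      try {
        resolve(credentialsFromAssumeRoleResponse(data));
      } catch (e) {
        reject(e);
      }
    });
  });
}

// Full chain for an ECS task: container metadata credentials -> STS -> role credentials.
// Hypothetical wiring; `AWS` is the aws-sdk v2 namespace passed in by the caller.
function loadCrossAccountCredentials(AWS, roleArn, externalId) {
  return new Promise((resolve, reject) => {
    const metadataCredentials = new AWS.ECSCredentials();
    metadataCredentials.get((err) => {
      if (err) return reject(new Error('Failed to retrieve credentials from container metadata.'));
      const sts = new AWS.STS({
        credentials: {
          accessKeyId: metadataCredentials.accessKeyId,
          secretAccessKey: metadataCredentials.secretAccessKey,
          sessionToken: metadataCredentials.sessionToken,
        },
      });
      assumeCrossAccountRole(sts, roleArn, externalId).then(resolve, reject);
    });
  });
}

// Constructed fake STS client for offline use. It behaves like a role whose trust
// policy has an sts:ExternalId condition: a call without the matching ExternalId
// gets the AccessDenied error a real AssumeRole returns in that situation.
function makeFakeSts(requiredExternalId) {
  return {
    calls: [],
    assumeRole(params, cb) {
      this.calls.push(params);
      if (requiredExternalId && params.ExternalId !== requiredExternalId) {
        return cb(new Error('AccessDenied: not authorized to perform sts:AssumeRole'));
      }
      cb(null, {
        Credentials: {
          AccessKeyId: 'ASIAEXAMPLE',          // constructed
          SecretAccessKey: 'constructed-secret', // constructed
          SessionToken: 'constructed-token',     // constructed
          Expiration: new Date(0),
        },
      });
    },
  };
}

module.exports = { buildAssumeRoleParams, credentialsFromAssumeRoleResponse, assumeCrossAccountRole, loadCrossAccountCredentials, makeFakeSts };
```

The fake client is the useful part for a defender reviewing this change: it lets the scanner's config path be exercised with and without an ExternalId, showing that a role protected by an `sts:ExternalId` trust condition refuses the call unless the configured value is sent, which is the behaviour the PR's optional ExternalId is meant to support.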