[Workflows-549] remove iam users #312
base: dev
Conversation
@danlu1 can you please explain in this PR's description why you have taken this approach to fixing the problem and why you think this will fix it?
@zaro0508 I would appreciate your insights on these changes (this PR along with its prior PR). Based on my preliminary research, the IAM role for Seqera, named As Seqera's instruction regarding creating IAM artifacts, I submitted this PR by adding a TowerRoleProfile and attaching the Even though the credential has been added, another error: Can you enlighten me on what could cause the issue? Also, can you share more on how you expect the
```python
data = {
    "credentials": {
        "name": self.stack_name,
        "provider": "aws",
        "keys": {
            "accessKey": credentials["aws_access_key_id"],
            # "accessKey": credentials["aws_access_key_id"],
```
I believe the key to setting this key is to look at line #544, `response = self.tower.request("POST", endpoint, params=params, json=data)`. That is using the Seqera Tower credentials API to "Creates new Tower credentials". According to the API docs, passing in an assumeRoleArn also requires accessKey and secretKey, therefore this will not work.
Yes, this is the confusing part I have. I remembered it worked when keeping the accessKey and secretKey. However, as my understanding based on this doc, the accessKey and secretKey should no longer be needed if implementing role-based authentication. Instead, the AWS role ARN is used after the IAM artifacts are created and new credentials are added in Seqera.
Unfortunately this deployment setup does not fit with the assume-role use case that's explained in the Seqera docs. This script, configure-tower-projects.py, is executed with a GitHub Action, which means it is running in a GitHub-supplied instance, NOT an AWS instance. Only AWS instances are set up to assume roles that give access to the Seqera app (and APIs).
Also, the doc you referenced says "AWS-based customers can configure Seqera Platform to authenticate to AWS services like Batch with an IAM Role instead of IAM user credentials", which means that setup allows Seqera to access AWS. However, this script is doing a POST request to Seqera, which means it needs access to Seqera. There is no way to allow a GitHub instance to assume a role to access Seqera unless Seqera allows setting up a trust relationship (via OIDC) between the two entities.
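An added example, not code from this PR or from Seqera, illustrating the two review points above: a pre-flight builder/validator for the Tower credentials body that refuses a payload carrying only a role ARN, and a redacted view of that body for logs. It assumes the payload layout from the snippet quoted earlier in the thread, assumes an `assumeRoleArn` key sits beside accessKey/secretKey as the reviewer describes, and encodes the reviewer's reading of the API docs that the ARN does not replace the access key pair. Function names, the ARN pattern and the sample values are my own.

```python
"""Added example (not the PR's or Seqera's code): build and check the JSON
body sent to the Tower credentials API, failing locally on a payload that
supplies assumeRoleArn without accessKey/secretKey.

Assumptions (not confirmed by the page): the key name "assumeRoleArn" and
its placement under "keys" alongside accessKey/secretKey.
"""
import copy
import json
import re
from typing import Dict, List, Optional

# IAM role ARN shape: arn:aws:iam::<12-digit account>:role/<path/name>.
# Pattern is an assumption written for this example, not taken from the page.
_ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

# Fields whose values must never reach a log line.
_SECRET_FIELDS = ("accessKey", "secretKey")


class CredentialsPayloadError(ValueError):
    """Raised when the payload would be rejected by the API or is unsafe."""


def build_aws_credentials_payload(
    name: str,
    access_key: Optional[str],
    secret_key: Optional[str],
    assume_role_arn: Optional[str] = None,
) -> Dict:
    """Return the body for POST /credentials (provider "aws").

    Per the reviewer's reading of the API docs, assumeRoleArn is an addition
    to the access key pair, not a substitute for it, so both keys are required
    whether or not an ARN is given.
    """
    if not name:
        raise CredentialsPayloadError("credentials.name must be non-empty")
    if not access_key or not secret_key:
        raise CredentialsPayloadError(
            "Tower AWS credentials require both accessKey and secretKey, "
            "even when assumeRoleArn is supplied"
        )
    keys: Dict[str, str] = {"accessKey": access_key, "secretKey": secret_key}
    if assume_role_arn is not None:
        if not _ROLE_ARN.match(assume_role_arn):
            raise CredentialsPayloadError(
                f"assumeRoleArn does not look like an IAM role ARN: {assume_role_arn!r}"
            )
        keys["assumeRoleArn"] = assume_role_arn
    return {"credentials": {"name": name, "provider": "aws", "keys": keys}}


def lint_keys(keys: Dict[str, str]) -> List[str]:
    """List problems in a pre-built "keys" dict (e.g. one read from config)."""
    problems = []
    for field in _SECRET_FIELDS:
        if not keys.get(field):
            problems.append(f"missing {field}")
    if "assumeRoleArn" in keys and not _ROLE_ARN.match(keys["assumeRoleArn"]):
        problems.append("assumeRoleArn is malformed")
    return problems


def redacted(payload: Dict) -> Dict:
    """Deep copy of the payload with secret material masked; the ARN is not
    secret and is kept so a log line still shows which role was requested."""
    safe = copy.deepcopy(payload)
    keys = safe["credentials"]["keys"]
    for field in _SECRET_FIELDS:
        if field in keys:
            keys[field] = "***"
    return safe


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    body = build_aws_credentials_payload(
        "example-dev-project",
        "AKIA_EXAMPLE_NOT_REAL",
        "example-secret-not-real",
        "arn:aws:iam::123456789012:role/ExampleTowerRole",
    )
    print(json.dumps(redacted(body), indent=2))
    print(lint_keys({"assumeRoleArn": "arn:aws:iam::123456789012:role/ExampleTowerRole"}))
```

Keeping the builder pure (no HTTP call) lets the GitHub Action validate its configuration before it talks to Tower, and the redacted view is what should go to the workflow log rather than `data` itself.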
Problem:
The AWS credentials can't be populated with an IAM role ARN, and the get_secret_value function does not work with an IAM role ARN. Ideally, after converting to using an IAM role, we no longer need to use access keys as the AWS credential of the Tower workspaces. Instead, we use the AWS ARN (see this instruction).
Solution:
Per Seqera's instructions, an instance profile should be created and attached to the IAM role. My understanding is that creating an InstanceProfile for the role would allow EC2 to receive the IAM role credential when it assumes the role.
Testing:
The credential can be saved in Tower right now, but another error: {'message': "Cannot determine region of bucket 'example-dev-project-tower-scratch'"} popped up when generating the computation environment. The errors lie in these lines