Add aws assume role plugin #15294
@chadmf thoughts on pulling in this credential plugin?
kicking CI
LGTM!
linting fixes
Signed-off-by: Derek <[email protected]>
Signed-off-by: Derek <[email protected]>
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]>
Signed-off-by: Derek <[email protected]>
28dc514 to 3f001d7
Now updated to pass unit tests properly, and adjusted for Sonarcloud scan. Sorry about the previous unit testing and linting failures, poor form on my part.
re kicked CI @derekwaters and no worries.
rebased and waiting for CI to finish. thanks for the contribution @derekwaters
Quality Gate passed
Also @derekwaters do note that this code will be affected by our new architecture work to move inv plugins and creds out of the AWX. A forum post can be found talking about it. I didn't want to get into a state of you doing all of this work here and then us cutting things and this not be there, thus forcing you to recontribute already "done" work. Either myself or @chrismeyersfsu in #15476 will cut over the work to the new repo (https://github.com/ansible/awx-plugins) and make sure that commit history and authorship is preserved.
Thanks @thedoubl3j I am aware of that move, I'm happy to rework if necessary in the new repo, but if this can go in before the refactor, then great.
@derekwaters the corresponding code for other things is already in the other repo. So here it'll only be a removal and wiring up the dependency. That repo, though, is still in progress of integrating the migrated code with the dev/test infra. You can make a PR already but it'll be a minute until the infra becomes able to accept it.
Any update on this? Still waiting for this feature!
SUMMARY
This change adds a new credential plugin that allows for the lookup of temporary AWS credentials using the AWS AssumeRole API. An AWS User Account may be configured either in the AssumeRole credential plugin (with an Access Key and Secret Key) or the default AWS API authentication may be used within the execution environment.
Prior to executing a job, the AWS AssumeRole API is called with the specified role name (ARN). If the authentication is successful, a temporary Access Key, Secret Key and Session Token are generated by AWS and used to populate a standard AWS Access Credential.
ISSUE TYPE
COMPONENT NAME
AWX VERSION
ADDITIONAL INFORMATION
AWS AssumeRole API information can be found here:
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html#output
Details of how this plugin works (from when it was implemented as a custom user-installed plugin) can be found here:
https://derekwaters.github.io/ansible/execution/environments/credentials/aws/sts/assume/role/2023/12/21/building-a-custom-credential-plugin.html
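The lookup flow described in the SUMMARY, as an added example that is not the code from this PR or from AWX: it validates the role ARN, uses explicit user keys or the default boto3 credential chain, calls AssumeRole, and rejects credentials that are already expired. The function names, the output field names (`access_key`, `secret_key`, `session_token`), the `awx-job` session name and the `FakeSTS` stand-in with its constructed values are assumptions made for illustration.

```python
import datetime
import re

# Shape of an IAM role ARN in the aws, aws-cn and aws-us-gov partitions.
ROLE_ARN_RE = re.compile(r"^arn:aws(-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def make_sts_client(access_key=None, secret_key=None):
    """Use the configured user keys if given, else boto3's default credential chain."""
    import boto3  # lazy import: only needed when talking to real AWS
    if access_key and secret_key:
        return boto3.client("sts", aws_access_key_id=access_key,
                            aws_secret_access_key=secret_key)
    return boto3.client("sts")


def assume_role_lookup(role_arn, session_name="awx-job", external_id=None,
                       access_key=None, secret_key=None, sts_client=None, now=None):
    """Call AssumeRole and return the three temporary values (field names assumed)."""
    if not ROLE_ARN_RE.match(role_arn or ""):
        raise ValueError("role_arn is not an IAM role ARN")
    if bool(access_key) != bool(secret_key):
        raise ValueError("access_key and secret_key must be set together")
    client = sts_client or make_sts_client(access_key, secret_key)
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id:
        kwargs["ExternalId"] = external_id
    creds = client.assume_role(**kwargs)["Credentials"]
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if creds["Expiration"] <= now:  # never hand a job credentials that are dead
        raise RuntimeError("STS returned credentials that are already expired")
    return {"access_key": creds["AccessKeyId"],
            "secret_key": creds["SecretAccessKey"],
            "session_token": creds["SessionToken"]}


class FakeSTS:
    """Constructed stand-in for the boto3 STS client so the example runs offline."""
    def __init__(self, expiration):
        self.expiration, self.calls = expiration, []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEYID0000",
                                "SecretAccessKey": "constructed-secret",
                                "SessionToken": "constructed-token",
                                "Expiration": self.expiration}}
```

Passing `sts_client` lets the mapping and expiry check be unit-tested without AWS access; omit it to have `make_sts_client` build a real boto3 client.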