Add aws assume role plugin #15294
Add aws assume role plugin #15294
Conversation
|
@chadmf thoughts on pulling in this credential plugin? |
|
kicking CI |
|
LGTM! |
github-actions
bot
added
component:awx_collection
Signed-off-by: Derek <[email protected]>
Signed-off-by: Derek <[email protected]>
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]>
Signed-off-by: Derek <[email protected]>
derekwaters
force-pushed
the
add_aws_assume_role_plugin
branch
from
28dc514
to
3f001d7
Compare
|
Now updated to pass unit tests properly, and adjusted for Sonarcloud scan. Sorry about the previous unit testing and linting failures, poor form on my part. |
|
re kicked CI @derekwaters and no worries. |
There was a problem hiding this comment.
rebased and waiting for CI to finish. thanks for the contribution @derekwaters
|
|
Also @derekwaters do note that this code will be affected by our new architecture work to move inv plugins and creds out of the AWX. A forum post can be found talking about it. I didn't want to get into a state of you doing all of this work here and then us cutting things and this not be there, thus forcing you to recontribute already "done" work. Either myself or @chrismeyersfsu in #15476 will cut over the work to the new repo (https://github.com/ansible/awx-plugins) and make sure that commit history and authorship is preserved. |
|
Thanks @thedoubl3j I am aware of that move, I'm happy to rework if necessary in the new repo, but if this can go in before the refactor, then great. |
|
@derekwaters the corresponding code for other things is already in the other repo. So here it'll only be a removal and wiring up the dependency. That repo, though, is still in progress of integrating the migrated code with the dev/test infra. You can make a PR already but it'll be a minute until the infra becomes able to accept it. |
|
any update on this? still waiting for this feature.! |
SUMMARY
This change adds a new credential plugin that allows for the lookup of temporary AWS credentials using the AWS AssumeRole API. An AWS User Account may be configured either in the AssumeRole credential plugin (with an Access Key and Secret Key) or the default AWS API authentication may be used within the execution environment.
Prior to execution a job, the AWS AssumeRole API is called with the specified role name (ARN). If the authentication is successful, a temporary Access Key, Secret Key and Session Token are generated by AWS and used to populate a standard AWS Access Credential.
ISSUE TYPE
COMPONENT NAME
AWX VERSION
ADDITIONAL INFORMATION
AWS AssumeRole API information can be found here:
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html#output
Details of how this plugin works (from when it was implemented as a custom user-installed plugin) can be found here:
https://derekwaters.github.io/ansible/execution/environments/credentials/aws/sts/assume/role/2023/12/21/building-a-custom-credential-plugin.html