Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Roles are not supported #54

Open
ghost opened this issue Feb 23, 2018 · 4 comments
Open

Roles are not supported #54

ghost opened this issue Feb 23, 2018 · 4 comments
Assignees

Comments

@ghost
Copy link

ghost commented Feb 23, 2018

The way the client is being instantiated, the role_arn is being ignored from the config/credentials file. According to a comment in issue 1256 of the aws-ruby-sdk, it appears the recommended way of instantiating a client is to pass the options in as a hash and let the SDK work out the security configuration.

For example:

  client_cfg = {}
  client_cfg[:region] = s3_region if s3_region
  client_cfg[:endpoint] = s3_endpoint if s3_endpoint
  client_cfg[:profile] = s3_profile if s3_profile
  client_cfg[:credentials] = Aws::Credentials.new(s3_access_key, s3_secret_access_key) if s3_access_key && s3_secret_access_key

        s3_client = Aws::S3::Client.new(client_cfg)

Here is a sample ~/.aws/credential

aws_access_key_id=XXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXXXXXXXXX

[pitdevops]
role_arn=arn:aws:iam::000000000000:role/RoleName
source_profile=default

I will create a PR

@ghost
Copy link
Author

ghost commented Apr 28, 2020

@joshdholtz, is this issue resolved by PR #86? I will try to test myself, but don't have an environment setup at the moment.

I have doubts as I thought Instance profiles were for EC2. If my understanding is correct, then shouldn't PR #86 have introduced a boolean flag to indicate whether to use InstanceProfile or not. If false and no other s3_* flags are set then the credentials would be resolved from the environment, which is what I am proposing in this ticket / PR #55

@joshdholtz
Copy link
Member

@timothy-volvo I’ll take a deeper look today! I thought it did but I will make sure.

@joshdholtz joshdholtz self-assigned this Apr 28, 2020
@mrosales
Copy link

#86 still won't resolve this. As an example, using STS credentials, you must pass AWS_ACCESS_KEY_ID, AWS_ACCESS_SECRET_KEY and AWS_SESSION_TOKEN. After this PR, roles assumed by STS will still not work because specifying the first two as parameters will result in incomplete credentials and omitting them results in using InstanceProfileCredentials rather than the default chain.

AWS uses some non-trivial logic to initialize a session, so unless this plugin is doing something special or custom to initialize the session, I would strongly suggest using the default credential provider chain as the default if you don't specify explicit credentials instead of using AWS:: InstanceProfileCredentials

Here's the source to what the credential chain tries to do:

It includes:

  • static_credentials
  • static_profile_assume_role_web_identity_credentials
  • static_profile_assume_role_credentials
  • static_profile_credentials
  • static_profile_process_credentials
  • env_credentials
  • assume_role_web_identity_credentials
  • assume_role_credentials
  • shared_credentials
  • process_credentials
  • instance_profile_credentials

@joohae-kim
Copy link
Contributor

joohae-kim commented Sep 21, 2021

I wonder if we can simply add a option variable for AWS_SESSION_TOKEN to use STS credentials
I can use session token with AWS_PROFILE options, but I have to update .aws/credential file almost every release
hence, I wish I can use the AWS_SESSION_TOKEN environmental variable

I touched up the code a little and it looks working fine for my case:
the Aws::Credentials.new() allows the session token for the third parameter, and the value is null by default

diff --git a/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb b/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
index 4a33e54..7f4f434 100644
--- a/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
+++ b/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
@@ -32,6 +32,7 @@ module Fastlane
         params[:release_notes] = config[:release_notes]
         params[:access_key] = config[:access_key]
         params[:secret_access_key] = config[:secret_access_key]
+        params[:aws_session_token] = config[:aws_session_token]
         params[:aws_profile] = config[:aws_profile]
         params[:bucket] = config[:bucket]
         params[:endpoint] = config[:endpoint]
@@ -65,6 +66,7 @@ module Fastlane
         s3_region = params[:region]
         s3_access_key = params[:access_key]
         s3_secret_access_key = params[:secret_access_key]
+        s3_session_token = params[:aws_session_token]
         s3_profile = params[:aws_profile]
         s3_bucket = params[:bucket]
         s3_endpoint = params[:endpoint]
@@ -89,7 +91,7 @@ module Fastlane
         client_cfg[:region] = s3_region if s3_region
         client_cfg[:endpoint] = s3_endpoint if s3_endpoint
         client_cfg[:profile] = s3_profile if s3_profile
-        client_cfg[:credentials] = Aws::Credentials.new(s3_access_key, s3_secret_access_key) if s3_access_key && s3_secret_access_key
+        client_cfg[:credentials] = Aws::Credentials.new(s3_access_key, s3_secret_access_key, s3_session_token) if s3_access_key && s3_secret_access_key

         s3_client = Aws::S3::Client.new(client_cfg)

@@ -736,6 +738,11 @@ module Fastlane
                                        description: "AWS Secret Access Key ",
                                        optional: true,
                                        default_value: ENV['AWS_SECRET_ACCESS_KEY']),
+          FastlaneCore::ConfigItem.new(key: :aws_session_token,
+                                       env_name: "S3_SESSION_TOKEN",
+                                       description: "AWS Session TOKEN ",
+                                       optional: true,
+                                       default_value: ENV['AWS_SESSION_TOKEN']),
           FastlaneCore::ConfigItem.new(key: :aws_profile,
                                        env_name: "S3_PROFILE",
                                        description: "AWS profile to use for credentials",

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants