ResiLien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

provider/aws: Add support for policy to AWS provider assume_role (#11501) 

Fixes: #11461

This will allow the user to pass a policy to further restrict the use
of AssumeRole. It is important to note that it will NOT allow an
expansion of access rights
This commit is contained in:
Paul Stack 2017-01-29 20:32:24 +00:00 committed by GitHub
parent c01680b7a9
commit 4ebd207803
4 changed files with 29 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
builtin/providers/aws/auth_helpers.go
View File

@ -146,8 +146,8 @@ func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
// Otherwise we need to construct and STS client with the main credentials, and verify // Otherwise we need to construct and STS client with the main credentials, and verify
// that we can assume the defined role. // that we can assume the defined role.
log.Printf("[INFO] Attempting to AssumeRole %s (SessionName: %q, ExternalId: %q)", log.Printf("[INFO] Attempting to AssumeRole %s (SessionName: %q, ExternalId: %q, Policy: %q)",
c.AssumeRoleARN, c.AssumeRoleSessionName, c.AssumeRoleExternalID) c.AssumeRoleARN, c.AssumeRoleSessionName, c.AssumeRoleExternalID, c.AssumeRolePolicy)
creds := awsCredentials.NewChainCredentials(providers) creds := awsCredentials.NewChainCredentials(providers)
cp, err := creds.Get() cp, err := creds.Get()
@ -182,6 +182,9 @@ func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
if c.AssumeRoleExternalID != "" { if c.AssumeRoleExternalID != "" {
assumeRoleProvider.ExternalID = aws.String(c.AssumeRoleExternalID) assumeRoleProvider.ExternalID = aws.String(c.AssumeRoleExternalID)
} }
if c.AssumeRolePolicy != "" {
assumeRoleProvider.Policy = aws.String(c.AssumeRolePolicy)
}
providers = []awsCredentials.Provider{assumeRoleProvider} providers = []awsCredentials.Provider{assumeRoleProvider}

1
builtin/providers/aws/config.go
View File

@ -79,6 +79,7 @@ type Config struct {
AssumeRoleARN string AssumeRoleARN string
AssumeRoleExternalID string AssumeRoleExternalID string
AssumeRoleSessionName string AssumeRoleSessionName string
AssumeRolePolicy string
AllowedAccountIds []interface{} AllowedAccountIds []interface{}
ForbiddenAccountIds []interface{} ForbiddenAccountIds []interface{}

20
builtin/providers/aws/provider.go
View File

@ -471,6 +471,10 @@ func init() {
"assume_role_external_id": "The external ID to use when assuming the role. If omitted," + "assume_role_external_id": "The external ID to use when assuming the role. If omitted," +
" no external ID is passed to the AssumeRole call.", " no external ID is passed to the AssumeRole call.",
"assume_role_policy": "The permissions applied when assuming a role. You cannot use," +
" this policy to grant further permissions that are in excess to those of the, " +
" role that is being assumed.",
} }
} }
@ -499,8 +503,13 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
config.AssumeRoleARN = assumeRole["role_arn"].(string) config.AssumeRoleARN = assumeRole["role_arn"].(string)
config.AssumeRoleSessionName = assumeRole["session_name"].(string) config.AssumeRoleSessionName = assumeRole["session_name"].(string)
config.AssumeRoleExternalID = assumeRole["external_id"].(string) config.AssumeRoleExternalID = assumeRole["external_id"].(string)
log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q, ExternalID: %q)",
config.AssumeRoleARN, config.AssumeRoleSessionName, config.AssumeRoleExternalID) if v := assumeRole["policy"].(string); v != "" {
config.AssumeRolePolicy = v
}
log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q, ExternalID: %q, Policy: %q)",
config.AssumeRoleARN, config.AssumeRoleSessionName, config.AssumeRoleExternalID, config.AssumeRolePolicy)
} else { } else {
log.Printf("[INFO] No assume_role block read from configuration") log.Printf("[INFO] No assume_role block read from configuration")
} }
@ -553,6 +562,12 @@ func assumeRoleSchema() *schema.Schema {
Optional: true, Optional: true,
Description: descriptions["assume_role_external_id"], Description: descriptions["assume_role_external_id"],
}, },
"policy": {
Type: schema.TypeString,
Optional: true,
Description: descriptions["assume_role_policy"],
},
}, },
}, },
Set: assumeRoleToHash, Set: assumeRoleToHash,
@ -565,6 +580,7 @@ func assumeRoleToHash(v interface{}) int {
buf.WriteString(fmt.Sprintf("%s-", m["role_arn"].(string))) buf.WriteString(fmt.Sprintf("%s-", m["role_arn"].(string)))
buf.WriteString(fmt.Sprintf("%s-", m["session_name"].(string))) buf.WriteString(fmt.Sprintf("%s-", m["session_name"].(string)))
buf.WriteString(fmt.Sprintf("%s-", m["external_id"].(string))) buf.WriteString(fmt.Sprintf("%s-", m["external_id"].(string)))
buf.WriteString(fmt.Sprintf("%s-", m["policy"].(string)))
return hashcode.String(buf.String()) return hashcode.String(buf.String())
} }

5
website/source/docs/providers/aws/index.html.markdown
View File

@ -231,6 +231,11 @@ The nested `assume_role` block supports the following:
* `external_id` - (Optional) The external ID to use when making the * `external_id` - (Optional) The external ID to use when making the
AssumeRole call. AssumeRole call.
* `policy` - (Optional) A more restrictive policy to apply to the temporary credentials.
This gives you a way to further restrict the permissions for the resulting temporary
security credentials. You cannot use the passed policy to grant permissions that are
in excess of those allowed by the access policy of the role that is being assumed.
Nested `endpoints` block supports the following: Nested `endpoints` block supports the following:
* `iam` - (Optional) Use this to override the default endpoint * `iam` - (Optional) Use this to override the default endpoint