Specify --role-arn multiple times for cross-account functionality #63
Suppose you have multiple accounts with AWS Organizations deployed. You might have a Security OU with a Security account, and you might have many workload accounts. Suppose you also have various on-prem hosts that need to assume roles in the workload accounts.
Ideal scenario
In the ideal scenario, there is 1 AWS account, managed by the information security team, that contains the trust anchor(s) and Roles Anywhere profiles.
Why you couldn't have the ideal scenario
The signing tool and/or IAM/STS in general do not allow cross-account pass role. So you can not create a Roles Anywhere profile for a role ARN in another account, nor can you pass a `--profile-arn` and `--role-arn` to the `aws_signing_helper` if those two ARNs are in different AWS accounts, as this will result in a `cross-account pass role is not allowed` error.

Not ideal scenario, but it works
Because the ideal scenario couldn't be had, the trust anchor and profiles have to exist in each workload account. This is cumbersome for a security team to maintain at scale.
What this pull request does
Perhaps it is easier to explain with code examples.
before

You can only use the `aws_signing_helper` to get credentials for one role ARN.

after

You can specify `--role-arn` over and over again. The first `--role-arn` is used to retrieve credentials from Roles Anywhere. Subsequent `--role-arn` arguments pass those credentials to `sts:AssumeRole` to assume the next role.

bigger example

You can specify `--role-arn` over and over again, and you can override the default `sts:AssumeRole` role-session-name of `my-session`.
Summary

- `--role-arn` one time, then the credential helper works as it always did
- `--role-arn` more than once, then the credential helper works as it always did for the first `--role-arn`, then it does `sts:AssumeRole` for the subsequent `--role-arn` arguments
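The chaining rule summarised above, as an added Go illustration that is not the credential helper's own code: the `Credentials` and `AssumeFunc` types, the `sameAccount` check (derived from the "cross-account pass role is not allowed" error the PR describes) and the constructed stand-in for STS in `main` are all assumptions made here so the logic runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Credentials is the minimal credential set handed from one hop to the next.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }

// AssumeFunc performs one sts:AssumeRole call; injected so this runs without AWS.
type AssumeFunc func(with Credentials, roleArn, sessionName string) (Credentials, error)

// sameAccount reports whether two ARNs (arn:partition:service:region:account:resource) share an account ID.
func sameAccount(a, b string) (bool, error) {
	pa, pb := strings.SplitN(a, ":", 6), strings.SplitN(b, ":", 6)
	if len(pa) != 6 || len(pb) != 6 || pa[4] == "" || pb[4] == "" {
		return false, fmt.Errorf("malformed ARN in %q / %q", a, b)
	}
	return pa[4] == pb[4], nil
}

// ChainRoles follows the PR's rule: roleArns[0] is the role Roles Anywhere vends
// credentials for (same account as the profile, or STS rejects the pass-role);
// every later --role-arn is assumed with the previous hop's credentials.
func ChainRoles(profileArn string, roleArns []string, sessionName string,
	fromRolesAnywhere Credentials, assume AssumeFunc) (Credentials, error) {
	if len(roleArns) == 0 {
		return Credentials{}, fmt.Errorf("at least one --role-arn is required")
	}
	ok, err := sameAccount(profileArn, roleArns[0])
	if err != nil {
		return Credentials{}, err
	}
	if !ok {
		return Credentials{}, fmt.Errorf("cross-account pass role is not allowed: %s vs %s", profileArn, roleArns[0])
	}
	creds := fromRolesAnywhere
	for _, next := range roleArns[1:] {
		if creds, err = assume(creds, next, sessionName); err != nil {
			return Credentials{}, fmt.Errorf("assuming %s: %w", next, err)
		}
	}
	return creds, nil
}
func main() { // stand-alone smoke run against a constructed stand-in for STS
	fake := func(_ Credentials, arn, _ string) (Credentials, error) { return Credentials{AccessKeyID: "key-for-" + arn}, nil }
	fmt.Println(ChainRoles("arn:aws:rolesanywhere:us-east-1:111111111111:profile/p1",
		[]string{"arn:aws:iam::111111111111:role/A", "arn:aws:iam::222222222222:role/B"}, "my-session", Credentials{AccessKeyID: "ra"}, fake))
}
```

With a single `--role-arn` no `AssumeRole` call is made and the Roles Anywhere credentials are returned unchanged, which is the "works as it always did" case from the summary.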