STS AssumeRole Session Tags implementation #685

Merged
merged 3 commits into from
Mar 18, 2021

Contributor

@stanvit stanvit commented Nov 4, 2020

This PR is trying to resolve #684 and implements a way to set Session Tags and Transitive Session Tags when the AssumeRole() provider is used.

  • Two new profile configuration parameters are introduced: session_tags and transitive_session_tags
  • Two new environment variables are introduced: AWS_SESSION_TAGS and AWS_TRANSITIVE_TAGS

It is possible to configure each profile in the chain individually, as well as the target profile with environment variables.
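
An added example, not code from this pull request or from the project: one way to parse the two new settings strictly, so that a malformed entry fails loudly instead of changing the tags sent with AssumeRole. The `key=value,key=value` form for `session_tags`, the function names and the sample values are assumptions; the numeric limits are the documented STS ones, and callers are expected to skip unset (empty) settings.

```go
package main

import (
	"fmt"
	"strings"
)

const maxTags, maxKeyLen, maxValueLen = 50, 128, 256 // documented STS limits

// parseSessionTags parses "k1=v1,k2=v2" (format assumed here) into a map.
// Malformed, empty, duplicate or oversized entries are errors, never skipped.
func parseSessionTags(s string) (map[string]string, error) {
	tags := map[string]string{}
	for _, item := range strings.Split(s, ",") {
		kv := strings.SplitN(item, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("session tag %q is not key=value", item)
		}
		key, value := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		if _, dup := tags[key]; dup || key == "" || len(key) > maxKeyLen || len(value) > maxValueLen {
			return nil, fmt.Errorf("session tag %q is empty, duplicate or oversized", item)
		}
		tags[key] = value
	}
	if len(tags) > maxTags {
		return nil, fmt.Errorf("%d session tags exceed the STS limit of %d", len(tags), maxTags)
	}
	return tags, nil
}

// parseTransitiveKeys parses "k1,k2"; a trailing or doubled comma is an error.
func parseTransitiveKeys(s string) ([]string, error) {
	keys, seen := []string{}, map[string]bool{}
	for _, item := range strings.Split(s, ",") {
		key := strings.TrimSpace(item)
		if key == "" || len(key) > maxKeyLen || seen[key] {
			return nil, fmt.Errorf("invalid transitive tag key %q", item)
		}
		seen[key] = true
		keys = append(keys, key)
	}
	return keys, nil
}

func main() {
	// Constructed sample input, not taken from the pull request.
	fmt.Println(parseSessionTags("team=payments, env=prod"))
	fmt.Println(parseTransitiveKeys("team,"))
}
```

Lengths are counted in bytes here, which is stricter than the STS character limits for non-ASCII keys and values.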

vault/config.go Outdated
if transitiveSessionTags := psection.TransitiveSessionTags; transitiveSessionTags != "" && len(config.TransitiveSessionTags) == 0 {
for _, tag := range strings.Split(transitiveSessionTags, ",") {
config.TransitiveSessionTags = append(config.TransitiveSessionTags, strings.TrimSpace(tag))
}
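Review bot: the loop over `strings.Split(transitiveSessionTags, ",")` appends every item after `strings.TrimSpace(tag)` without checking it, so a trailing or doubled comma in `transitive_session_tags` puts an empty key into `config.TransitiveSessionTags`. Skip or reject items that are empty after trimming, and consider rejecting duplicate keys in the same place, so the list handed to AssumeRole contains only the keys the user actually wrote.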
Member

Could you split this logic out into its own function?

Contributor Author

Please check the latest change: I created a couple of setters for vault.Config that parse a string into the corresponding map and slice.

I'm not 100% confident that it's the best approach - it's "economical", but kind of moves parsing away from vault.ProfileSection to vault.Config. Please tell me your thoughts on that.

profile.TransitiveSessionTags = append(profile.TransitiveSessionTags, strings.TrimSpace(tag))
}
log.Printf("Using transitive_session_tags %v from AWS_TRANSITIVE_TAGS", profile.TransitiveSessionTags)
}
Member

probably shares some logic with this?

@christophetd
Contributor

@stanvit Thanks a lot for the PR, this is definitely needed, looking forward to seeing this merged 🎉

@stanvit stanvit requested a review from mtibben November 30, 2020 09:13
@dmccaffery

@mtibben : anything required to get this PR merged -- I am happy to chip in with any updates.

@mtibben mtibben merged commit 4270224 into 99designs:master Mar 18, 2021

Successfully merging this pull request may close these issues.

Feature: add support for STS Session Tags when assuming roles