Allow passing a roleArn and externalId when using ENV #163
base: alpha
Conversation
8546b6e to fb838b2
Thanks for the PR! Can you open this against our
fb838b2 to cd1ebb8
@m-pizarro please take a look at this one as well.

@rbclark sorry we took so long to take a look at this. I think this is ok to merge after the conflicts are resolved if you still need this functionality.

@tyler-dunkel I just had the chance to test it. It works well for me.
@tyler-dunkel I've gone ahead and rebased this so it should be ready to go. It turns out my use case ended up being slightly more complicated so I have a patched version that I am running. The issue I ran into is that my scanner runs on ECS instead of EC2. In order to fetch the credentials I need I've had to do the following. If you don't have objections I could go ahead and put up a PR to support this use case as well?

```ts
// Fetch the task's credentials from the ECS container metadata endpoint
// instead of the EC2 instance metadata service.
const metadataCredentials = new AWS.ECSCredentials();
metadataCredentials.get(async (err: any) => {
  if (err) {
    this.logger.error('Failed to retrieve credentials from container metadata.');
    this.logger.debug(err);
    return rejectConfig(err);
  }
  const baseCredentials = {
    accessKeyId: metadataCredentials.accessKeyId,
    secretAccessKey: metadataCredentials.secretAccessKey,
    sessionToken: metadataCredentials.sessionToken,
  };
  // Use the task credentials only to assume the cross-account role.
  const sts = new AWS.STS({ credentials: baseCredentials });
  const assumeRoleOptions = {
    RoleSessionName: 'CloudGraph',
    RoleArn: role,
    // Only send ExternalId when one was configured.
    ...(externalId && { ExternalId: externalId }),
  };
  sts.assumeRole(assumeRoleOptions, (err, data) => {
    if (err) {
      this.logger.error(`Failed to assume role using ARN: ${role}`);
      this.logger.debug(err);
      return rejectConfig(err);
    }
    // (the rest of the handler, which consumes data.Credentials, was not
    // included in the posted snippet)
  });
});
```
Changes/solution
I currently have a situation where I am using AWS built-in metadata to scan across multiple environments. In this situation I need to assume a cross-account role in order to scan the account. This small change allows this to happen.
Testing
I ran this locally both with and without the role assigned and received different results.
Dependencies
N/A
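The role-assumption step described in the PR description and in the ECS snippet above, as an added example that is not part of the project or of any comment here: it reads the role ARN and ExternalId from environment variables, validates them against the STS limits before sending anything, and wraps the callback-style `assumeRole` in a promise. The variable names `CG_ROLE_ARN` / `CG_EXTERNAL_ID` and the `fakeSts` client are assumptions made so the code runs offline.

```javascript
// Added example (not the project's code). Env var names are hypothetical.
const ROLE_ARN_RE = /^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/;
// STS AssumeRole limits: ExternalId 2..1224 chars, RoleSessionName 2..64 chars.
const EXTERNAL_ID_RE = /^[\w+=,.@:\/-]{2,1224}$/;
const SESSION_NAME_RE = /^[\w+=,.@-]{2,64}$/;

// Build the AssumeRole request from the environment, or return null when no
// role is requested (caller then keeps using its base credentials).
function buildAssumeRoleParams(env, sessionName = 'CloudGraph') {
  const role = env.CG_ROLE_ARN;
  const externalId = env.CG_EXTERNAL_ID;
  if (!role) return null;
  if (!ROLE_ARN_RE.test(role)) throw new Error(`invalid role ARN: ${role}`);
  if (!SESSION_NAME_RE.test(sessionName)) throw new Error('invalid session name');
  const params = { RoleArn: role, RoleSessionName: sessionName };
  // Attach ExternalId only when supplied; a malformed value is rejected rather
  // than silently dropped, because the trust policy may require it.
  if (externalId !== undefined) {
    if (!EXTERNAL_ID_RE.test(externalId)) throw new Error('invalid ExternalId');
    params.ExternalId = externalId;
  }
  return params;
}

// Promise wrapper around the callback-style sts.assumeRole(params, cb) shape
// used in the thread; resolves to credentials in the SDK's camelCase form.
function assumeRole(sts, params) {
  return new Promise((resolve, reject) => {
    sts.assumeRole(params, (err, data) => {
      if (err) return reject(err);
      const c = data.Credentials;
      resolve({ accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey,
                sessionToken: c.SessionToken, expiration: c.Expiration });
    });
  });
}

// Constructed stand-in for AWS.STS: mimics a trust policy that demands a
// specific ExternalId, so the mismatch path can be exercised offline.
function fakeSts(requiredExternalId) {
  return {
    assumeRole(params, cb) {
      if (requiredExternalId && params.ExternalId !== requiredExternalId) {
        return cb(new Error('AccessDenied: external id mismatch'));
      }
      cb(null, { Credentials: { AccessKeyId: 'ASIAEXAMPLE', SecretAccessKey: 'x',
                                SessionToken: 't', Expiration: new Date(0) } });
    },
  };
}
```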