
Allow passing a roleArn and externalId when using ENV #163

Open · wants to merge 2 commits into base: alpha

Conversation


@rbclark rbclark commented Sep 25, 2023

Changes/solution

I currently have a situation where I am using AWS built-in metadata to scan across multiple environments. In this situation I need to assume a cross-account role in order to scan the account. This small change allows this to happen.

Testing

I ran this locally both with and without the role assigned and received different results.

Dependencies

N/A

@rbclark rbclark force-pushed the add-assume-role-to-env branch from 8546b6e to fb838b2 Compare September 25, 2023 20:23
@tyler-dunkel (Contributor)

Thanks for the PR! Can you open this against our alpha branch so it can go through our release process?

@rbclark rbclark changed the base branch from main to alpha September 25, 2023 20:33
@rbclark rbclark force-pushed the add-assume-role-to-env branch from fb838b2 to cd1ebb8 Compare September 26, 2023 14:04
@tyler-dunkel (Contributor)

@m-pizarro please take a look at this one as well.

@tyler-dunkel (Contributor)

@rbclark sorry we took so long to take a look at this. I think this is ok to merge after the conflicts are resolved if you still need this functionality.

@m-pizarro (Contributor)

> @rbclark sorry we took so long to take a look at this. I think this is ok to merge after the conflicts are resolved if you still need this functionality.

@tyler-dunkel I just had the chance to test it. It works well for me.

@rbclark (Author) commented Nov 27, 2023

@tyler-dunkel I've gone ahead and rebased this so it should be ready to go.

It turns out my use case ended up being slightly more complicated so I have a patched version that I am running. The issue I ran into is that my scanner runs on ECS instead of EC2. In order to fetch the credentials I need I've had to do the following. If you don't have objections I could go ahead and put up a PR to support this use case as well?

```ts
// Excerpt from a larger config-loading function: `role`, `externalId`,
// `rejectConfig` and `this.logger` are defined by the surrounding code.
const metadataCredentials = new AWS.ECSCredentials();

metadataCredentials.get(async (err: any) => {
  if (err) {
    this.logger.error('Failed to retrieve credentials from container metadata.');
    this.logger.debug(err);
    return rejectConfig(err);
  }

  // Task-role credentials served by the ECS container metadata endpoint.
  const baseCredentials = {
    accessKeyId: metadataCredentials.accessKeyId,
    secretAccessKey: metadataCredentials.secretAccessKey,
    sessionToken: metadataCredentials.sessionToken,
  };

  const sts = new AWS.STS({ credentials: baseCredentials });
  const assumeRoleOptions = {
    RoleSessionName: 'CloudGraph',
    RoleArn: role,
    // ExternalId is only sent when one is configured.
    ...(externalId && { ExternalId: externalId }),
  };

  sts.assumeRole(assumeRoleOptions, (err, data) => {
    if (err) {
      this.logger.error(`Failed to assume role using ARN: ${role}`);
      this.logger.debug(err);
      return rejectConfig(err);
    }
    // The excerpt in the comment ends here; the success path hands
    // data.Credentials to the scanner.
  });
});
```
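The flow discussed in this thread, written out as an added example that is not CloudGraph's code and not from the PR author: base credentials come from the instance or container metadata endpoint, STS exchanges them for temporary credentials of the cross-account scan role, and `ExternalId` is included in the request only when one is configured (the value the target role's trust policy can require so that a third-party scanner cannot be tricked into assuming the role on someone else's behalf). The names `buildAssumeRoleParams`, `assumeScanRole`, `fakeSts`, `fetchMetadataCredentials` and the role ARN are assumptions; the STS client is injected behind a small interface so the code runs offline, where in production it would wrap `new AWS.STS({ credentials }).assumeRole(params).promise()` from aws-sdk v2.

```typescript
// Added example (not CloudGraph's code): assume a cross-account scan role from
// base credentials obtained from instance/container metadata, sending an
// ExternalId only when one is configured. All names and values are constructed.

interface AwsCredentials {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken?: string;
  expiration?: Date;
}

interface AssumeRoleParams {
  RoleArn: string;
  RoleSessionName: string;
  ExternalId?: string;
}

interface AssumeRoleResponse {
  Credentials?: {
    AccessKeyId: string;
    SecretAccessKey: string;
    SessionToken: string;
    Expiration: Date;
  };
}

// Minimal stand-in for the aws-sdk v2 STS client (assumed interface).
interface StsLike {
  assumeRole(params: AssumeRoleParams): Promise<AssumeRoleResponse>;
}

// Build the AssumeRole request; ExternalId is present only when configured,
// which is what the `...(externalId && { ExternalId })` spread in the PR does.
function buildAssumeRoleParams(
  roleArn: string,
  externalId?: string,
  sessionName = 'CloudGraph',
): AssumeRoleParams {
  // Reject obviously malformed role ARNs before any network call.
  if (!/^arn:aws[a-z-]*:iam::\d{12}:role\/.+$/.test(roleArn)) {
    throw new Error(`Invalid IAM role ARN: ${roleArn}`);
  }
  return {
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    ...(externalId ? { ExternalId: externalId } : {}),
  };
}

// Fetch base credentials, then exchange them for temporary role credentials.
// Only the assumed-role credentials are returned; the scanner does not need to
// keep the base credentials once the exchange has succeeded.
async function assumeScanRole(
  fetchBaseCredentials: () => Promise<AwsCredentials>,
  makeSts: (creds: AwsCredentials) => StsLike,
  roleArn: string,
  externalId?: string,
): Promise<AwsCredentials> {
  const base = await fetchBaseCredentials();
  const sts = makeSts(base);
  const response = await sts.assumeRole(buildAssumeRoleParams(roleArn, externalId));
  const c = response.Credentials;
  if (!c) {
    throw new Error(`AssumeRole returned no credentials for ${roleArn}`);
  }
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    expiration: c.Expiration,
  };
}

// Constructed STS stand-in: models a role whose trust policy requires a
// specific ExternalId and fails the call on a mismatch, as STS does.
function fakeSts(requiredExternalId?: string): StsLike {
  return {
    async assumeRole(params: AssumeRoleParams): Promise<AssumeRoleResponse> {
      if (requiredExternalId !== undefined && params.ExternalId !== requiredExternalId) {
        throw new Error('AccessDenied: ExternalId does not match the role trust policy');
      }
      return {
        Credentials: {
          AccessKeyId: 'ASIAEXAMPLEKEY', // constructed value
          SecretAccessKey: 'example-secret', // constructed value
          SessionToken: `session-for-${params.RoleArn}`,
          Expiration: new Date(Date.now() + 60 * 60 * 1000),
        },
      };
    },
  };
}

// Constructed base credentials standing in for AWS.ECSCredentials / EC2 metadata.
const fetchMetadataCredentials = async (): Promise<AwsCredentials> => ({
  accessKeyId: 'ASIABASEEXAMPLE',
  secretAccessKey: 'base-secret',
  sessionToken: 'base-session',
});

const SCAN_ROLE_ARN = 'arn:aws:iam::123456789012:role/CloudGraphScanner'; // constructed

assumeScanRole(fetchMetadataCredentials, () => fakeSts('cg-ext-id'), SCAN_ROLE_ARN, 'cg-ext-id')
  .then((creds) => console.log('assumed-role session token:', creds.sessionToken))
  .catch((err) => console.error(String(err)));
```

Two points the example makes that the excerpt above cannot: the request omits the `ExternalId` key entirely when none is configured (rather than sending an empty string, which STS would compare against the trust policy and reject), and a role whose trust policy requires an ExternalId fails the exchange when the scanner is run without one, which is the check that protects the target account.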

3 participants