[request]: Get temporary cloud credentials locally through Conveyor #69

Open
din14970 opened this issue Oct 13, 2023 · 0 comments
Labels
proposed Community submitted issue

Comments

din14970 commented Oct 13, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
It would be nice if the conveyor CLI could be used to request temporary access credentials to access cloud resources locally.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We want to store data on an AWS S3 data lake. For the moment, Conveyor will only be used for a subset of compute jobs. Therefore, we need to be able to access the data lake on other systems, e.g. locally or on-prem compute clusters.

For access control on the data lake, we would like to implement something PBAC-like, i.e. users request credentials for a role that maps onto a conveyor (project - environment) combination. However, users should only be able to request roles of projects and environments to which they can contribute. It is not easy to impose this restriction unless the credentials would be handed out by conveyor, since conveyor knows which users have access to which project and environment, and can be configured to get access to corresponding IAM roles.

Are you currently working around this issue?
We have a relatively complex AWS set-up with Azure AD as IDP. Currently we use the aws-azure-login CLI tool to log in, then change role to get local credentials. However, in this way we cannot restrict which roles can be assumed by which users. We can configure the roles such that only conveyor can assume them, but then we no longer have local access.

Our current workaround is to simply create users for each role with identical permissions and then use the long-lived access and secret key. However, this is potentially insecure as we will have to manually distribute credentials.

Additional context
It would be ideal if the ability to request local credentials were configurable on environment and/or project level. For example, we may not want people to be able to request local credentials for production, even if they are able to deploy there.
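The brokering logic this request describes, as an added example that is neither Conveyor's code nor the issue author's: a user asks for credentials for a (project, environment) pair, the broker checks that the user is a contributor and that the environment permits local credentials, and only then builds the STS AssumeRole parameters. The account id, role ARNs, usernames and project/environment names are constructed placeholders.

```python
from typing import Dict, Set, Tuple

# Constructed configuration: which (project, environment) pair maps to which IAM role,
# and whether that environment allows local credential requests at all.
# The account id and role ARNs are placeholders, not values from the issue.
CONFIG: Dict[Tuple[str, str], dict] = {
    ("datalake", "dev"):  {"role_arn": "arn:aws:iam::123456789012:role/conveyor-datalake-dev",
                           "local_credentials": True},
    ("datalake", "prod"): {"role_arn": "arn:aws:iam::123456789012:role/conveyor-datalake-prod",
                           "local_credentials": False},   # deployable, but no local credentials
}

# Constructed membership data: who may contribute to which (project, environment).
CONTRIBUTORS: Dict[Tuple[str, str], Set[str]] = {
    ("datalake", "dev"):  {"alice", "bob"},
    ("datalake", "prod"): {"alice"},
}

class AccessDenied(Exception):
    """Raised when the broker refuses to name a role for this user/project/environment."""

def build_assume_role_request(user: str, project: str, environment: str,
                              duration_seconds: int = 3600) -> dict:
    """Return the parameters a broker would pass to sts.assume_role(**params), or raise.

    Both restrictions from the request are enforced before any role ARN is revealed:
    the environment must allow local credentials, and the user must be a contributor.
    """
    key = (project, environment)
    entry = CONFIG.get(key)
    if entry is None:
        raise AccessDenied(f"unknown project/environment {key}")
    if not entry["local_credentials"]:
        raise AccessDenied(f"local credentials are disabled for {project}/{environment}")
    if user not in CONTRIBUTORS.get(key, set()):
        raise AccessDenied(f"{user} is not a contributor to {project}/{environment}")
    if not 900 <= duration_seconds <= 3600:
        # Broker policy chosen here: short sessions only (STS itself allows up to the role maximum).
        raise ValueError("duration must be between 15 minutes and 1 hour")
    return {
        "RoleArn": entry["role_arn"],
        # Session name records the requesting user so CloudTrail shows who used the role.
        "RoleSessionName": f"conveyor-local-{user}"[:64],
        "DurationSeconds": duration_seconds,
        # Session tags let S3 bucket policies key on project/environment (ABAC) per session.
        "Tags": [{"Key": "project", "Value": project},
                 {"Key": "environment", "Value": environment}],
    }

def request_allowed(user: str, project: str, environment: str) -> bool:
    """True if the broker would hand out credentials for this combination."""
    try:
        build_assume_role_request(user, project, environment)
        return True
    except AccessDenied:
        return False
```

A real broker would call `boto3.client("sts").assume_role(**params)` with the returned dict and hand the short-lived keys to the CLI, never a long-lived access key.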
