Add support for STS-issued AWS Credentials #4603
Conversation
|
@tariqajyusuf is attempting to deploy a commit to the Ethyca Team on Vercel. A member of the Team first needs to authorize it. |
There was a problem hiding this comment.
thanks so much for this contribution, this change looks great @tariqajyusuf! appreciate all the diligence in getting this supported throughout the stack, from the CLI to the UI. i was able to test manually with some of our internal AWS accounts and things work great with temporary credentials, as well as with permanent credentials (i.e. no regressions).
i left one UI nitpick that you can feel free to ignore, i'll leave it up to your discretion! the other piece of this is that we'll want to get automated test coverage for this new functionality in place, but that's not really something you're able to do outside of our org (since the GH actions will require our GH secrets, etc.). so i went ahead and filed a follow up ticket for myself to add that test coverage in (#4607) - it should be a relatively straightforward update.
thanks again for being proactive and thoughtful in contributing this improvement to our codebase/product, we really appreciate it! 🙏
| "--session_token", | ||
| type=str, | ||
| default="", | ||
| help="Connect to AWS using a temporary `Access Key`. _Requires options `--access_key_id`, `--secret_access_key`, `--session_token`, & `--region`._", |
There was a problem hiding this comment.
thank you for the diligent documentation here, this leads to a clear user experience!
clients/admin-ui/src/features/config-wizard/AuthenticateAwsForm.tsx
Outdated
Show resolved
Hide resolved
| @@ -330,6 +331,7 @@ def handle_aws_credentials_options( | |||
| aws_config = AWSConfig( | |||
| aws_access_key_id=access_key_id, | |||
| aws_secret_access_key=secret_access_key, | |||
| aws_session_token=session_token, | |||
There was a problem hiding this comment.
interesting, so this seems to still work even when passed through as None - seems like the boto3 client instantiation just ignores any kwargs with None values in its constructor, as that's what is going to happen downstream at https://github.com/ethyca/fides/blob/main/src/fides/connectors/aws.py#L23-L33
service_client = boto3.client(
service,
**config_dict,
)nothing to change here since it all works as we want and boto3 is pretty defensive, just thought it was noteworthy behavior!
There was a problem hiding this comment.
Yeah I was watching for this to have some issues as I've experienced that with a few other AWS SDKs but it seems that it does a pretty good job at checking here.
…m.tsx Add `isRequired` flags Co-authored-by: Adam Sachs <[email protected]>
Include environment parameters for changes added in ethyca/fides#4603
Closes #4596
Description Of Changes
This change adds an option to pass
session_tokento the CLI, UI, or API when using the system discovery feature for AWS. Long-term credentials only require anaccess_key_idandsecret_access_key. As it stands today, this means that long-term credentials have to be created to use any system discovery. By adding an option to usesession_tokens, we now allow for temporary credentials that can reflect the principle of least access.Code Changes
aws_session_token--session_tokenas an optional argument tofides generateandfides scanSteps to Confirm
After setting up the dev environment
aws sts assume-role ...)access_key_idandsecret_access_key, this should fail.session_tokenargument, this should pass.Pre-Merge Checklist
CHANGELOG.md