RAthena
Allow disabling role assumption when `AWS_ROLE_ARN` environment variable is set
Issue Description
The code for `dbConnect()` checks if the `AWS_ROLE_ARN` environment variable is set, and performs an explicit assume role operation if it is. To perform the assume role operation, it calls on Boto3. Boto3 also uses `AWS_ROLE_ARN` to determine which role to assume, for example when using web identity authentication. This causes RAthena to try to assume role A from role A, which is always superfluous and often denied.
Reproducible Example
Set the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables; Boto3 can now authenticate.
Assuming that `AWS_ROLE_ARN` has value `arn:aws:iam::123456789101:role/A`, call on `dbConnect()` and get the exception:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789101:assumed-role/A/botocore-session-xxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::189756888801:role/A
If unsetting `AWS_ROLE_ARN`, call on `dbConnect()` and get the exception:
Warning: Error in py_call_impl: botocore.exceptions.InvalidConfigError: The provided profile or the current environment is configured to assume role with web identity but has no role ARN configured.
Proposed solution
Allow a value for the `aws_role` parameter that does not trigger an assume role operation, even if `AWS_ROLE_ARN` is set.
Ah, sorry about that, I am currently on holiday and won't be able to do any work on this for 2 weeks. However, in the meantime I am happy to receive any PRs.
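The "role A from role A" case in the issue can be recognised from the caller's ARN before any `sts:AssumeRole` call is made. The Python sketch below is an added example, not RAthena or Boto3 code: `role_identity` and `needs_explicit_assume_role` are hypothetical names, and the ARNs are the ones quoted in the issue plus constructed variants.

```python
import re

# Matches IAM role ARNs and STS assumed-role session ARNs in any partition.
_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>iam|sts)::(?P<account>\d{12}):"
    r"(?P<kind>role|assumed-role)/(?P<rest>.+)$"
)


def role_identity(arn):
    """Return (partition, account, role_name) for a role or session ARN, else None."""
    m = _ARN.match(arn or "")
    if not m:
        return None
    parts = m["rest"].split("/")
    if m["service"] == "iam" and m["kind"] == "role":
        name = parts[-1]  # IAM role ARNs may include a path; the name is last
    elif m["service"] == "sts" and m["kind"] == "assumed-role" and len(parts) == 2:
        name = parts[0]   # assumed-role/<role-name>/<session-name>, path omitted
    else:
        return None
    return (m["partition"], m["account"], name)


def needs_explicit_assume_role(caller_arn, role_arn):
    """False when no role is requested or the caller is already a session of it."""
    if not role_arn:
        return False
    target = role_identity(role_arn)
    if target is None:
        raise ValueError(f"not a role ARN: {role_arn!r}")
    # IAM users and other principals parse to None and therefore still assume.
    return role_identity(caller_arn) != target


if __name__ == "__main__":
    # In real use caller_arn would come from
    # boto3.client("sts").get_caller_identity()["Arn"]; here it is the session
    # ARN quoted in the issue, so the example runs offline.
    caller = "arn:aws:sts::123456789101:assumed-role/A/botocore-session-xxx"
    role = "arn:aws:iam::123456789101:role/A"
    print(needs_explicit_assume_role(caller, role))
```

The comparison uses account and role name only, because the session ARN returned by STS does not carry the role's IAM path.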