leapp
Maintain IAM Role Chained Configurations based on SSO Assumer session
Is your feature request related to a problem? Please describe.
We use SSO for our AWS organization (MSP). Within this SSO organization we created AWS accounts as "service accounts". These service accounts are directly synced via the SSO integration with Leapp.
The service accounts have a trust with our customers' own AWS accounts via a Cross Account Sign-in role. We use the IAM Role Chained setup with an assumer session from one of our AWS Service Accounts.
Each time the SSO session is expired or synced, the configured sessions via the IAM Role Chained - assumer session are removed. Probably due to a link between these chained session configurations and the sso
Describe the solution you'd like
Don't remove the IAM Role Chained based on SSO accounts
Describe alternatives you've considered
Additional context
Thanks for reporting @cornevandersteen, we've actually fixed this bug but it's not yet released! I'll leave it open until the new release comes out.
With the latest release the problem is solved
Oh, so I'm not sure if I just ran into this in 0.10.0, or if I hit a separate issue. But I created a chained role from an AWS SSO session, and then logged out of the AWS SSO integration, and the chained role session was deleted. And after logging back in, the chained role session was not restored! That is a little painful, if we have to recreate every chained role session every time!
Well, we solved #108, which is a slightly different issue; the linked issue was related to the validity of the AWS SSO access token, not the AWS SSO Integration logout behavior. We have to fix this behavior by separating the concept of logout from the concept of deleting an Integration. @andreacavagna01 this issue still has to be considered open
Has there been any movement on this? I am having this issue as well.
This is solved now with v.0.16.0. I can close the issue now; feel free to re-open the issue if the problem persists.