Support AWS_ROLE_ARN Environment Variable with Environment Credential Provider
Feature description
The AWS_ROLE_ARN environment variable was recently added with the introduction of the web identity credential provider. It would be great if the AWS_ROLE_ARN environment variable could also be used with the environment credential provider. This allows environments where disk access is not available or read-only to assume a role without a shared configuration file.
An example workflow, given the following environment:
AWS_ACCESS_KEY_ID=AK...
AWS_SECRET_ACCESS_KEY=...
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/example
The environment credential provider would use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY credentials to assume the given AWS_ROLE_ARN.
Describe alternatives you've considered
Creating our own application-specific environment variable(s) (e.g. AWS_ROLE_ARN or TF_AWS_ROLE_ARN) to trigger assuming a role automatically, at the risk of:
- Naming collisions and logic issues if within the AWS_ namespace and default AWS Go SDK behavior
- Maintaining our own environment variables which do not benefit the larger AWS SDK/CLI ecosystem
- Longterm code deprecation and user burden of switching off our own environment variables if/when properly implemented in the AWS Go SDK
Additional context
References:
- https://github.com/aws/aws-sdk-go/pull/2667
- https://github.com/aws/aws-sdk-go/pull/2667/files#r299696333
- https://github.com/hashicorp/terraform/pull/21718
- https://github.com/terraform-providers/terraform-provider-aws/pull/8985
- https://github.com/terraform-providers/terraform-provider-aws/pull/9208
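As an added illustration of the provider behaviour the request describes (example code written for this page, not code from the SDK, the Terraform PRs, or the issue author): a Go sketch of an environment credential provider that reads the static keys and, when AWS_ROLE_ARN is set, uses them only to assume that role. The `Assumer` interface, the `fakeSTS` stand-in, the `lookup` indirection and the environment values are assumptions made so the code runs offline; in the real SDK the STS step is `stscreds.AssumeRoleProvider` over an `sts` client built from static credentials.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// Credentials is the value a provider yields: either the long-lived keys
// from the environment or the temporary keys STS returns for the role.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Expires         time.Time // zero for long-lived keys
}

// lookup stands in for os.LookupEnv so the logic can run against a
// constructed environment (assumption: a real provider reads os.Environ).
type lookup func(key string) (string, bool)

// mapLookup builds a lookup from a map, used for the constructed samples below.
func mapLookup(env map[string]string) lookup {
	return func(key string) (string, bool) {
		v, ok := env[key]
		return v, ok
	}
}

// Assumer abstracts the STS AssumeRole call. It is an assumption of this
// example; the real SDK would call sts.AssumeRole with a client signed by base.
type Assumer interface {
	AssumeRole(base Credentials, roleARN, sessionName string) (Credentials, error)
}

var (
	ErrNoEnvCredentials = errors.New("env provider: AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set")
	ErrBadRoleARN       = errors.New("env provider: AWS_ROLE_ARN is not an IAM role ARN")
)

// roleARNPattern accepts arn:aws[-partition]:iam::<12-digit account>:role/<path/name>.
var roleARNPattern = regexp.MustCompile(`^arn:aws(-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$`)

// EnvRoleCredentials implements the behaviour the issue asks for: read the
// static keys from the environment and, if AWS_ROLE_ARN is also set, use them
// only to assume that role. A malformed AWS_ROLE_ARN is an error rather than a
// silent fallback to the static keys, so the process never runs as an identity
// the operator did not intend.
func EnvRoleCredentials(get lookup, sts Assumer) (Credentials, error) {
	id, _ := get("AWS_ACCESS_KEY_ID")
	secret, _ := get("AWS_SECRET_ACCESS_KEY")
	if id == "" || secret == "" {
		return Credentials{}, ErrNoEnvCredentials
	}
	token, _ := get("AWS_SESSION_TOKEN")
	base := Credentials{AccessKeyID: id, SecretAccessKey: secret, SessionToken: token}

	roleARN, _ := get("AWS_ROLE_ARN")
	if roleARN == "" {
		return base, nil // today's behaviour: static keys only
	}
	if !roleARNPattern.MatchString(roleARN) {
		return Credentials{}, fmt.Errorf("%w: %q", ErrBadRoleARN, roleARN)
	}

	sessionName, _ := get("AWS_ROLE_SESSION_NAME")
	if sessionName == "" {
		// Fall back to a timestamped session name when none is supplied.
		sessionName = fmt.Sprintf("env-%d", time.Now().Unix())
	}
	return sts.AssumeRole(base, roleARN, sessionName)
}

// fakeSTS is a constructed stand-in that records the call and hands back
// temporary credentials, so the flow can be observed without network access.
type fakeSTS struct {
	LastRoleARN, LastSessionName string
}

func (f *fakeSTS) AssumeRole(base Credentials, roleARN, sessionName string) (Credentials, error) {
	if base.AccessKeyID == "" {
		return Credentials{}, errors.New("fake sts: request must be signed with base credentials")
	}
	f.LastRoleARN, f.LastSessionName = roleARN, sessionName
	return Credentials{
		AccessKeyID:     "ASIAEXAMPLETEMPORARY",
		SecretAccessKey: "temporary-secret",
		SessionToken:    "temporary-session-token",
		Expires:         time.Now().Add(time.Hour),
	}, nil
}

func main() {
	// Constructed environment mirroring the workflow in the issue.
	env := map[string]string{
		"AWS_ACCESS_KEY_ID":     "AKIAEXAMPLE",
		"AWS_SECRET_ACCESS_KEY": "example-secret",
		"AWS_ROLE_ARN":          "arn:aws:iam::123456789012:role/example",
		"AWS_ROLE_SESSION_NAME": "ci-build-42",
	}
	sts := &fakeSTS{}
	creds, err := EnvRoleCredentials(mapLookup(env), sts)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("assumed %s as %s; temporary key %s expires %s\n",
		sts.LastRoleARN, sts.LastSessionName, creds.AccessKeyID, creds.Expires.Format(time.RFC3339))
}
```

The design point worth keeping if this lands in the SDK: when AWS_ROLE_ARN is present but unusable, fail rather than quietly continue with the long-lived keys, since the whole value of the feature is that the environment alone determines which identity the code runs as.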
It seems like it would make sense to include AWS_ROLE_SESSION_NAME along with this as well.
👍 to making AssumeRole more transparent. I'd love to be able to tell my app developers "just use this credential provider class" and then give me the ability to fully determine what identity their code runs as, and how it obtains that identity, entirely by setting environment variables.
Any update with this? This functionality would be very useful in deployed envs i.e. k8s to be able to start sessions for specific profiles in code without needing to use a filesystem (for the shared config file).
This would definitely make my pipelines easier as with a lot of them I have to download the cli to then assume a role to then use with a deploy utility. Making this available would remove the need for us to assume a role with packages that use the SDK internally to manage credentials.