
Option to use existing IAM roles instead of dynamically creating roles

Open mparaz opened this issue 8 years ago • 4 comments

I would like the option of the CloudFormation template to make use of existing IAM roles, instead of dynamically creating them.

One scenario is when the user running Gordon, or manually creating the CloudFormation stack, does not have IAM privileges.

mparaz, Nov 17 '16 02:11

I've done this with role

https://gordon.readthedocs.io/en/latest/lambdas.html#role

Does that work for you?

ahl, Dec 16 '16 01:12

Even when providing the ARN I still get an exception from it attempting to call iam:list_users. I'm doing this from a federated account that does not have IAM access.

My settings.yml

lambdas:
  helloworld:
    code: helloworld
    handler: code.handler
    runtime: nodejs4.3
    role: arn:aws:iam::#######:role/acct-managed/Lambda-Deploy

Running apply:

Applying project...
Traceback (most recent call last):
  File "/usr/bin/gordon", line 11, in <module>
    load_entry_point('gordon==0.5.0', 'console_scripts', 'gordon')()
  File "/usr/lib/python2.7/site-packages/gordon/bin.py", line 109, in main
    getattr(obj, options.func)()
  File "/usr/lib/python2.7/site-packages/gordon/core.py", line 426, in apply
    context.update(self.collect_parameters())
  File "/usr/lib/python2.7/site-packages/gordon/core.py", line 459, in collect_parameters
    aws_account_id = boto3.client('iam').list_users(MaxItems=1)['Users'][0]['Arn'].split(':')[4]
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 253, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 543, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the ListUsers operation: The security token included in the request is invalid.

brianantonelli, Mar 09 '17 15:03

Looks like what Gordon really cares about is the account id. We can just add that as a config var: https://github.com/jorgebastida/gordon/blob/c9b83eaf9332d6694212ca9eb65a2ec6338e71f0/gordon/core.py#L454

kerryhatcher, Mar 09 '17 16:03
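The traceback above shows the real dependency: Gordon only needs the account ID, and it derives it with iam:ListUsers, which federated or IAM-less credentials cannot call. The following is an added example, not Gordon's code and not from anyone in this thread. It resolves the account ID in a way that works without IAM permissions: from a hypothetical explicit `aws_account_id` setting (the config var proposed above; Gordon has no such key), else from the account embedded in a lambda's `role` ARN (the value shown in the settings.yml above already contains it), else from sts:GetCallerIdentity, which AWS allows for any valid credentials regardless of IAM policy. The STS client is injected so the block runs offline; the `FakeSTS` class and `SAMPLE_SETTINGS` (with a made-up account ID) are constructed for the example, and with boto3 you would pass `boto3.client("sts")`.

```python
"""Resolve an AWS account ID without calling iam:ListUsers.

Added example (not Gordon's code). Assumes a hypothetical
``aws_account_id`` setting and an STS client object exposing
``get_caller_identity()`` with boto3's return shape.
"""
import re

# Every IAM ARN carries the account ID as the fifth colon-separated field:
#   arn:aws:iam::<account>:role/<path>/<name>
# The partition may be aws, aws-cn, aws-us-gov, etc.
_IAM_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::(\d{12}):")


def account_id_from_arn(arn):
    """Return the 12-digit account ID embedded in an IAM ARN, or None.

    A redacted or malformed ARN (e.g. the ####### placeholder in the
    settings above) yields None rather than a bogus value.
    """
    match = _IAM_ARN_RE.match(arn or "")
    return match.group(1) if match else None


def resolve_account_id(settings, sts_client=None):
    """Pick the account ID from, in order of preference:

    1. an explicit ``aws_account_id`` setting (hypothetical key);
    2. the account embedded in any lambda's ``role`` ARN;
    3. sts:GetCallerIdentity, which needs no IAM permissions, unlike
       iam:ListUsers (which the traceback above shows failing).
    """
    explicit = settings.get("aws_account_id")
    if explicit is not None:
        # YAML may parse the ID as an int and drop leading zeros; restore them.
        return str(explicit).zfill(12)

    for cfg in settings.get("lambdas", {}).values():
        acct = account_id_from_arn(cfg.get("role"))
        if acct:
            return acct

    if sts_client is None:
        raise RuntimeError(
            "no aws_account_id setting, no usable role ARN, and no STS client"
        )
    # Works for IAM users, assumed roles and federated sessions alike.
    return sts_client.get_caller_identity()["Account"]


# Constructed sample mirroring the settings.yml above, with a made-up account ID.
SAMPLE_SETTINGS = {
    "lambdas": {
        "helloworld": {
            "code": "helloworld",
            "handler": "code.handler",
            "runtime": "nodejs4.3",
            "role": "arn:aws:iam::123456789012:role/acct-managed/Lambda-Deploy",
        }
    }
}


class FakeSTS:
    """Stand-in for boto3's STS client so the example runs offline.

    Returns the same keys boto3's ``get_caller_identity`` returns for a
    federated session (constructed values).
    """

    def get_caller_identity(self):
        return {
            "UserId": "AROAEXAMPLE:federated-user",
            "Account": "210987654321",
            "Arn": "arn:aws:sts::210987654321:assumed-role/Deployer/federated-user",
        }


if __name__ == "__main__":
    print(resolve_account_id(SAMPLE_SETTINGS))            # from the role ARN
    print(resolve_account_id({"lambdas": {}}, FakeSTS()))  # from STS
```

If the deploying principal has no IAM permissions at all, order 2 and 3 are the only options; order 3 is the robust one, since the account in a role ARN is the account that owns the role, which need not be the account the stack is created in when cross-account roles are involved.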

Next issue is that gordon.contrib.lambdas had a policy defined, so even if you have a role configured for your application, gordon still tries to create one for the contrib function.

See: https://github.com/jorgebastida/gordon/blob/master/gordon/contrib/lambdas/settings.yml#L11 https://gordon.readthedocs.io/en/latest/contrib.html

kerryhatcher, Mar 09 '17 17:03