Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
CLI supports assuming a different role locally via --assume-role-arn
See original GitHub issueTo add a new command line flag --assume-role-arn [role-arn] which will assume the given role locally before executing any commands.
This should be semantically equivalent to setting the following configuration when using the aws-sdk:
AWS.config.credentials = new AWS.ChainableTemporaryCredentials({
params: {RoleArn: '...'}
});
It would be expected to work with all variations of --ec2creds.
Use Case
Sometimes the current credentials are not enough to execute CDK. This is different from --role-arn which happens on ChangeSet execution. However CDK needs to do things before that (e.g. uploading assets).
This is also supported by the aws-cli via profiles, which proves the use case. However working with cli profiles from the JavaScript world is painful (even though support got better) and is more complicated to automate in CI/CD environments.
Terraform has a similar option: https://www.terraform.io/docs/providers/aws/index.html#assume_role
Proposed Solution
See above. We need a new cli flag. Somewhere in aws-auth the value would need to be passed in to ChainableTemporaryCredentials which would be used to configure the SDK.
- [x ] 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
Issue Analytics
- State:
- Created 3 years ago
- Reactions:6
- Comments:6 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
For anyone else trying to plug CDK into an automated build environment, here’s my solution:
It requires the standard
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYto be defined for the initial sts call.I cannot speak for CodeBuild, as we are using Jenkins running on an EC2. I can only assume there would be a similar use case to the one we have. In any case, apparently it was warranted that @rix0rrr included the quoted section into the linked master issue.
For Jenkins/EC2 the issue is that agent instances run on a single shared EC2 with a single shared instance role. In order to maintain least privilege permissions, we have each stage of every Job assume permissions appropriate to what the stage is doing. This could be assuming a role on AWS to deploy (multiple) CDK stacks or upload a file to S3, but also credentials to install private npm packages. Again, I’m not actively using CodeBuild, but this might be equivalent to different CodeBuild phases requiring different roles.