Add support for sts assume #213

Open
dochost opened this issue Dec 11, 2022 · 6 comments


dochost commented Dec 11, 2022

Please add support for STS Assume role

Contributor

jpculp commented Dec 13, 2022

Hi @dochost, typically you would assume the role before calling coldsnap. Do you have a use-case that calls for something different?

Author

dochost commented Dec 13, 2022

Hi @jpculp, the use-case is:
snapshots are located in account 'a', but the authenticated user is from account 'b', and the only way to gain access to account 'a' is to utilize assume-role -> download the snapshot, and then upload the snapshots to account 'c'.

To do this programmatically there is a need to use the --profile switch, so adding an option to include assume-role would be extremely beneficial.


adamnovak commented Jan 6, 2025

The workaround here is:

  1. Make sure you have a named profile with the config and credentials for the account you are assuming from.
  2. Run aws sts assume-role --profile XXXXX --role-arn arn:aws:iam::XXXXX:role/XXXXX --role-session-name coldsnap --serial-number arn:aws:iam::XXXXX:mfa/XXXXX --token-code XXXXXX
  3. Grab the values out of the JSON and export them all into environment variables.
     export AWS_ACCESS_KEY_ID=
     export AWS_SECRET_ACCESS_KEY=
     export AWS_DEFAULT_REGION=
     export AWS_SESSION_TOKEN=
  4. Actually use Coldsnap with the assumed role.
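
Steps 2 to 4 of the workaround above as shell functions, given here as an added example that is not part of the thread or of the coldsnap project. `load_sts_credentials` and `run_as_role` are hypothetical names, the MFA flags from step 2 are left out, and the temporary credentials live only in a subshell so they do not remain in the calling shell.

```shell
# Added example (not from the thread). Function names are hypothetical.

# Parse "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken", the single line
# that `--query 'Credentials.[...]' --output text` prints, and export it.
load_sts_credentials() {
    _tab=$(printf '\t')
    IFS=$_tab read -r _key _secret _token _extra <<EOF
$1
EOF
    # Refuse partial output rather than exporting empty or "None" values
    # (the AWS CLI prints None for a missing field in text output).
    for _f in "$_key" "$_secret" "$_token"; do
        case $_f in
            ''|None) echo "unexpected assume-role output" >&2; return 1 ;;
        esac
    done
    [ -z "$_extra" ] || { echo "unexpected assume-role output" >&2; return 1; }
    export AWS_ACCESS_KEY_ID="$_key"
    export AWS_SECRET_ACCESS_KEY="$_secret"
    export AWS_SESSION_TOKEN="$_token"
    unset _key _secret _token _extra _f
}

# Usage: run_as_role <source-profile> <role-arn> <command> [args...]
# AWS_DEFAULT_REGION is not part of the STS response; set it separately.
# The body is a subshell, so the credentials end with the command.
run_as_role() (
    profile=$1 role_arn=$2
    shift 2
    out=$(aws sts assume-role --profile "$profile" --role-arn "$role_arn" \
        --role-session-name coldsnap \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || exit 1
    load_sts_credentials "$out" || exit 1
    "$@"
)

# Constructed sample line (not real credentials) to show the parser offline.
sample=$(printf 'ASIACONSTRUCTED0KEY\tconstructedSecret\tconstructedToken')
( load_sts_credentials "$sample" && echo "loaded key id: $AWS_ACCESS_KEY_ID" )
```

The command to run under the role is passed as the trailing arguments to `run_as_role`, so the coldsnap invocation itself is unchanged from step 4.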

Contributor

bcressey commented Jan 9, 2025

What ought to work is something like this:

[profile bcressey]
region = us-west-2

[profile bcressey-test]
role_arn = ...
source_profile = bcressey

But this results in an error:

Failed to download snapshot: Failed to list snapshot blocks 'snap-...': dispatch failure: other: an error occurred while loading credentials

Contributor

bcressey commented Jan 9, 2025

At a wild guess, we probably need a similar fix to this one:
awslabs/tough#670

Contributor

bcressey commented Jan 9, 2025

@adamnovak if it were possible to set up ~/.aws/config with the chain of role assumptions (like in my example above) would that meet your needs?
