Cross-account STS role assumption for agents deployed in a central account #320

danievanzyl started this conversation in General

Hello 👋🏻

Our topology:

  • Formae agent runs in a Core account (Bastion VPC)
  • Agent manages resources in spoke accounts (one agent per spoke account)
  • Spoke accounts have dedicated IAM roles with trust policies back to the Core account agent role

The problem:
When the agent applies/discovers against a target, it uses the Core account's credentials (the agent's own IAM role) instead of assuming a role into the spoke account. Our target configs currently only specify region in aws.Config — there's no field to provide a cross-account role ARN or account ID.

Questions:

  1. Does aws.Config support an assumeRole or roleArn field to tell the agent to sts:AssumeRole into a spoke account before making API calls?
  2. If not natively supported, what's the recommended pattern for cross-account agent deployments? Should we run one agent per account (in each spoke) instead of centralising in Core?
  3. If cross-account assume-role is supported, do we also need to provide externalId in the config for confused-deputy protection?
  4. Is there a way to scope the agent's assumed session per-target (e.g., different roles for prod vs staging within the same spoke account)?

What we expect the config to look like:

  config = new aws.Config {
    region = "eu-west-1"
    accountId = "SPOKE_ACCOUNT_ID"
    assumeRole = new aws.AssumeRole {
      roleArn = "arn:aws:iam::SPOKE_ACCOUNT_ID:role/formae-target-role-prod"
      externalId = "formae-ritdu-pe"
    }
  }

Thanks!
Danie


  1. No, but we plan to support this, soon.
  2. Currently you may specify credentials by named profile, or via the AWS environment variables.
  3. We will consider this when exposing the assume role configuration.
  4. The only way to do this at the moment is via named profile usage in the configuration per target.

I will look into this and see how quickly we can support the configuration.


For the time being, actually specifying the role binding via the credentials config may work, and referencing that in the target config via the profile.

  [profile cross-account-role]
  role_arn = arn:aws:iam::123456789012:role/MyAssumedRole
  source_profile = default
  region = us-east-1

Definitely a hack and we will simply expose the config.

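The named-profile workaround above delegates the STS call to the AWS SDK's profile resolution: a profile with `role_arn` borrows credentials from its `source_profile`, and `external_id`, when present, is passed to `sts:AssumeRole` for confused-deputy protection (question 3 above). The following is an added example, not code from this discussion or from the Formae project, that statically audits such a config file before an agent is pointed at it: it follows `source_profile` chains the way the SDK does, flags cross-account role profiles that omit `external_id`, and catches chains that dangle or loop. The profile names, ARNs and the `EXAMPLE-EXTERNAL-ID` value are constructed for the sample.

```python
"""Static audit of AWS named profiles that assume roles via role_arn/source_profile.

Added example; it is not part of the discussion or of the Formae project.
It performs no STS calls: it only reads a ~/.aws/config-style text, follows the
source_profile links, and reports configuration problems a reviewer would want
to catch before deploying a central agent. All names and ARNs are constructed.
"""
import configparser
import re
from typing import Optional

# Constructed sample config: one well-formed cross-account profile, one that
# omits external_id, one whose source profile does not exist, and two that
# reference each other in a cycle.
SAMPLE_CONFIG = """
[default]
region = eu-west-1

[profile spoke-prod]
role_arn = arn:aws:iam::111111111111:role/formae-target-role-prod
source_profile = default
external_id = EXAMPLE-EXTERNAL-ID
region = eu-west-1

[profile spoke-staging]
role_arn = arn:aws:iam::111111111111:role/formae-target-role-staging
source_profile = default
region = eu-west-1

[profile orphan]
role_arn = arn:aws:iam::222222222222:role/SomeRole
source_profile = does-not-exist

[profile loop-a]
role_arn = arn:aws:iam::333333333333:role/A
source_profile = loop-b

[profile loop-b]
role_arn = arn:aws:iam::333333333333:role/B
source_profile = loop-a
"""

# IAM role ARN: partition, 12-digit account id, then role/<name>.
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/.+$")


def load_profiles(text: str) -> dict[str, dict[str, str]]:
    """Map profile name -> settings. ~/.aws/config prefixes every section except
    [default] with 'profile '; that prefix is stripped so links resolve by name."""
    parser = configparser.ConfigParser(delimiters=("=",))  # ARNs contain ':'
    parser.read_string(text)
    profiles: dict[str, dict[str, str]] = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def resolve_chain(profiles: dict[str, dict[str, str]], name: str) -> tuple[list[str], Optional[str]]:
    """Follow source_profile links from `name`. Returns (chain, error); error is
    None when the chain ends at a profile that holds its own credentials."""
    chain: list[str] = []
    seen: set[str] = set()
    current = name
    while True:
        if current not in profiles:
            return chain, f"source profile '{current}' is not defined"
        if current in seen:
            return chain, f"source_profile cycle detected at '{current}'"
        seen.add(current)
        chain.append(current)
        source = profiles[current].get("source_profile")
        if source is None:
            return chain, None  # static credentials (or credential_source) end the chain
        current = source


def audit(profiles: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Return a list of findings for every profile that assumes a role.
    An empty list means the profile passed every check."""
    findings: dict[str, list[str]] = {}
    for name, cfg in profiles.items():
        role_arn = cfg.get("role_arn")
        if role_arn is None:
            continue  # not a role-assuming profile
        issues: list[str] = []
        if not ROLE_ARN_RE.match(role_arn):
            issues.append("role_arn is not a well-formed IAM role ARN")
        if not cfg.get("external_id"):
            issues.append("missing external_id: no confused-deputy protection on AssumeRole")
        _, err = resolve_chain(profiles, name)
        if err:
            issues.append(err)
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for profile, issues in audit(load_profiles(SAMPLE_CONFIG)).items():
        print(f"{profile}: {'OK' if not issues else '; '.join(issues)}")
```

Run against a real `~/.aws/config` by replacing `SAMPLE_CONFIG` with the file's contents; a profile the agent targets should report `OK`, and any `missing external_id` finding should be resolved on both sides (the `external_id` in the profile and the matching `sts:ExternalId` condition in the spoke role's trust policy) before that target goes live.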