Implement Refreshable Chained AWS Session for Multi-Account Role Assumption #69
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR introduces functionality to establish a chained AWS session for multi-account role assumption, allowing the system to:
proxy account
and use the resulting credentials.customer account
.RefreshableCredentials
to maintain seamless, uninterrupted access.Context
Due to the requirement to perform operations in a
customer account
by first assuming a role in an intermediate (proxy) account, this chained session approach enables:Implementation Details
Primary Role Assumption (Proxy Account):
AssumeRoleCredentialFetcher
to assume a role inProxy
.RefreshableCredentials
is used to enable automatic refreshing on expiration.Chained Role Assumption (Customer Account):
Customer
.AssumeRoleCredentialFetcher
is set up withRefreshableCredentials
to automatically refresh upon expiry.Default Session Setup for boto3:
boto3
to use this chained session, so all AWS API calls automatically utilize the assumed roles without additional configuration.Example Usage
The setup function initializes the chained session, and subsequent boto3 clients can be created without additional steps. Here’s a usage example:
Manual QA steps
Risks
Rollback steps
AI generated code
https://internal.qlik.dev/general/ways-of-working/code-reviews/#guidelines-for-ai-generated-code