Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement Refreshable Chained AWS Session for Multi-Account Role Assumption #69

Open
wants to merge 14 commits into
base: master
Choose a base branch
from

Conversation

rdeshmukh15
Copy link
Contributor

@rdeshmukh15 rdeshmukh15 commented Oct 24, 2024

Overview

This PR introduces functionality to establish a chained AWS session for multi-account role assumption, allowing the system to:

  1. Assume a role in a proxy account and use the resulting credentials.
  2. Use the proxy session to assume a secondary role in a customer account.
  3. Automatically refresh both sessions upon expiration using RefreshableCredentials to maintain seamless, uninterrupted access.

Context

Due to the requirement to perform operations in a customer account by first assuming a role in an intermediate (proxy) account, this chained session approach enables:

  • Session Reuse: Enables reusing a single session across AWS services.
  • Automatic Refreshing: Ensures that both sessions are refreshed as needed, avoiding disruptions during operations.

Implementation Details

  1. Primary Role Assumption (Proxy Account):

    • Utilizes AssumeRoleCredentialFetcher to assume a role in Proxy.
    • RefreshableCredentials is used to enable automatic refreshing on expiration.
    • This session is cached to avoid redundant calls and improve performance.
  2. Chained Role Assumption (Customer Account):

    • Leverages the proxy account session to assume a role in Customer.
    • A second AssumeRoleCredentialFetcher is set up with RefreshableCredentials to automatically refresh upon expiry.
  3. Default Session Setup for boto3:

    • Configures boto3 to use this chained session, so all AWS API calls automatically utilize the assumed roles without additional configuration.
    • Logs the current session expiration timestamp to verify that refreshing occurs as expected.

Example Usage

The setup function initializes the chained session, and subsequent boto3 clients can be created without additional steps. Here’s a usage example:

config = {
    'proxy_account_id': '123456789012',
    'proxy_role_name': 'ProxyRole',
    'account_id': '987654321098',
    'role_name': 'CustomerRole',
    'external_id': 'CustomerExternalID',
    'region': 'us-east-1'
}

setup_aws_client(config)
s3_client = boto3.client('s3')
# Use s3_client for S3 operations, with credentials refreshing automatically

Manual QA steps

Risks

Rollback steps

  • revert this branch

AI generated code

https://internal.qlik.dev/general/ways-of-working/code-reviews/#guidelines-for-ai-generated-code

  • this PR has been written with the help of GitHub Copilot or another generative AI tool

@sgandhi1311 sgandhi1311 changed the title proxy account AWS changes Implement Refreshable Chained AWS Session for Multi-Account Role Assumption Oct 30, 2024
@rdeshmukh15 rdeshmukh15 marked this pull request as ready for review November 29, 2024 08:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants