Implement Refreshable Chained AWS Session for Multi-Account Role Assumption #59

Draft: wants to merge 2 commits into master
Conversation

sgandhi1311 (Member) commented Oct 30, 2024

Overview

This PR introduces functionality to establish a chained AWS session for multi-account role assumption, allowing the system to:

  1. Assume a role in a proxy account and use the resulting credentials.
  2. Use the proxy session to assume a secondary role in a customer account.
  3. Automatically refresh both sessions upon expiration using RefreshableCredentials to maintain seamless, uninterrupted access.

Context

Due to the requirement to perform operations in a customer account by first assuming a role in an intermediate (proxy) account, this chained session approach enables:

  • Session Reuse: Enables reusing a single session across AWS services.
  • Automatic Refreshing: Ensures that both sessions are refreshed as needed, avoiding disruptions during operations.

Implementation Details

  1. Primary Role Assumption (Proxy Account):

    • Utilizes AssumeRoleCredentialFetcher to assume a role in Proxy.
    • RefreshableCredentials is used to enable automatic refreshing on expiration.
    • This session is cached to avoid redundant calls and improve performance.
  2. Chained Role Assumption (Customer Account):

    • Leverages the proxy account session to assume a role in Customer.
    • A second AssumeRoleCredentialFetcher is set up with RefreshableCredentials to automatically refresh upon expiry.
  3. Default Session Setup for boto3:

    • Configures boto3 to use this chained session, so all AWS API calls automatically utilize the assumed roles without additional configuration.
    • Logs the current session expiration timestamp to verify that refreshing occurs as expected.

Example Usage

The setup function initializes the chained session, and subsequent boto3 clients can be created without additional steps. Here’s a usage example:

import boto3

config = {
    'proxy_account_id': '123456789012',
    'proxy_role_name': 'ProxyRole',
    'account_id': '987654321098',
    'role_name': 'CustomerRole',
    'proxy_external_id': 'ProxyExternalID',
    'external_id': 'CustomerExternalID',
    'region': 'us-east-1'
}

setup_aws_client(config)
s3_client = boto3.client('s3')
# Use s3_client for S3 operations, with credentials refreshing automatically

@sgandhi1311 sgandhi1311 changed the title setup token chain using the AWS proxy account Implement Refreshable Chained AWS Session for Multi-Account Role Assumption Oct 30, 2024