

Merge pull request #48 from Icinga/iam-assume-role
Support IAM Assume Role as access method
lippserd authored Jul 13, 2020
2 parents e9dd61f + af71178 commit c0a0ab9
Showing 3 changed files with 62 additions and 4 deletions.
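--- a/library/Aws/AssumeRole.php
+++ b/library/Aws/AssumeRole.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace Icinga\Module\Aws;
+
+class AssumeRole
+{
+protected $arn;
+
+protected $session;
+
+public static function create($arn, $session)
+{
+$assumeRole = new static();
+
+$assumeRole->arn = $arn;
+$assumeRole->session = $session;
+
+return $assumeRole;
+}
+
+public function getParams()
+{
+return [
+'RoleArn' => $this->arn,
+'RoleSessionName' => $this->session
+];
+}
+}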
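Review bot: AssumeRole carries no documentation or type information even though getParams() is handed straight to the SDK as assume_role_params (see the AwsClient hunk), so its keys must be STS AssumeRole request parameters and both values reach STS unvalidated. I would add a class docblock stating that, `@param string $arn` and `@param string $session` with `@return static` on create(), and `@return array{RoleArn: string, RoleSessionName: string}` on getParams(). The docblock for $session should note that STS constrains RoleSessionName's length and character set, so an unsuitable value is rejected only at first use rather than when the object is built.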
14 changes: 13 additions & 1 deletion library/Aws/AwsClient.php
Expand Up @@ -3,7 +3,11 @@
namespace Icinga\Module\Aws;

use Aws\Api\DateTimeResult;
use Aws\Credentials\AssumeRoleCredentialProvider;
use Aws\Credentials\CredentialProvider;
use Aws\Credentials\InstanceProfileProvider;
use Aws\Sdk;
use Aws\Sts\StsClient;
use Icinga\Application\Config;

class AwsClient
Expand All @@ -17,7 +21,7 @@ class AwsClient
*/
protected $sdk;

public function __construct(AwsKey $key = null, $region)
public function __construct($key = null, $region)
{
$this->region = $region;
$this->key = $key;
Expand Down Expand Up @@ -272,6 +276,14 @@ protected function initializeSdk()

if ($this->key instanceof AwsKey) {
$params['credentials'] = $this->key->getCredentials();
} else if ($this->key instanceof AssumeRole) {
$assumeRoleCredentials = new AssumeRoleCredentialProvider([
'client' => new StsClient($params + [
'credentials' => new InstanceProfileProvider()
]),
'assume_role_params' => $this->key->getParams()
]);
$params['credentials'] = CredentialProvider::memoize($assumeRoleCredentials);
}

$config = Config::module('aws');
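Review bot: The StsClient built for the assume-role branch is pinned to `new InstanceProfileProvider()` as its source credentials, so the new access method only works when Icinga Web itself runs on an EC2 instance with an instance profile; on ECS, with environment or ini credentials, or on-premises the metadata lookup fails and the error surfaces only when an import runs. If the feature is meant to be broader than EC2, `'credentials' => CredentialProvider::defaultProvider()` keeps the instance profile as the last fallback while also accepting the standard chain. Separately, dropping the `AwsKey` type from the constructor means any other value for `$key` now silently falls through both `instanceof` branches into the SDK's default credentials instead of an error, and `$key = null` before the required `$region` is an optional-before-required parameter that PHP 8 deprecates; a `@param AwsKey|AssumeRole|null $key` docblock plus an `else` branch that throws would make the contract explicit. initializeSdk() starts and ends outside the visible hunk.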
24 changes: 21 additions & 3 deletions library/Aws/ProvidedHook/Director/ImportSource.php
Expand Up @@ -2,6 +2,8 @@

namespace Icinga\Module\Aws\ProvidedHook\Director;

use Icinga\Module\Aws\AssumeRole;
use Icinga\Module\Director\Forms\ImportSourceForm;
use Icinga\Module\Director\Hook\ImportSourceHook;
use Icinga\Module\Director\Web\Form\QuickForm;
use Icinga\Module\Aws\AwsClient;
Expand All @@ -25,7 +27,11 @@ public function fetchData()
$key = null;

if ($keyName) {
$key = AwsKey::loadByName($keyName);
if ($keyName === 'IAM assume role') {
$key = AssumeRole::create($this->getSetting('iam_assume_role'), 'director');
} else {
$key = AwsKey::loadByName($keyName);
}
}

$client = new AwsClient($key, $this->getSetting('aws_region'));
Expand Down Expand Up @@ -158,15 +164,27 @@ public static function addSettingsFormFields(QuickForm $form)
'label' => 'AWS access method',
'required' => false,
'description' => $form->translate(
'Use IAM role credential or select your AWS key. This shows all keys from your keys.ini.'
'Use IAM role credential, assume role or select your AWS key.'
. ' This shows all keys from your keys.ini.'
. ' Please check the documentation if you miss the keys in the list.'
),
'multiOptions' => $form->optionalEnum(AwsKey::enumKeyNames(), $form->translate(
'multiOptions' => $form->optionalEnum(
AwsKey::enumKeyNames()
+ ['IAM assume role' => $form->translate('IAM assume role')],
$form->translate(
'IAM role credentials'
)),
'class' => 'autosubmit',
));

/** @var ImportSourceForm $form */
if ($form->getSentOrObjectSetting('aws_access_key') === 'IAM assume role') {
$form->addElement('text', 'iam_assume_role', [
'label' => 'Assume role',
'required' => true
]);
}

$form->addElement('select', 'object_type', array(
'label' => 'Object type',
'required' => true,
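Review bot: The sentinel `'IAM assume role'` is spelled out three times (the `===` in fetchData(), the option added with `+` in the select, and the getSentOrObjectSetting() check) and shares its value space with key names from keys.ini: a key actually named "IAM assume role" would keep its keys.ini label because `+` lets the first array win, yet fetchData() would route it to AssumeRole::create() and never to AwsKey::loadByName(). A class constant whose value cannot be a key name, e.g. `const ACCESS_ASSUME_ROLE = '__iam_assume_role__';`, used in all three places removes both the collision and the risk of the strings drifting apart. The RoleSessionName is also fixed to `'director'`, so CloudTrail cannot distinguish several import sources assuming the same role; deriving it from the import source's name, if that is reachable here, would improve attribution. Both fetchData() and addSettingsFormFields() begin before and continue past the visible hunks.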
