Use AWS IAM role credentials #20

Closed
marek-obuchowicz opened this issue Jul 4, 2018 · 2 comments · Fixed by #31

@marek-obuchowicz

Use AWS IAM role credentials

Expected Behavior

If no AWS credentials are provided, the module should use the AWS IAM role attached to the running instance for the AWS API.

Current Behavior

Using "pre-generated" AWS API keys is against AWS security guidelines. They recommend using an AWS IAM instance role policy to grant those privileges. At the moment most AWS client libraries support this, but this Icinga module forces the user to enter hardcoded secrets.

Possible Solution

Either add an option to select whether the IAM role should be used, or just fall back to the IAM role if no credentials are configured (backward-compatible and convenient).

Context

We are having audit issues as this Icinga module uses bad practices and requires the use of static API credentials.

@thiagonache

I'm sure you guys know that the code change is very simple:

diff --git a/library/Aws/AwsClient.php b/library/Aws/AwsClient.php
index 95549f3..9cb0b44 100644
--- a/library/Aws/AwsClient.php
+++ b/library/Aws/AwsClient.php
@@ -224,7 +224,6 @@ class AwsClient
     {
         $params = array(
             'region'  => $this->region,
-            'credentials' => $this->key->getCredentials(),
         );
 
         $config = Config::module('aws');
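
Review bot: dropping the `'credentials'` entry from `$params` unconditionally also stops passing a key that is configured, so existing setups that rely on static keys silently change which identity they use. Keep `'credentials' => $this->key->getCredentials()` when a key is set and leave it out only when none is configured, so that the no-key case alone falls back to the instance role as the issue asks. The key requirement in the configuration form needs relaxing in the same change, otherwise a placeholder key still has to be stored to add the module.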

The problem is that the WebUI requires a key in order to add the module... for testing, I've added a fake key and applied the code change above and everything works.

@thiagonache

@Thomas-Gelf can you take a look, please? #28

@mxhash mxhash self-assigned this Aug 13, 2019
mxhash added a commit that referenced this issue Aug 13, 2019
@N-o-X N-o-X closed this as completed in #31 Aug 13, 2019