diff --git a/library/Aws/AssumeRole.php b/library/Aws/AssumeRole.php
new file mode 100644
index 0000000..c5bed90
--- /dev/null
+++ b/library/Aws/AssumeRole.php
@@ -0,0 +1,28 @@
+arn = $arn;
+ $assumeRole->session = $session;
+
+ return $assumeRole;
+ }
+
+ public function getParams()
+ {
+ return [
+ 'RoleArn' => $this->arn,
+ 'RoleSessionName' => $this->session
+ ];
+ }
+}
diff --git a/library/Aws/AwsClient.php b/library/Aws/AwsClient.php
index c9c191a..7860d91 100644
--- a/library/Aws/AwsClient.php
+++ b/library/Aws/AwsClient.php
@@ -3,7 +3,11 @@ namespace Icinga\Module\Aws;
 use Aws\Api\DateTimeResult;
+use Aws\Credentials\AssumeRoleCredentialProvider;
+use Aws\Credentials\CredentialProvider;
+use Aws\Credentials\InstanceProfileProvider;
 use Aws\Sdk;
+use Aws\Sts\StsClient;
 use Icinga\Application\Config;
 class AwsClient
@@ -17,7 +21,7 @@ class AwsClient
 */
 protected $sdk;
- public function __construct(AwsKey $key = null, $region)
+ public function __construct($key = null, $region)
 {
 $this->region = $region;
 $this->key = $key;
@@ -265,6 +269,14 @@ protected function initializeSdk()
 if ($this->key instanceof AwsKey) {
 $params['credentials'] = $this->key->getCredentials();
+ } else if ($this->key instanceof AssumeRole) {
+ $assumeRoleCredentials = new AssumeRoleCredentialProvider([
+ 'client' => new StsClient($params + [
+ 'credentials' => new InstanceProfileProvider()
+ ]),
+ 'assume_role_params' => $this->key->getParams()
+ ]);
+ $params['credentials'] = CredentialProvider::memoize($assumeRoleCredentials);
 }
 $config = Config::module('aws');
diff --git a/library/Aws/ProvidedHook/Director/ImportSource.php b/library/Aws/ProvidedHook/Director/ImportSource.php
index e5c3b0d..db30d92 100644
--- a/library/Aws/ProvidedHook/Director/ImportSource.php
+++ b/library/Aws/ProvidedHook/Director/ImportSource.php
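Review bot: The visible tail of `create()` stores `$session` unchecked and `getParams()` hands it to STS as `RoleSessionName`, which STS only accepts as 2–64 characters from `[\w+=,.@-]`; a guard in `create()` such as `if (!preg_match('/^[\w+=,.@-]{2,64}$/', $session)) { throw new \InvalidArgumentException('Invalid RoleSessionName'); }` would fail fast with a clear message instead of a late STS validation error. In this view the hunk is cut off before `create()`'s signature (everything from the file header to the first `$assumeRole->` is missing), so the opening of the class could not be reviewed. Both methods also lack docblocks: `getParams()` should say it returns the `assume_role_params` array the SDK's AssumeRoleCredentialProvider consumes, and `create()` should document `$arn` as the role ARN and `$session` as the session name that STS records on the assumed-role identity.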
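Review bot: Removing the `AwsKey` hint at `public function __construct($key = null, $region)` drops the only type check on `$key` without documenting what is now accepted; add a docblock `@param AwsKey|AssumeRole|null $key  credential source; null leaves the SDK's credentials unset (the "IAM role credentials" option)` and `@param string $region`. With the hint gone, a wrong object type is only noticed later in initializeSdk(), so a constructor guard `if ($key !== null && !$key instanceof AwsKey && !$key instanceof AssumeRole) { throw new \InvalidArgumentException('Unsupported credential object'); }` keeps the failure at the call site. The constructor body continues outside the hunk.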
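Review bot: The branch added at `} else if ($this->key instanceof AssumeRole) {` leaves the chain without a closing case, so now that the constructor no longer type-hints `$key`, an unexpected object silently falls through with `$params['credentials']` unset and the SDK resolves whatever ambient credentials its default chain finds rather than the ones the caller asked for; fail closed with `} elseif ($this->key !== null) { throw new \InvalidArgumentException('Unsupported credential object'); }`. The STS client is also pinned to `new InstanceProfileProvider()`, which means the assume-role path only works from an EC2 instance profile; if that is intended, a comment stating it would help, otherwise `CredentialProvider::defaultProvider()` presumably keeps the instance-profile source while also honouring environment or container credentials. PSR-12 spells the keyword `elseif`. initializeSdk() starts and ends outside the hunk.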
@@ -2,6 +2,8 @@ namespace Icinga\Module\Aws\ProvidedHook\Director;
+use Icinga\Module\Aws\AssumeRole;
+use Icinga\Module\Director\Forms\ImportSourceForm;
 use Icinga\Module\Director\Hook\ImportSourceHook;
 use Icinga\Module\Director\Web\Form\QuickForm;
 use Icinga\Module\Aws\AwsClient;
@@ -25,7 +27,11 @@ public function fetchData()
 $key = null;
 if ($keyName) {
- $key = AwsKey::loadByName($keyName);
+ if ($keyName === 'IAM assume role') {
+ $key = AssumeRole::create($this->getSetting('iam_assume_role'), 'director');
+ } else {
+ $key = AwsKey::loadByName($keyName);
+ }
 }
 $client = new AwsClient($key, $this->getSetting('aws_region'));
@@ -158,15 +164,27 @@ public static function addSettingsFormFields(QuickForm $form)
 'label' => 'AWS access method',
 'required' => false,
 'description' => $form->translate(
- 'Use IAM role credential or select your AWS key. This shows all keys from your keys.ini.'
+ 'Use IAM role credential, assume role or select your AWS key.'
+ . ' This shows all keys from your keys.ini.'
 . ' Please check the documentation if you miss the keys in the list.'
 ),
- 'multiOptions' => $form->optionalEnum(AwsKey::enumKeyNames(), $form->translate(
+ 'multiOptions' => $form->optionalEnum(
+ AwsKey::enumKeyNames()
+ + ['IAM assume role' => $form->translate('IAM assume role')],
+ $form->translate(
 'IAM role credentials'
 )),
 'class' => 'autosubmit',
 ));
+ /** @var ImportSourceForm $form */
+ if ($form->getSentOrObjectSetting('aws_access_key') === 'IAM assume role') {
+ $form->addElement('text', 'iam_assume_role', [
+ 'label' => 'Assume role',
+ 'required' => true
+ ]);
+ }
+
 $form->addElement('select', 'object_type', array(
 'label' => 'Object type',
 'required' => true,
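Review bot: `'IAM assume role'` is compared here as a sentinel in the same value space as real key names from keys.ini, and the form builds its options with `AwsKey::enumKeyNames() + [...]` (presumably keyed by key name), so a key that is actually named `IAM assume role` would be listed as that key but resolved here as the assume-role path; pull the string into a class constant `const ASSUME_ROLE_OPTION = 'IAM assume role';` shared by fetchData() and addSettingsFormFields(), and treat a clash with `enumKeyNames()` as a configuration error. The fixed `'director'` session name also makes every import source indistinguishable in the assumed-role identity STS records; deriving the session name from the import source (sanitised to `[\w+=,.@-]`, at most 64 characters) would let the account owner attribute calls. fetchData() starts and ends outside the hunk.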
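Review bot: The new `iam_assume_role` element accepts any text and fetchData() passes it straight to STS as the role ARN; add a format check in the element's validator spec, e.g. `'validators' => [['regex', false, ['/^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/']]],` next to `'required' => true`, plus a `'description'` telling the operator that the monitoring host's own role must be allowed to assume it. The `/** @var ImportSourceForm $form */` annotation narrows the declared `QuickForm $form` only for static analysis; if `getSentOrObjectSetting()` exists on ImportSourceForm rather than QuickForm, any other QuickForm passed here now fails at runtime, so either tighten the parameter type or document the assumption. addSettingsFormFields() starts and ends outside the hunk.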