-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support aws auth with already set environment variables #99
Comments
Hello @consideRatio! One of the things I've wanted to do is to keep the deployment repository 'self-contained' - that all you need to deploy is the decryption key (sops or otherwise), and all other credentials are inside. This way, you can control access via the KMS key (or git-crypt key elsewhere), without having to give users individual access. By setting up the role arn, you can also give the deployed user the minimum required privileges, and rotate that as needed without relying on external factors like env keys setup. I hope this makes sense? |
Hi @yuvipanda! :) Ah I see your point, but would you agree that current role_arn implementation currently require us to provide credentials directly that are beyond the KMS credentials? I'm reading this like:
|
Ah yes, that's correct. The idea there is that you'd mostly run this from an EC2 instance that can assume that role, or have set AWS_* env vars that can assume that role. I had totally forgotten about this, and yeah this violates the rule around being self-contained :| Ideally I'd like to not have this, but unfortunately there are cases when policy prohibits generating ACCESS_SECRETs, and only roles can be used. See https://github.com/yuvipanda/aws-codecommit-secret for how I had set up to use this. So in the local deployment case, this means you either:
If doing (2), your EC2 instance (or user) only needs to have permissions to assume that role, and nothing else. I'll admit I had totally forgotten about this :| |
Thanks for the confirmation! I think I understand what you aim for quite well now so hopefully I can contribute moving this repo towards that direction. Thank you for your work on this project @yuvipanda ❤️ 🎉 I'll not close this issue yet as I hope we can make it lead to some documentation or similar at least. |
I'm going AWS native with AWS for KMS, ECR, and EKS.
By doing so, I use the environment variables
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
to use SOPS. But of course I could use these directly for ECR as well (assuming ~/.docker/config.json is configured for me), and EKS access also (assumingaws eks update-kubeconfig
is called).Currently though, if I specify
aws.service_key
in hubploy, I end up using SOPS to decrypt the same key already used. I ended up creating a AWS Role to assume so I can userole_arn
to take on that role with permissions ^^.I suggest we support omitting both
service_key
androle_arn
by inspecting these AWS environment variables as well, and if they exist we try to use them directly.The text was updated successfully, but these errors were encountered: