Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Role support #2

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Role support #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e1226ce
added role documentation
scott-hiemstra Aug 25, 2022
ba45d99
Added an unset and jq
scott-hiemstra Aug 25, 2022
53169fe
Added doc for AWS cross acount roles documentation
scott-hiemstra Aug 25, 2022
3a34660
Update ecs-roles-cf.json
fdesing Oct 28, 2022
b75392c
Merge pull request #1 from fdesing/patch-1
scott-hiemstra Oct 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,4 +106,27 @@ ACCOUNT_ID=<your account>

echo -n $ECR_PASSWORD | docker login -u AWS --password-stdin https://$ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com

```
## Using AWS Assumed Role instead of normal IAM credentials
You can use the `aws sts assume-role` along with `jq` to utilize AWS assigned roles. This allows for using centralized AWS account management and doesn't rely on AWS IAM accounts.

Adding Cross Account Roles:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

If your assigned cross account role is `arn:aws:iam::0123456789:role/AdminCrossAccount`, you can run the rollowing commands:
```
AWS_DATA=$(aws sts assume-role --role-arn arn:aws:iam::0123456789:role/AdminCrossAccount --role-session-name=ecs-deployer | jq '.Credentials')
export AWS_ACCESS_KEY_ID=$(echo $AWS_DATA| jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo $AWS_DATA| jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo $AWS_DATA| jq -r '.SessionToken')
```
You can then use the following sample docker commands.
```
docker run \
--env AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION \
--env AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
--env AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
--env AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN \
smithmicro/ecs:latest create-cluster
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer not to show an unset here, even though it is good practice. It clutters the example IMHO.

```
7 changes: 7 additions & 0 deletions ecs-roles-cf.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,13 @@
],
"Resource": [
"arn:aws:ssm:*:*:parameter/*"
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:*:*:key/*"
}
]
}
]
Expand Down