Arvados

Customer has a complex security policy that is too large to be assigned to individual user account. The workaround is to give the user account permission to use AssumeRole (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) to an IAM role with the complete policy. This returns temporary credentials with the desired role. Because they are temporary, they need to be periodically refreshed.

Add support to the arvados-dispatch-cloud EC2 driver to create a session with the primary credentials, then call AssumeRole to get temporary credentials (with a 3600 second lifetime), which will then be used for subsequent cloud interaction (create/list/destroy instances). Credentials will need to be auto-refreshed once an hour.

Check if the AWS Go SDK has any support support this usage pattern of establishing a session, switching to an alternate role, and performing auto-refresh.

https://docs.aws.amazon.com/sdk-for-go/api/aws/session/

Assume Role values allow you to configure the SDK to assume an IAM role using a set of credentials provided in a config file via the source_profile field. Both "role_arn" and "source_profile" are required.

Internally to the SDK, I think this involves setting up "chained credentials" and then setting that on the aws.Config struct used to initialize the session:

https://docs.aws.amazon.com/sdk-for-go/api/aws/credentials/