Feature #15051
Updated by Peter Amstutz about 5 years ago
Customer has a complex security policy that is too large to be assigned to individual user account. The workaround is to give the user account permission to use AssumeRole (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) to an IAM role with the complete policy. This returns temporary credentials with the desired role. Because they are temporary, they need to be periodically refreshed.
Add support to the crunch-dispatch-cloud EC2 driver to create a session with the primary credentials, then call AssumeRole to get temporary credentials (with a 3600 second lifetime), which will then be used for subsequent cloud interaction (create/list/destroy instances). Credentials will need to be auto-refreshed once an hour.
Check if the AWS Go SDK has any support support this usage pattern of establishing a session, switching to an alternate role, and performing auto-refresh.