
Feature #15051

Updated by Ward Vandewege over 5 years ago

Customer has a complex security policy that is too large to be assigned to an individual user account. The workaround is to give the user account permission to call AssumeRole (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) on an IAM role that carries the complete policy. AssumeRole returns temporary credentials for the desired role. Because they are temporary, they need to be periodically refreshed.

Add support to the arvados-dispatch-cloud (crunch-dispatch-cloud) EC2 driver to create a session with the primary credentials, then call AssumeRole to get temporary credentials (with a 3600 second lifetime), which will then be used for subsequent cloud interaction (create/list/destroy instances). Credentials will need to be auto-refreshed once an hour.

Check if the AWS Go SDK has any support for this usage pattern of establishing a session, switching to an alternate role, and performing auto-refresh.
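The refresh pattern the ticket asks for, as an added example that is not part of the ticket or of the Arvados code base: a credentials provider that caches the temporary credentials from AssumeRole and re-assumes the role shortly before they expire, so callers never hand an expired session token to EC2. It is written against the Go standard library only; the `fakeSTS` type is a constructed stand-in for the STS AssumeRole call, the role ARN is a placeholder, and the `AssumeRoleFunc`, `RefreshingProvider` and `Demo` names are this example's own. The 5-minute expiry window is a design choice: refreshing before the hard deadline avoids a request failing on a token that expires in flight.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Credentials holds the temporary credential set returned by AssumeRole.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}

// AssumeRoleFunc abstracts the STS AssumeRole call (hypothetical signature for this example).
type AssumeRoleFunc func(roleARN string, duration time.Duration, now time.Time) (Credentials, error)

// RefreshingProvider caches temporary credentials and re-assumes the role
// once they are within expiryWindow of expiring. Safe for concurrent use.
type RefreshingProvider struct {
	mu           sync.Mutex
	roleARN      string
	duration     time.Duration // requested lifetime; the ticket asks for 3600s
	expiryWindow time.Duration // refresh this long before the real expiry
	assume       AssumeRoleFunc
	now          func() time.Time // injectable clock so the refresh logic is testable
	cached       Credentials
	haveCreds    bool
}

func NewRefreshingProvider(roleARN string, duration, expiryWindow time.Duration,
	assume AssumeRoleFunc, now func() time.Time) *RefreshingProvider {
	if now == nil {
		now = time.Now
	}
	return &RefreshingProvider{roleARN: roleARN, duration: duration,
		expiryWindow: expiryWindow, assume: assume, now: now}
}

// isExpiredLocked treats credentials as expired once the expiry window has been entered.
func (p *RefreshingProvider) isExpiredLocked() bool {
	if !p.haveCreds {
		return true
	}
	return !p.now().Before(p.cached.Expiration.Add(-p.expiryWindow))
}

// IsExpired reports whether the next Get will call AssumeRole.
func (p *RefreshingProvider) IsExpired() bool {
	p.mu.Lock()
	defer p.mu.Unlock()
	return p.isExpiredLocked()
}

// Get returns cached credentials, refreshing them via AssumeRole when needed.
// On refresh failure the stale set is deliberately not returned.
func (p *RefreshingProvider) Get() (Credentials, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if !p.isExpiredLocked() {
		return p.cached, nil
	}
	creds, err := p.assume(p.roleARN, p.duration, p.now())
	if err != nil {
		return Credentials{}, fmt.Errorf("assume role %s: %w", p.roleARN, err)
	}
	if creds.SessionToken == "" {
		return Credentials{}, errors.New("AssumeRole returned credentials without a session token")
	}
	p.cached, p.haveCreds = creds, true
	return creds, nil
}

// fakeSTS is a constructed stand-in for STS: it mints a fresh token per call.
type fakeSTS struct{ Calls int }

func (s *fakeSTS) AssumeRole(roleARN string, duration time.Duration, now time.Time) (Credentials, error) {
	s.Calls++
	return Credentials{
		AccessKeyID:     fmt.Sprintf("ASIA-CONSTRUCTED-%d", s.Calls),
		SecretAccessKey: "constructed-secret",
		SessionToken:    fmt.Sprintf("constructed-session-token-%d", s.Calls),
		Expiration:      now.Add(duration),
	}, nil
}

// Demo walks a simulated hour: the second Get hits the cache, the third
// (59 minutes in, inside the 5-minute window) triggers a refresh. Returns STS call count.
func Demo() int {
	sts := &fakeSTS{}
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	p := NewRefreshingProvider("arn:aws:iam::000000000000:role/PLACEHOLDER", time.Hour,
		5*time.Minute, sts.AssumeRole, func() time.Time { return now })
	for _, offset := range []time.Duration{0, 30 * time.Minute, 59 * time.Minute} {
		now = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC).Add(offset)
		if _, err := p.Get(); err != nil {
			panic(err)
		}
	}
	return sts.Calls
}

func main() {
	fmt.Println("AssumeRole calls over the simulated hour:", Demo())
}
```

In the real driver the `assume` function would wrap the STS client's AssumeRole call and the provider would be consulted before every EC2 request rather than once at startup, which is what makes the hourly refresh transparent to the instance create/list/destroy paths.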
