Feature #15051
Updated by Ward Vandewege over 5 years ago
Customer has a complex security policy that is too large to be assigned to individual user account. The workaround is to give the user account permission to use AssumeRole (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) to an IAM role with the complete policy. This returns temporary credentials with the desired role. Because they are temporary, they need to be periodically refreshed. Add support to the arvados-dispatch-cloud crunch-dispatch-cloud EC2 driver to create a session with the primary credentials, then call AssumeRole to get temporary credentials (with a 3600 second lifetime), which will then be used for subsequent cloud interaction (create/list/destroy instances). Credentials will need to be auto-refreshed once an hour. Check if the AWS Go SDK has any support support this usage pattern of establishing a session, switching to an alternate role, and performing auto-refresh.