Enable Assume Role from Drone Pipeline Step #248
Comments
|
From my understanding you still need an access key and secret key for a specific user, human or "robot", to have some credentials to assume a role with. If you are self-hosting your Drone solution then this should work if the self-hosted Drone is on an EC2 Instance and assigning the instance a Role: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html Otherwise, if outside of AWS, without any credentials (Access + Secret Key) there is no way I know of to assume a role. |
|
Thanks for the answer 😄 The cross-account assuming of the target role works in other steps, so the trust relationship between the Drone instance profile role and the target role is in place. Did I get it right? The existence of an environment variable called |
|
Also, an interesting behavior I observed: any time I provide steps:
- name: restore-cache
image: meltwater/drone-cache
environment:
AWS_ACCESS_KEY_ID:
from_secret: <DRONE_SECRET_AWS_ACCESS_KEY_ID>
AWS_SECRET_ACCESS_KEY:
from_secret: <DRONE_SECRET_AWS_SECRET_ACCESS_KEY>
AWS_ASSUME_ROLE_ARN:
from_secret: <DRONE_SECRET_ROLE_ARN>
settings:
<SETTINGS>If I remove |
|
That's interesting and it should work, but perhaps we never added the feature of it being used within a self-hosted AWS environment after all. I've never seen the I'm wondering if this could also be a good reason to upgrade to Thanks for finding this issue, I will look into it. Edit: Fix would require changes to the following code block, as it seems to explicitly expect Access and Secret keys as opposed to realizing it's an EC2 instance with IAM roles assigned: https://github.com/meltwater/drone-cache/blob/master/storage/backend/s3/s3.go#L54-L69 |
|
@hec-hi out of curiosity, if you remove all the Wondering if there is something we can add to ensure it uses Instance Profiles if in EC2: |
|
@bdebyl thanks a lot for following up 😉 I ran a few combinations:
So it seems that in example 4) the plugin is able to use whatever IAM Role is attached to the Drone Host EC2 Instance. In the case that this Role has a Policy attached to it that allows communication with the S3 Bucket, it seems to work. That's already really nice, but means that any other unrelated pipelines running in this instance will in theory be able to write/read to that cache Bucket. I guess the desired behavior would be:
Does that make sense? 🙏 |
|
Yes that's what I was thinking. This way the IAM Role assigned to the EC2 instance could be limited, but the Role ARN to assume could include that S3 bucket. Ultimately this doesn't add any more security to the EC2 Role being able to read/write to that cache bucket as it could just assume the role to do so, but I guess this might as well be a nice-to-have. Should require changing the validation in the assume role code to not expect static creds (Access + Secret keys) |
|
Yes, I agree it doesn't add more security since a pipeline developer can still write/read to that bucket if the ARN of the role to assume is known. Nevertheless, as you said, it is nice to have the option of "hiding" the ARN from the developer while limiting the default EC2 Role to the least privilege. |
In my DroneCI Pipeline, I am able to use drone-cache when providing IAM User credentials directly as environment variables.
Example:
Due to compliance reasons, I would like to assume a role instead:
I see something in that direction was already implemented in #142 , but setting the environment variable
AWS_ASSUME_ROLE_ARNdid not seem to work out-of-the-box for me.I get
EmptyStaticCreds: static credentials are empty.Maybe this is already implemented, and I am just missing something 😄
Thanks in advance!
The text was updated successfully, but these errors were encountered: