Allow AWS temporary credentials with session tokens #958
I 100% must use temporary creds with nixops and so require this to be merged, so I figured I would review. Looks ok to me fwiw.
Can confirm this works with creds on a temporarily assumed role.
While this works for deployment I suspect there may be a codepath that has been missed, as I get the same 401 error I got without this patch when trying to delete an ec2 keypair:
Hi @Nekroze, I hope you find this PR useful. We use it on a fork of nixops. Looking at the Using the same temporary credentials with awscli, are you able to run `aws ec2 delete-key-pair`?
Very, thanks for making it. I really hope it lands soon.
Indeed I can. I am getting this on
It seems quite important to get this merged. Until then, Nixops is broken for AWS if you follow Amazon's recommended way of setting up your users and roles.
Sadly I do not think this branch is quite ready for merge; last I used it, various operations still failed and did not seem to be utilizing the keys. From memory things like doing a I have since switched to using Hashicorp Vault to generate users dynamically, so I get a similar kind of thing to the STS sessions but nixops does not complain... so I am not so up to date with what works with this branch and what does not for now.
Hello! Thank you for this PR. In the past several months, some major changes have taken place in
This is all accumulating in to what I hope will be a NixOps 2.0 My hope is that by adding types and more thorough automated testing, However, because of the major changes, it has become likely that this If you would like to see this merge, please bring it up to date with Thank you again for the work you've done here, I am sorry to be Graham
Thanks @grahamc
This allows passing the session token of AWS temporary credentials to boto. This helps when the AWS credentials came from assuming a role or using a MFA token.
I just hacked this up now and it works for my ec2/route53 test. If the approach seems right to you, I can add some documentation and check that the use case of #938 can work by specifying an empty access_key_id.
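The description above explains the mechanism without showing it: temporary credentials from STS (an assumed role, or an MFA-backed session) consist of an access key ID, a secret key and a session token, and the token has to travel with the other two into boto or every signed request is rejected. The following is an added example written for this page; it is not code from nixops or from this PR, and the function names (`resolve_credentials`, `boto_connection_kwargs`, `CredentialError`), the constructed credentials file and the placeholder key values are all assumptions made for illustration. It resolves credentials the way awscli does (environment first, then a profile in the shared credentials file), refuses temporary keys that arrive without their token, and builds the keyword arguments for a boto connection. An empty `AWS_ACCESS_KEY_ID` falls through to the credentials file, which is one way the empty `access_key_id` case mentioned in the description could be handled.

```python
import configparser
import os

# Constructed sample shared-credentials file. The key values are placeholders,
# not real AWS credentials. The "assumed-role" profile holds STS-style
# temporary credentials, which carry a session token; "default" holds
# long-lived IAM user credentials, which do not.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLELONGLIVED
aws_secret_access_key = long-lived-secret-placeholder

[assumed-role]
aws_access_key_id = ASIAEXAMPLETEMPORARY
aws_secret_access_key = temporary-secret-placeholder
aws_session_token = session-token-placeholder
"""


class CredentialError(Exception):
    """Raised when the resolved credentials cannot possibly authenticate."""


def resolve_credentials(profile="default", environ=None,
                        credentials_text=SAMPLE_CREDENTIALS_FILE):
    """Return {access_key_id, secret_access_key, session_token} for `profile`.

    Precedence follows awscli: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY /
    AWS_SESSION_TOKEN from the environment win when the access key ID is
    non-empty; otherwise the named profile of the shared credentials file is
    used. session_token is None for long-lived keys.
    """
    environ = os.environ if environ is None else environ
    if environ.get("AWS_ACCESS_KEY_ID"):
        creds = {
            "access_key_id": environ["AWS_ACCESS_KEY_ID"],
            "secret_access_key": environ.get("AWS_SECRET_ACCESS_KEY"),
            "session_token": environ.get("AWS_SESSION_TOKEN") or None,
        }
    else:
        parser = configparser.ConfigParser()
        parser.read_string(credentials_text)
        if not parser.has_section(profile):
            raise CredentialError("no profile %r in credentials file" % profile)
        section = parser[profile]
        creds = {
            "access_key_id": section.get("aws_access_key_id"),
            "secret_access_key": section.get("aws_secret_access_key"),
            "session_token": section.get("aws_session_token") or None,
        }

    if not creds["access_key_id"] or not creds["secret_access_key"]:
        raise CredentialError("incomplete credentials for profile %r" % profile)

    # Access key IDs issued by STS start with "ASIA" and are only valid
    # together with their session token. Dropping the token is exactly the
    # mistake that makes every request fail authentication, so catch it here
    # instead of discovering it one API call at a time.
    if creds["access_key_id"].startswith("ASIA") and not creds["session_token"]:
        raise CredentialError(
            "temporary credentials (ASIA...) require aws_session_token")
    return creds


def boto_connection_kwargs(creds):
    """Keyword arguments for a boto 2 connect_* call.

    boto 2 names the token `security_token` (boto3 calls the same thing
    `aws_session_token`). It is only added when present, so one code path
    serves long-lived and temporary credentials alike.
    """
    kwargs = {
        "aws_access_key_id": creds["access_key_id"],
        "aws_secret_access_key": creds["secret_access_key"],
    }
    if creds["session_token"]:
        kwargs["security_token"] = creds["session_token"]
    return kwargs


if __name__ == "__main__":
    for name in ("default", "assumed-role"):
        print(name, boto_connection_kwargs(resolve_credentials(name, environ={})))
```

The ASIA check is the part worth keeping in a real deployment tool: a tool that forwards only the key ID and secret from a temporary credential set will pass this check's negative case and then fail on every call, which is the symptom described in this thread. Any code path that builds its own connection (the EC2 key pair deletion mentioned above, for instance) needs to go through the same kwargs builder rather than constructing the connection from the two long-lived fields.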