Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

To fix the issue when it use assume role to create EC2 instance #52572

Closed
wants to merge 16 commits into from
Closed

To fix the issue when it use assume role to create EC2 instance #52572

wants to merge 16 commits into from

Conversation

changyong
Copy link

@changyong changyong commented Apr 17, 2019
edited
Loading

What does this PR do?

To fix the issue when it use assume role to create AWS resources in another AWS account. The issue in #52501 is because when the variable __Expiration__ isn't equal to '', it will always return from the function directly. It won't have chance to execute provider.get('role_arn') and then get credential from assume role again.

What issues does this PR fix or reference?

Fix #52501

Tests written?

No

Commits signed with GPG?

No

waynew
waynew reviewed Apr 17, 2019
View reviewed changes
salt/utils/aws.py Outdated Show resolved Hide resolved
@waynew @changyong
Update salt/utils/aws.py
677ebc2 
agree, this should be better.

Co-Authored-By: changyong <[email protected]>
dwoz
dwoz reviewed Apr 18, 2019
View reviewed changes
Copy link
Contributor

@dwoz dwoz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@changyong Is there test coverage for this change?

@changyong
Copy link
Author

@dwoz I didn't write test code but tested it manually:

I executed following three test cases to verify the code changes and all the tests pass, it can create EC2 instances successfully:

  1. Run salt-cloud to create EC2 through AWS access id and key.

provider settings:

test52501-id-key-provider:
  id: 'XXXXXXXXXXXXXXXXXXXX'
  key: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
  driver: ec2
  private_key: /home/ychang/.ssh/dummy.pem
  keyname: dummy
  location: eu-central-1
  del_all_vols_on_destroy: True

output logs:

test52501-id-key-provider.log

  1. Run salt-cloud to create EC2 through instance role in the same account.

provider settings:

test52501-instance-role-provider:
  id: 'use-instance-role-credentials'
  key: 'use-instance-role-credentials'
  driver: ec2
  private_key: /home/ychang/.ssh/dummy.pem
  keyname: dummy
  location: eu-central-1
  del_all_vols_on_destroy: True

output logs:

test52501-instance-role-provider.log

  1. Run salt-cloud to create EC2 through assume role in another account.

provider settings:

test52501-assume-role-provider:
  id: 'use-instance-role-credentials'
  key: 'use-instance-role-credentials'
  role_arn: 'arn:aws:iam::111111111111:role/salt-cloud-cross-account'
  driver: ec2
  private_key: /home/ychang/.ssh/dummy.pem
  keyname: dummy
  location: eu-central-1
  del_all_vols_on_destroy: True

output logs:

test52501-assume-role-provider.log

The test-profile.conf profile file context is:

test52501-id-key-profile:
  provider: test52501-id-key-provider
  image: ami-0d60b7af1abf4434d
  ssh_username: ec2-user
  ssh_interface: private_ips
  location: eu-central-1
  subnetid: subnet-41b7d529
  securitygroupid:
    - sg-933ef6fb
  minion:
    master: 10.115.64.253
    hash_type: sha512
    file_roots:
      base:
        - /opt/salt/base
    pillar_roots:
      base:
        - /opt/salt/pillar
  script_args: -C
  size: t3.small
test52501-instance-role-profile:
  provider: test52501-instance-role-provider
  image: ami-0d60b7af1abf4434d
  ssh_username: ec2-user
  ssh_interface: private_ips
  location: eu-central-1
  subnetid: subnet-41b7d529
  securitygroupid:
    - sg-933ef6fb
  minion:
    master: 10.115.64.253
    hash_type: sha512
    file_roots:
      base:
        - /opt/salt/base
    pillar_roots:
      base:
        - /opt/salt/pillar
  script_args: -C
  size: t3.small
test52501-assume-role-profile:
  provider: test52501-assume-role-provider
  image: ami-09def150731bdbcc2
  ssh_username: ec2-user
  ssh_interface: private_ips
  location: eu-central-1
  subnetid: subnet-0f4e4dc3b1dfab30a
  securitygroupid:
    - sg-05949256929b1ab99
  minion:
    master: 10.115.64.253
    hash_type: sha512
    file_roots:
      base:
        - /opt/salt/base
    pillar_roots:
      base:
        - /opt/salt/pillar
  script_args: -C
  size: t3.small

BTW, I replaced some sensitive info in the settings and logs.

@changyong changyong requested a review from a team as a code owner July 30, 2019 03:51
@ghost ghost requested a review from Akm0d July 30, 2019 03:51
@changyong changyong closed this Jan 15, 2020
@major0 major0 mentioned this pull request Mar 4, 2021
Open
@major0
Copy link
Contributor

major0 commented Mar 4, 2021

Issue #52501 is still broken (not certain why it was closed) and this fix is still applicable. Was there any particular approach to a unit test that was needed to get this merged? I am currently impacted by this across 5 AWS accounts.

@thebluesnevrdie
Copy link
Contributor

I am also interested in seeing this moving forward as it will affect me soon.

@changyong changyong reopened this Mar 8, 2021
@twangboy
Copy link
Contributor

twangboy commented Mar 9, 2021

@changyong In order for this to get in it needs to be rebased against the master branch and it needs to have tests written for it.

@Ch3LL Ch3LL added the Needs-Testcase PR needs test cases written, or the issue is about a bug/feature that needs test cases label Mar 30, 2021
@sagetherage
Copy link
Contributor

@major0 let's rebase this against master and write some tests, are you willing to help?

@sagetherage
Copy link
Contributor

Discussed in Grooming on 2021-APR-05 and 2021-APR-19 and followed up with @major0 about closing this PR. I will wait 2 more weeks and if no response or work I will close.

@sagetherage sagetherage removed the request for review from a team April 19, 2021 17:55
@sagetherage sagetherage added this to the Blocked milestone Apr 19, 2021
@sagetherage sagetherage added the develop Pointing to develop branch; needs rebase label Apr 19, 2021
@sagetherage
Copy link
Contributor

Reviewed in Grooming 2021-MAY-03 keeping it open for @major0, needs test coverage and rebased against master branch, removing from grooming project

@sagetherage sagetherage added the boto AWS wrapper modules label May 12, 2021
@tyhunt99
Copy link

Has anyone had a chance on getting the test required to merge this in? It would be a super nice fix to have.

@Ch3LL
Copy link
Contributor

Ch3LL commented Nov 7, 2022

Anyone willing to push this PR to completion?

@Ch3LL
Copy link
Contributor

Ch3LL commented Nov 21, 2022

Closing due to inactivity. Please let me know if you want me to re-open this PR or open a new PR against the master branch including the feedback in the PR

@Ch3LL Ch3LL closed this Nov 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@waynew waynew waynew left review comments

@dwoz dwoz dwoz left review comments

@Akm0d Akm0d Awaiting requested review from Akm0d

Assignees

@major0 major0

Labels
boto AWS wrapper modules develop Pointing to develop branch; needs rebase Needs-Testcase PR needs test cases written, or the issue is about a bug/feature that needs test cases pending-close Reviewers-Assigned
Projects
None yet
Milestone
Blocked
Development

Successfully merging this pull request may close these issues.
9 participants
@changyong @major0 @thebluesnevrdie @twangboy @sagetherage @tyhunt99 @Ch3LL @waynew @dwoz