  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-9674

Allow AssumeRole to be used with metadata authentication for AWS templates


    • Support backlog
    • 10

      Currently, using AssumeRole for authentication requires specifying AWS.ACCESS.KEY.ID and AWS.SECRET.ACCESS.KEY, and some environments do not allow that approach. Since AssumeRole is the recommended way to get multi-account access, it should be extended to work with "role_base" authentication.

      Supporting this auth mechanism requires changes in only a few places in the JavaScript:
      1. Add the following case between the "case 'role_base':" and "case 'assume_role':" blocks:

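                        case 'assume_role_role_based':
                          // Calls STS AssumeRole with the temporary credentials loaded by the
                          // 'role_base' branch, so no static AWS.ACCESS.KEY.ID /
                          // AWS.SECRET.ACCESS.KEY pair has to be configured.
                          ['sts_region', 'role_arn'].forEach(function (field) {
                            // typeof null is 'object', so null is rejected explicitly.
                            if (typeof params !== 'object' || params === null || typeof params[field] === 'undefined' || params[field] === '') {
                              throw 'Required param is not set: "' + field + '".';
                            }
                            AWS.params[field] = params[field];
                          });

                          // Run the existing 'role_base' handling first. Note that this
                          // rewrites auth_type on the caller's params object.
                          params['auth_type'] = 'role_base';
                          AWS.setParams(params);

                          AWS.params['auth_type'] = 'assume_role_role_based';
                          // NOTE(review): presumably 'role_base' stores the session token
                          // under 'Token'; confirm against that branch.
                          AWS.params['SessionToken'] = AWS.params['Token'];

                          // Declared with var so the names do not leak as implicit globals.
                          var role_arn_match = /role\/(.+)$/.exec(AWS.params.role_arn);
                          if (role_arn_match === null) {
                            // Without this check a malformed ARN fails with an opaque TypeError.
                            throw 'Invalid param "role_arn": expected an IAM role ARN containing "role/".';
                          }

                          // STS accepts only [\w+=,.@-] and at most 64 characters in
                          // RoleSessionName; a role ARN with a path would otherwise put '/'
                          // into the session name and the request would be rejected.
                          var role_session_name = (role_arn_match[1] + 'Session').replace(/[^\w+=,.@-]/g, '-').substring(0, 64);

                          var payload = {
                            'Action': 'AssumeRole',
                            'Version': '2011-06-15',
                            'RoleArn': AWS.params.role_arn,
                            'RoleSessionName': role_session_name
                          };

                          var credentials = AWS.getField(AWS.request('GET', AWS.params.sts_region, 'sts', AWS.prepareParams(payload), ''), 'AssumeRoleResponse.AssumeRoleResult.Credentials');

                          // Replace the 'role_base' credentials with the assumed-role ones;
                          // these are live secrets and should never be written to logs.
                          ['AccessKeyId', 'SecretAccessKey', 'SessionToken'].forEach(function (field) {
                            if (typeof credentials !== 'object' || credentials === null || typeof credentials[field] === 'undefined' || credentials[field] === '') {
                              throw 'Required credentials are not set: "' + field + '".';
                            }
                            AWS.params[field] = credentials[field];
                          });
                          break;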
      

      2. replace the following line:

      if (AWS.params.auth_type === 'role_base' || (AWS.params.auth_type === 'assume_role' & !params.includes('AssumeRole'))) {
      

      with

      if (AWS.params.auth_type === 'role_base' || AWS.params.auth_type === 'assume_role_role_based' || (AWS.params.auth_type === 'assume_role' & !params.includes('AssumeRole'))) {
      

            egordymov Evgenii Gordymov
            dotneft Alexey Pustovalov
            Team INT