S3 actions and IAM roles

Hi.

I was wondering if there was a way to use AWS IAM roles with the S3 actions.

There isn’t any help on the S3 actions, and I haven’t found any references to IAM roles in the FinalBuilder forum.

If this is something that is not supported can you please let me know.

Thanks,
Bruce Palmer.

We don’t have any specific support for working with IAM roles.

Looking at the S3 sdk doco, I don’t see much in the way of IAM features when working with buckets. What are you looking to do?

Hi,

Our security team want to move away from access keys, which need to be periodically rotated, and use IAM roles instead.

I’m new to IAM roles, and still trying to figure them out, and I’m trying to clarify if FinalBuilder scripts that use S3 and EC2 actions will work using IAM roles.

For example, in an S3 action, if I leave the access key and secret key fields empty will the action pick up the role from the OS?

(To clarify further, our build machines that run Continua and FinalBuilder are EC2 instances.)

Thanks.

TBH I have no idea; we use the aws .net sdk, so I guess it would be up to them on that.

I checked the actions and we don’t make the access key a required field, and I checked the AmazonS3Client sdk object and can’t see anything we need to configure for IAM roles.

We will need to learn more about IAM roles and create an environment so we can test this, since you already have an environment it shouldn’t be too difficult to test.

Okay, thanks Vincent.

I will create a test FinalBuilder script and try it out in our build environment later this week. I will report back here with the results.


Hi Vincent.

I created an IAM role on our server. I confirmed that I can use the AWS CLI to list the contents of an S3 bucket without specifying an access key. The CLI picks up the IAM role from the OS.

I created a test FinalBuilder script with an S3 task to list the contents of the same bucket.

First I tried it with a valid access key and secret key, and it worked.

Next I cleared the access key and secret key fields, and it failed with an access denied error.

Then I tried invoking the AWS CLI from the FinalBuilder script using an Execute Program task, and without an access key, and it worked.

My conclusion from this is that the code behind the S3 tasks does not fall back to IAM roles if the access key and secret key are missing.

So a workaround is to invoke the AWS CLI from the FinalBuilder script. This should work, but requires modifying eight scripts and is not as convenient as using the S3 tasks.

I was unable to perform a similar test with an EC2 task because for these tasks the access key and secret key are required. Without them the script fails validation and won't run.

Is there any possibility that you could update the S3 and EC2 tasks so that they can work with IAM roles?

Regards,

Bruce

I will investigate this further, from my cursory look yesterday I couldn’t see anything with the aws .net sdk that would enable this.

I may have found a way - using FallbackCredentialsFactory.GetCredentials() - I will upload a build for you to try shortly.


Please try this build.

https://downloads.finalbuilder.com/downloads/finalbuilder/800/FB800_3341.exe

For the S3 actions, if the AccessKey is empty, it will use the FallbackCredentialsFactory which will use default credentials in your EC2 user profile.

Still need to investigate how to do this for the EC2 actions, which are written in javascript and use the rest api.
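The credential fallback described in this post, and the behaviour Bruce tested earlier (explicit keys work; empty keys should pick up the instance role), as an added C# example. This is not FinalBuilder's code: it assumes the AWSSDK.S3 NuGet package, a placeholder bucket name, and the us-east-1 region, and it uses the same Amazon.Runtime.FallbackCredentialsFactory.GetCredentials() call from the post, which resolves the SDK's default credential chain (environment variables, shared credentials file, then the EC2 instance profile).

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;

// Added example, not FinalBuilder's own code. Shows how an S3 action can
// run without long-lived keys: when the AccessKey field is empty, fall back
// to the SDK's default credential chain, which on an EC2 build machine ends
// at the instance profile (the IAM role attached to the instance).
static class S3RoleExample
{
    // Returns explicit credentials when an access key was supplied,
    // otherwise the default chain (this is the FallbackCredentialsFactory
    // behaviour mentioned in the post).
    public static AWSCredentials ResolveCredentials(string accessKey, string secretKey)
    {
        if (string.IsNullOrWhiteSpace(accessKey))
        {
            return FallbackCredentialsFactory.GetCredentials();
        }
        return new BasicAWSCredentials(accessKey, secretKey);
    }

    // Lists every object key in the bucket and returns the count.
    public static async Task<int> ListBucketAsync(
        string bucket, string accessKey, string secretKey, RegionEndpoint region)
    {
        AWSCredentials creds = ResolveCredentials(accessKey, secretKey);
        using var client = new AmazonS3Client(creds, region);

        var request = new ListObjectsV2Request { BucketName = bucket };
        int count = 0;
        ListObjectsV2Response response;
        do
        {
            response = await client.ListObjectsV2Async(request);
            foreach (S3Object obj in response.S3Objects)
            {
                Console.WriteLine($"{obj.Key}\t{obj.Size}");
                count++;
            }
            // Follow pagination until the listing is complete.
            request.ContinuationToken = response.NextContinuationToken;
        } while (response.IsTruncated == true);

        return count;
    }

    public static async Task Main(string[] args)
    {
        // Placeholder bucket name (assumption); pass your own as the first argument.
        string bucket = args.Length > 0 ? args[0] : "example-bucket-placeholder";

        try
        {
            // Empty key fields: credentials come from the instance role, not from keys.
            int n = await ListBucketAsync(bucket, accessKey: "", secretKey: "", RegionEndpoint.USEast1);
            Console.WriteLine($"{n} objects listed using credentials from the default chain.");
        }
        catch (AmazonS3Exception ex) when (ex.ErrorCode == "AccessDenied")
        {
            // This is the "access denied" outcome from the thread: either no role is
            // attached to the instance, or the role lacks s3:ListBucket on this bucket.
            Console.Error.WriteLine("AccessDenied: check the instance role and its s3:ListBucket permission.");
        }
    }
}
```

Two things worth checking when the fallback is in place: the role attached to the build instance needs only the S3 permissions the scripts actually use (s3:ListBucket here), and the build machine's instance metadata service must be reachable from the FinalBuilder process, since that is where the default chain obtains the role's temporary credentials.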

Hi Vincent,

That build now works for S3 actions. Nicely done.

Fingers crossed you can figure it out for EC2 actions.

Regards,
Bruce

That’s good news.

The bad news is for the EC2 actions it’s going to take a while. Those actions use the rest api, and so far I have not found a way to do this using javascript (still looking, but it’s a rabbit hole).

So to fix this, we will likely need to re-implement the actions using the sdk rather than the rest api (the sdk wasn’t available when we originally created these actions). As you can probably imagine, this is a significant amount of work (29 actions) and will need some serious testing to ensure we don’t break anything.

I can’t give an ETA right now but my guess is it will be several weeks at least before we can even start on this.

Hi Vincent,

The win with the S3 actions is the most significant, and means very minor changes to seven build scripts.

Only one build script uses EC2 actions (EC2 Change Instance and EC2 WaitFor) and I think we can handle those for now by invoking the AWS CLI.

Thank you for such a prompt response to my questions. It’s greatly appreciated.

Regards,
Bruce
