Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Sprint:
      Sprint 1, Investigation Sprint, 4.1.0 Sprint 1, 4.1.0 Sprint 2

          Activity

          tjcramer Tim Cramer added a comment -

          Please add the work needed to productize this. It may include client tool support.

          sjones Steve Jones added a comment -

          The following IAM operations were added in 3.3.0:

          • CreateRole
          • DeleteRole
          • ListRoles
          • GetRole
          • UpdateAssumeRolePolicy
          • PutRolePolicy
          • GetRolePolicy
          • DeleteRolePolicy
          • ListRolePolicies
          • CreateInstanceProfile
          • GetInstanceProfile
          • AddRoleToInstanceProfile
          • RemoveRoleFromInstanceProfile
          • ListInstanceProfilesForRole
          • DeleteInstanceProfile
          • ListInstanceProfiles

          We need to add euare commands for each of the above actions; each command is not complex but there are quite a few of them. CreateRole, UpdateAssumeRolePolicy, and PutRolePolicy could have more complex UI to allow policy to be specified or could simply use a user-supplied JSON policy document (i.e. euare-useraddpolicy vs. euare-useruploadpolicy).

          We may want to better align the semantics of the metadata service iam credentials with AWS (EUCA-5788) in terms of how long we cache role credentials.

          Policy support for the iam:PassRole action was not implemented and needs to be added (EUCA-6432).

          Some cleanup of error messages is probably necessary; one example of this is EUCA-6411. This may be better handled as separate bugs than as part of any story.

          sjones Steve Jones added a comment -

          Forgot to add that the STS/tokens service does not currently support assume role policies, which we may want to add.

          Policy

          A supplemental policy that is associated with the temporary security credentials from the AssumeRole call. The resulting permissions of the temporary security credentials are an intersection of this policy and the access policy that is associated with the role. Use this policy to further restrict the permissions of the temporary security credentials.

          From:
          http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
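
          The intersection rule quoted in the comment above, as an added example that is not part of the original thread or of the Eucalyptus code. It is a simplified evaluator that ignores Condition, NotAction, NotResource and Principal; the policy documents, bucket name and function names are constructed for illustration.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    # IAM-style wildcards only: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """'Deny' on an explicit deny, 'Allow' if a statement allows, else None."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        # Action names compare case-insensitively; resource ARNs do not.
        if not any(_glob(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def session_allows(role_policy, session_policy, action, resource):
    """Allowed only if every policy in play allows and none explicitly denies."""
    policies = [role_policy] + ([session_policy] if session_policy else [])
    return all(evaluate(p, action, resource) == "Allow" for p in policies)

# Constructed sample documents (bucket name and paths are made up).
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::backups/*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
]}
SESSION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::backups/2013/*"},
    # Broader than the role: the intersection drops it.
    {"Effect": "Allow", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::backups/*"},
]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::backups/2013/db.tar"
    for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(action, session_allows(ROLE_POLICY, SESSION_POLICY, action, obj))
```

          A session policy can only narrow what the role grants: the s3:DeleteObject statement has no effect because the role's own policy never allows that action.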

          sjones Steve Jones added a comment -

          We also need to add support for JSON for role credentials from the EC2 instance meta-data service (EUCA-6782).


            People

            • Votes: 0
            • Watchers: 6