Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Security Level: Public (Anonymously viewable)
    • Labels:
      None
    • Sprint:
      Sprint 1, Investigation Sprint
    • Scoping Version:
    • Rank:
      10275

      Issue Links

        Activity

        Tim Cramer added a comment -

        Please add the work needed to productize this. It may include client tool support.

        Steve Jones added a comment -

        The following IAM operations were added in 3.3.0:

        • CreateRole
        • DeleteRole
        • ListRoles
        • GetRole
        • UpdateAssumeRolePolicy
        • PutRolePolicy
        • GetRolePolicy
        • DeleteRolePolicy
        • ListRolePolicies
        • CreateInstanceProfile
        • GetInstanceProfile
        • AddRoleToInstanceProfile
        • RemoveRoleFromInstanceProfile
        • ListInstanceProfilesForRole
        • DeleteInstanceProfile
        • ListInstanceProfiles

        We need to add euare commands for each of the above actions. Each command is not complex, but there are quite a few of them. CreateRole, UpdateAssumeRolePolicy, and PutRolePolicy could have a more complex UI to allow the policy to be specified, or could simply use a user-supplied JSON policy document (i.e. euare-useraddpolicy vs. euare-useruploadpolicy).

        We may want to better align the semantics of the metadata service iam credentials with AWS (EUCA-5788) in terms of how long we cache role credentials.

        Policy support for the iam:PassRole action was not implemented and needs to be added (EUCA-6432).

        Some cleanup of error messages is probably necessary; one example of this is EUCA-6411. This may be better handled as separate bugs than as part of any story.

        Steve Jones added a comment -

        Forgot to add that the STS/tokens service does not currently support assume role policies, which we may want to add.

        Policy

        A supplemental policy that is associated with the temporary security credentials from the AssumeRole call. The resulting permissions of the temporary security credentials are an intersection of this policy and the access policy that is associated with the role. Use this policy to further restrict the permissions of the temporary security credentials.

        From:
        http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
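
Added example (not part of the original comment and not Eucalyptus or AWS code): a simplified model of the intersection rule quoted above from the AssumeRole documentation. The policy documents are constructed, and the evaluator is an assumption that covers only Effect, Action and Resource with wildcards; conditions and other policy elements are left out.

```python
import re

def _match(pattern, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'NoMatch' for one policy document."""
    decision = "NoMatch"
    for stmt in _as_list(policy["Statement"]):
        # Action names are compared case-insensitively, resources exactly.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(_match(a, action.lower()) for a in actions):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        decision = "Allow"
    return decision

def session_allows(role_policy, session_policy, action, resource):
    """Temporary credentials may do only what BOTH policies allow.

    session_policy is the optional Policy parameter of AssumeRole;
    None means the caller passed no supplemental policy.
    """
    decisions = [policy_decision(role_policy, action, resource)]
    if session_policy is not None:
        decisions.append(policy_decision(session_policy, action, resource))
    return all(d == "Allow" for d in decisions)

# Constructed sample documents (hypothetical bucket name).
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::backups/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}
SESSION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:RunInstances"],
     "Resource": "*"},
]}
```

The session policy can only narrow the role: `ec2:RunInstances` appears in the session policy but is still refused because the role's access policy never grants it.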

        Steve Jones added a comment -

        We also need to add support for JSON for role credentials from the EC2 instance meta-data service (EUCA-6782).


          People

          • Votes:
            0
            Watchers:
            6
