Boxuan996 (Contributor)
Description of changes:

  • Implement AWS STS assume-role to obtain short-term credentials
  • Store credentials in environment variables for AWS CLI usage
  • Update CloudWatch Agent configuration to use temporary credentials
  • Improve security by eliminating long-term IAM user credentials

The change uses the CodeBuild execution role to generate temporary
credentials with a 1-hour duration, enhancing security through
credential rotation.
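A hardened version of the flow the description outlines, added here as an example and not code from the PR or the repository. It keeps the PR's variable name `Code_Build_Execution_Role_ARN`, the `[AmazonCloudWatchAgent]` profile section and the `uuidgen` session name; the helper names (`require_var`, `parse_sts_credentials`, `assume_execution_role`, `write_agent_credentials`) are assumptions. It checks the exit status of `aws sts assume-role` directly, refuses to export a partial credential triple, and creates the credentials file with owner-only permissions before any secret is written to it.

```shell
#!/bin/sh
# Added example, not code from the PR: a hardened version of the assume-role
# flow described in the PR. It keeps the PR's variable name and agent profile
# section; the helper names are illustrative assumptions.
set -eu

# Fail with a clear message when the named variable is unset or empty
# (otherwise an empty --role-arn reaches the CLI and fails cryptically).
require_var() {
    eval "require_var_value=\${$1:-}"
    if [ -z "$require_var_value" ]; then
        echo "Error: $1 is not defined" >&2
        return 1
    fi
}

# Parse the single tab-separated line that
#   aws sts assume-role --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# prints, and export the three standard AWS_* variables. Fails if any field
# is missing or an extra field is present, instead of exporting blanks.
parse_sts_credentials() {
    sts_line="$1"
    tab="$(printf '\t')"
    # Split on tabs only; -r keeps any backslash in a token literal.
    IFS="$tab" read -r sts_key sts_secret sts_token sts_extra <<EOF
$sts_line
EOF
    if [ -z "$sts_key" ] || [ -z "$sts_secret" ] || [ -z "$sts_token" ] || [ -n "$sts_extra" ]; then
        echo "Error: unexpected assume-role output" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$sts_key"
    export AWS_SECRET_ACCESS_KEY="$sts_secret"
    export AWS_SESSION_TOKEN="$sts_token"
}

# Obtain short-term credentials from the execution role. The exit status of
# the aws call is checked directly rather than inferred from empty output.
assume_execution_role() {
    require_var Code_Build_Execution_Role_ARN || return 1
    if ! sts_out="$(aws sts assume-role \
            --role-arn "$Code_Build_Execution_Role_ARN" \
            --role-session-name "session-$(uuidgen)" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text \
            --duration-seconds 3600)"; then
        echo "Error: aws sts assume-role failed" >&2
        return 1
    fi
    parse_sts_credentials "$sts_out"
}

# Write the agent's credentials file so that only the owner can read it.
# The file is (re)created under a 077 umask before any secret is written,
# so it is never readable by other users, even briefly. Prints the path.
write_agent_credentials() {
    creds_dir="$1"
    creds_file="$creds_dir/credentials"
    mkdir -p "$creds_dir"
    chmod 700 "$creds_dir"
    rm -f "$creds_file"
    (umask 077 && : > "$creds_file")
    printf '[AmazonCloudWatchAgent]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
        "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_SESSION_TOKEN" > "$creds_file"
    printf '%s\n' "$creds_file"
}
```

In the layout the PR uses, `assume_execution_role` would replace the assume-role block in bin/run-integ-tests.sh and `write_agent_credentials ./.aws` the `echo ... > ./.aws/credentials` in bin/start-agent.sh. Splitting the parse step out lets the field check be tested against constructed CLI output without network access.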

@Boxuan996 Boxuan996 force-pushed the boxuan-replace-user-with-role branch 9 times, most recently from 0143ab5 to 4aca3d3 on February 11, 2025 21:35
@Boxuan996 Boxuan996 force-pushed the boxuan-replace-user-with-role branch from 4aca3d3 to a604315 on February 12, 2025 18:01
@Boxuan996 Boxuan996 merged commit 7b14949 into awslabs:master Feb 12, 2025
1 check passed
@hussam789

PR Code Suggestions ✨

Category: Possible issue
Suggestion: Validate role ARN exists

The script doesn't check if $Code_Build_Execution_Role_ARN is defined before
using it. If this variable is not set, the assume-role command will fail with a
cryptic error. Add a check to verify this variable exists.

bin/run-integ-tests.sh [25-34]

 # Store the AWS STS assume-role output and extract credentials
+if [ -z "$Code_Build_Execution_Role_ARN" ]; then
+    echo "Error: Code_Build_Execution_Role_ARN is not defined"
+    exit 1
+fi
+
 CREDS=$(aws sts assume-role \
     --role-arn $Code_Build_Execution_Role_ARN \
     --role-session-name "session-$(uuidgen)" \
     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
     --output text \
     --duration-seconds 3600)
 
 # Parse the output into separate variables
 read AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< $CREDS
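Review bot: `--role-arn $Code_Build_Execution_Role_ARN` in the assume-role call is still unquoted; write `--role-arn "$Code_Build_Execution_Role_ARN"` so the CLI receives exactly one argument whatever the value contains. The new `-z` test only catches an unset variable, so a wrong or unassumable ARN still passes it and the real failure signal is the exit status of the command itself, which this hunk does not check (`CREDS=$(aws sts assume-role ...) || exit 1` would). The final `read ... <<< $CREDS` should quote the here-string (`<<< "$CREDS"`) and use `read -r` for the same reason.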
Suggestion importance (1-10): 8

Why: The suggestion adds a necessary check to ensure that Code_Build_Execution_Role_ARN is defined before it is used, preventing a potential failure in the aws sts assume-role command.

Impact: Medium

Suggestion: Check command success

The script doesn't check if the aws sts assume-role command succeeded before
using its output. If the command fails, $CREDS will be empty and the credentials
will be unset. Add error handling to check the command's exit status.

bin/run-integ-tests.sh [33-34]

 # Parse the output into separate variables
+if [ -z "$CREDS" ]; then
+    echo "Error: Failed to assume role. Check if the role exists and you have permission to assume it."
+    exit 1
+fi
 read AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< $CREDS
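Review bot: The added test checks whether `$CREDS` is empty, not whether the command succeeded as the suggestion text says; the two differ when the CLI exits non-zero but still writes something to stdout. Check the exit status where the command runs (`if ! CREDS=$(aws sts assume-role ...); then echo "..." >&2; exit 1; fi`) and keep the emptiness test as a secondary guard. The `read` line should also confirm that all three fields were populated, e.g. `[ -n "$AWS_SESSION_TOKEN" ] || exit 1`, because a truncated or malformed response would otherwise export an incomplete credential set without any error.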
Suggestion importance (1-10): 8

Why: Adding error handling to verify that the aws sts assume-role command succeeded before parsing its output enhances the script's reliability and prevents further errors in cases of failure.

Impact: Medium

Suggestion: Ensure directory exists

The script doesn't check if the .aws directory exists before writing to it. If
this directory doesn't exist, the credentials file creation will fail. Add a
check to create the directory if it doesn't exist.

bin/start-agent.sh [22-26]

+# Ensure .aws directory exists
+mkdir -p ./.aws
+
 echo "[AmazonCloudWatchAgent]
 aws_access_key_id = $AWS_ACCESS_KEY_ID
 aws_secret_access_key = $AWS_SECRET_ACCESS_KEY
 aws_session_token = $AWS_SESSION_TOKEN
 " > ./.aws/credentials
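Review bot: `mkdir -p ./.aws` fixes the missing directory but leaves the mode of `./.aws/credentials` to the default umask, so the session token written by the `echo` may be readable by other users on the build host. Create the file with owner-only permissions before the secret is written, e.g. `install -m 600 /dev/null ./.aws/credentials` or `(umask 077; : > ./.aws/credentials)` ahead of the `echo`, and `chmod 700 ./.aws` after the `mkdir`. Also, `./.aws` is relative to the working directory of bin/start-agent.sh; making the location explicit (an absolute path or `$HOME/.aws`) avoids the script and the agent disagreeing on where the file lives.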
Suggestion importance (1-10): 6

Why: By ensuring that the .aws directory exists before writing the credentials file, the suggestion improves the robustness of the script, though the impact is relatively minor.

Impact: Low
