WIP: Allow clients to pass in session tags #9035
Conversation
castrapel
commented
Mar 17, 2021
castrapel
commented
- Allows clients (such as weep) to pass in metadata to be included in session tags
- Sanitizes tags in accordance with AWS session tag specifications - https://github.com/Netflix/consoleme/compare/session_tag_support?expand=1
- Adds a configurable prefix to user-submitted session tags, to prevent overriding tags on the IAM principal
|
Hi @castrapel , let me know if this should be a separate issue, but was wondering if support for transitive tags and external id might be able to be slipped in here as well. Doing some R&D on what'd it'd take to get up and running with ConsoleMe/Weep in a multi Org scenario (with support for session tagging and external ids) and came across this WIP PR. Thanks! |
|
Hey @deric4 ! Transitive tags can be scary, especially if we're trusting a user to supply these tags. They could be used to bypass any tagging authorization checks since policies will not differentiate between these and actual tags on the IAM principal. How would you envision using session tags? As for external ID, I believe we can allow a user to specify that for when ConsoleMe assumes a role. Is that how you'd imagine it being used? Because this could be inconvenient for the user if they need to specify an external ID each time they want to get credentials via Weep. Another option (Though I believe this introduces a security risk) - Would you imagine this being stored in ConsoleMe as part of its configuration or dynamic configuration? IE: "Whenever an authorized user gets credential for role arn:aws:..:role/X, then use this external ID". If this were stored in dynamic configuration, anyone who is a "consoleme admin" for their deployment could see the external IDs. Maybe that's acceptable. |
The main driver behind the use of session tags would be able to "run as" feature in ssm sessions where the user may have to potentially assume-role 1 or 2 account levels deep after initial authentication. Transitive tags may not be the solution here, but trying to see how far we push things implementing a similar workflow as described here and what might happen if we threw ConsoleMe/Weep in there 🙃 Not my post but came across this which might be give a better idea of what I'm trying to say in a simpler example lol: https://forums.aws.amazon.com/thread.jspa?threadID=324867
Ya, ideally someway for the user to avoid worrying about the external ID and configured ahead of time by an admin.
So, for this implementation, we don't consider the external ID as a secret, and used more for easier auditing of cloudtrail logs. Its been a point of friction with vault for us the last few years and there's been a bunch of discussion in hashicorp/vault#3790 and hashicorp/vault#5033 about it. From the docs
For external ID, almost exactly this. The main use case right now would be the same role gets deployed to 3 different accounts but require different external IDs |
