How to assume role to read KMS keys?

jorhett · January 8, 2021, 1:20am

Terraform allows assumption of roles with the AWS provider. However it seems the Boundary provider doesn’t use the AWS provider, nor provide an option for setting the profile to assume to read the key?

The only way I can get this to work is to login and set the AWS_PROFILE environment variable before running Terraform, which defeats CI testing implementations.

Would be great if it supported assuming profiles similar to or making use of Terraform’s AWS provider.

kms "awskms" {
  purpose    = "root"
  region     = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::0000000000:role/iam-identity-foobar"
  }
}

malnick · January 8, 2021, 7:24pm

Hey there,

From where are you running Boundary? Is this on an EC2 instance within AWS or somewhere else? Under the authentication section for KMS AWS, we point out that:

AWS authentication values:

[ AWS_REGION ]>(AWS KMS - Seals - Configuration | Vault by HashiCorp) or >AWS_DEFAULT_REGION

[ AWS_ACCESS_KEY_ID ]>(AWS KMS - Seals - Configuration | Vault by HashiCorp)

[ AWS_SECRET_ACCESS_KEY ]>(AWS KMS - Seals - Configuration | Vault by HashiCorp)

Note: The client uses the official AWS SDK and will use the specified credentials, environment >credentials, shared file credentials, or IAM role/ECS task credentials in that order, if the above AWS specific values are not provided.

If you’re on an EC2 instance, you can leverage the role as an instance profile. Under the hood, we’re running the AWS SDK, and so all env vars and other authentication mechanisms should happen automatically.

jorhett · January 8, 2021, 7:35pm

When using the Terraform provider you are running from a workstation or CI system, not from the instance node.

Yes, it would be possible to create a CI node in EC2 which has a god-like instance profile, but this is a lot less secure than specific role assumption rights given to specific jobs.

If you are using the AWS provider with role assumption, you can’t use the environment variables for all the reasons this ability was added to the AWS provider. (multiple roles are used for this deployment)

The AWS provider is based on the same SDK, so it would have the same abilities if you added the same attributes to the Boundary provider schema.

jorhett · January 8, 2021, 8:06pm

Since it doesn’t seem I overlooked anything, I’ve created Boundary provider needs assume_role · Issue #62 · hashicorp/terraform-provider-boundary · GitHub to track this

malnick · January 13, 2021, 6:28pm

I’m still not following the workflow clearly here. In the example, you have a awskms block, that block specifies a KMS key, not IAM configuration, for encrypting different types of Boundary traffic. How are you using Boundary from CI? Can you clarify if this is something you’re doing from Terraform (and the specific provider, it sounds like you’re using Boundary and AWS providers), or Boundary itself?

Thanks!

malnick · January 13, 2021, 6:31pm

Ah, the ticket had the info I was looking for, going to take this conversation there - thanks for doing that.

jorhett · January 26, 2021, 1:37am

Yes. In order to read that key, one must assume the correct IAM profile. There’s no way to do that today except by setting environment variables… which breaks all other AWS operations in the same Terraform run.

I’m asking you to add the ability to assume an AWS profile in order to read the KMS provided.