support external id in STS Assume Role calls #18901
Conversation
This looks great pending testing. Will approve upon successful test.
```hcl
module "firehose-logging" {
  source                = "../../../../fleet/terraform/addons/byo-firehose-logging-destination/firehose"
  firehose_results_name = "osquery_results"
  firehose_status_name  = "osquery_status"
  firehose_audit_name   = "fleet_audit"
  iam_role_arn          = "arn:aws:iam::<account_id>:role/terraform-20240515135556432200000001"
  sts_external_id       = "super_secret_external_id"
  region                = "us-east-2"
}
```

Works as expected with the changes to the code. I was able to configure Fleet to write to a Firehose delivery stream in another account with STS assume role while providing the STS External Id.
LGTM
🔐 feat(security): add support for sts:ExternalId in AWS STS AssumeRole calls
add support for sts:ExternalId in AWS STS AssumeRole calls. This is a security feature that helps protect against the confused deputy problem. It is an optional unique identifier that can be used by the principal (Fleet) assuming the role to assert its identity.
📝 docs(fleet-server-configuration): add documentation for sts_external_id for AWS services
add documentation for the sts_external_id configuration option for Firehose, Kinesis, Lambda, SES, S3, and Packaging S3. This option is used for AWS STS External ID authentication, typically in conjunction with an STS role ARN to ensure that only the intended AWS account can assume the role.
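The protection described in the commit message only works if the account that owns the role also enforces the external ID in the role's trust policy, which this PR does not show. The following Go program is an added example, not Fleet's code and not part of this PR: it embeds two constructed trust policies (one with a StringEquals condition on sts:ExternalId, one without) and a deliberately minimal evaluator of that condition, then runs the confused-deputy scenario through it. The account IDs, role ARN, tenant names and the function names assumeRoleAllowed and deputyAssume are placeholders chosen for the example; the external ID value simply mirrors the one in the Terraform snippet in this thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// fleetRoleArn is the principal Fleet calls sts:AssumeRole as.
// Placeholder account ID and role name, constructed for this example.
const fleetRoleArn = "arn:aws:iam::111111111111:role/fleet-server"

// trustPolicyWithExternalID is a constructed sample of the trust policy the
// destination account attaches to the role Fleet assumes: Fleet's role may
// assume it only when the call carries the agreed external ID.
const trustPolicyWithExternalID = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/fleet-server"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "super_secret_external_id"}}
  }]
}`

// trustPolicyNoExternalID is the same policy without the condition: anyone
// who can get Fleet to assume this role ARN gets in (the confused deputy).
const trustPolicyNoExternalID = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/fleet-server"},
    "Action": "sts:AssumeRole"
  }]
}`

type statement struct {
	Effect    string                       `json:"Effect"`
	Principal struct{ AWS string }         `json:"Principal"`
	Action    string                       `json:"Action"`
	Condition map[string]map[string]string `json:"Condition"`
}

type trustPolicy struct {
	Statement []statement `json:"Statement"`
}

// assumeRoleAllowed models the gate a trust policy puts on sts:AssumeRole:
// the caller must match the statement's Principal, and if the statement has
// a StringEquals condition on sts:ExternalId, the ExternalId sent with the
// call must equal it. It deliberately ignores the rest of IAM (Deny
// statements, wildcards, array-valued principals, other operators).
func assumeRoleAllowed(policyJSON, callerArn, externalID string) (bool, error) {
	var p trustPolicy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, fmt.Errorf("parse trust policy: %w", err)
	}
	for _, s := range p.Statement {
		if s.Effect != "Allow" || s.Action != "sts:AssumeRole" || s.Principal.AWS != callerArn {
			continue
		}
		// Indexing a nil map is safe in Go; ok is false when there is no condition.
		want, ok := s.Condition["StringEquals"]["sts:ExternalId"]
		if ok && externalID != want {
			continue // right principal, wrong or missing external ID
		}
		return true, nil
	}
	return false, nil
}

// deputyAssume is what a deputy such as Fleet does per tenant: it always
// calls as its own role and sends the external ID configured for that tenant
// (the sts_external_id option). A tenant who points the deputy at someone
// else's role ARN still only gets their own external ID sent along.
func deputyAssume(targetTrustPolicy, tenantExternalID string) (bool, error) {
	return assumeRoleAllowed(targetTrustPolicy, fleetRoleArn, tenantExternalID)
}

func main() {
	// The victim's account requires the victim's external ID.
	ok, _ := deputyAssume(trustPolicyWithExternalID, "super_secret_external_id")
	fmt.Println("victim tenant, correct external ID:", ok)
	// An attacker tenant configures the victim's role ARN; the deputy sends the attacker's ID.
	ok, _ = deputyAssume(trustPolicyWithExternalID, "attacker_tenant_id")
	fmt.Println("attacker tenant, victim's role with external ID condition:", ok)
	// Without the condition, the same attack succeeds.
	ok, _ = deputyAssume(trustPolicyNoExternalID, "attacker_tenant_id")
	fmt.Println("attacker tenant, victim's role without condition:", ok)
}
```

The evaluator is a toy, not an IAM policy engine; the point it makes is that sts_external_id on the Fleet side is only half of the control, and the role owner has to pin the same value in the trust policy condition for the check to bite.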
Checklist for submitter
If some of the following don't apply, delete the relevant line.
- Changes file added in changes/, orbit/changes/ or ee/fleetd-chrome/changes. See Changes files for more information.
closes #18898
I need to perform testing by setting up the ExternalID requirement in some AWS environment.