support external id in STS Assume Role calls #18901
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
edwardsb
requested review from
rachaelshaw,
rfairburn,
ksatter,
lukeheath,
pacamaster,
georgekarrv and
a team
as code owners
rfairburn
reviewed
May 10, 2024
…e calls add support for sts:ExternalId in AWS STS AssumeRole calls. This is a security feature that helps protect against the confused deputy problem. It is an optional unique identifier that can be used by the principal (Fleet) assuming the role to assert its identity. 📝 docs(fleet-server-configuration): add documentation for sts_external_id for AWS services add documentation for the sts_external_id configuration option for Firehose, Kinesis, Lambda, SES, S3, and Packaging S3. This option is used for AWS STS External ID authentication, typically in conjunction with an STS role ARN to ensure that only the intended AWS account can assume the role.
rfairburn
approved these changes
May 15, 2024
module "firehose-logging" {
source = "../../../../fleet/terraform/addons/byo-firehose-logging-destination/firehose"
firehose_results_name = "osquery_results"
firehose_status_name = "osquery_status"
firehose_audit_name = "fleet_audit"
iam_role_arn = "arn:aws:iam::<account_id>:role/terraform-20240515135556432200000001"
sts_external_id = "super_secret_external_id"
region = "us-east-2"
}Works as expected with the changes to the code. I was able to configure Fleet to write to a firehose delivery stream in another account with STS assume role while providing STS External Id. |
pacamaster
approved these changes
May 16, 2024
ksatter
approved these changes
May 20, 2024
lukeheath
approved these changes
May 21, 2024
rachaelshaw
approved these changes
May 21, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔐 feat(security): add support for sts:ExternalId in AWS STS AssumeRole calls
add support for sts:ExternalId in AWS STS AssumeRole calls. This is a security feature that helps protect against the confused deputy problem. It is an optional unique identifier that can be used by the principal (Fleet) assuming the role to assert its identity.
📝 docs(fleet-server-configuration): add documentation for sts_external_id for AWS services
add documentation for the sts_external_id configuration option for Firehose, Kinesis, Lambda, SES, S3, and Packaging S3. This option is used for AWS STS External ID authentication, typically in conjunction with an STS role ARN to ensure that only the intended AWS account can assume the role.
Checklist for submitter
If some of the following don't apply, delete the relevant line.
changes/,orbit/changes/oree/fleetd-chrome/changes.See Changes files for more information.
closes #18898
I need to perform testing by setting up the ExternalID requirement in some AWS environment.