Comments (11)
@andytom So I have updated my PR to allow for an MFA token per AWS documentation for you. Let me know if that works for you. Also, if you would like some more reference, take a look here https://aws.amazon.com/blogs/developer/assume-aws-iam-roles-with-mfa-using-the-aws-sdk-for-go/.
from helm-s3.
@hypnoglow I've given the PR a bit of testing and it works great 👍. Thanks for the hard work.
from helm-s3.
What I did is:
- Set your assumed role profile in ~/.aws/credentials
- aws sts assume-role --role-arn arn:aws:iam::1234567890:role/your-assumed-role-name --role-session-name "your-role-session-name" --profile your-assumed-role-profile > assume-role-output.txt
- You will need the info in assume-role-output.txt for the following steps
- export AWS_REGION=region-of-your-bucket
- export AWS_ACCESS_KEY_ID=your-AccessKeyId
- export AWS_SECRET_ACCESS_KEY=your-SecretAccessKey
- export AWS_SESSION_TOKEN=your-SessionToken
It works for me. Hopefully this saves a lot of time for people who encounter the same problem. :)))))
from helm-s3.
Hi @andytom ,
I will definitely consider implementing this, but could you please describe your use case?
The more details the better, because to release this feature I will need to test that implementation works within some test AWS account.
from helm-s3.
I will definitely consider implementing this, but could you please describe your use case?
The more details the better, because to release this feature I will need to test that implementation works within some test AWS account.
If someone is using AWS Organizations and has a single account that they use to manage all the IAM users, they will need to use assume roles to access resources in other accounts. This blog post from Segment.io explains the multiple AWS account setup in the "Separate AWS Accounts" section. An example would be a developer who needs to set up his local minikube environment: that user would have an account in the ops account, and in order to fetch the helm charts that developer would need to be able to use assume roles to access the prod account that contains the helm-s3 bucket.
MFA is just for security; Amazon recommends the use of MFA devices to increase security (see https://aws.amazon.com/iam/details/mfa/).
Hopefully that explains my use case, but please let me know if you want me to expand on anything or if anything is unclear.
from helm-s3.
@hypnoglow I believe @ConradKurth has done some work relating to switching roles in #24. Would it make sense to create a separate issue for the MFA stuff and keep this issue for the switching roles (I'm not sure how granular you want to get with your issues)?
from helm-s3.
Fixed by #24.
from helm-s3.
@hypnoglow and @ConradKurth, it seems I may have been a little bit hasty in closing this. I have been doing some testing with the new version and found a few issues:
- Timeouts - The context timeout includes the time taken entering the MFA token, so if you take too long to enter the MFA code it will time out. This seems to be relatively minor and could be fixed by increasing the default timeout.
helm s3 init s3://example-s3-bucket/charts
Assume Role MFA token code: 123456
2018/01/10 17:34:06 upload index to s3: upload index to S3 bucket: RequestCanceled: request context canceled
caused by: context deadline exceeded
- No MFA prompt - When using the proxy method there is no prompt for the MFA code. This might be because of the way that helm is calling the plugin, because if you call the helms3 binary directly it does prompt. However, I'm not sure how you would go about fixing this.
helm repo add example s3://example-s3-bucket/charts
2018/01/10 17:42:02 fetch from s3: fetch object from s3: EOF
Error: Looks like "s3://example-s3-bucket/charts" is not a valid chart repository or cannot be reached: plugin "bin/helms3" exited with error
$(helm home)/plugins/helm-s3.git/bin/helms3 certFile keyFile caFile s3://example-s3-bucket/charts/index.yaml
Assume Role MFA token code: 123456
apiVersion: v1
entries: {}
generated: 2018-01-10T16:58:45.608539Z
from helm-s3.
Timeouts - The context timeout includes the time taken entering the MFA token, so if you take too long to enter the MFA code it will time out. This seems to be relatively minor and could be fixed by increasing the default timeout.
I think that increasing the timeout is not an option. What is a reasonable timeout for a user with MFA enabled? It can take quite some time in some cases to get the code.
We either have to
- a) refuse interactivity and pass the code as a flag like
helm s3 push --mfa-token-code
- b) or remove the timeout completely, even from non-MFA-enabled requests (because we delegated all the creds job to the AWS library itself, and we cannot distinguish auth details from the plugin code anymore).
No MFA prompt - When using the proxy method there is no prompt for the MFA code. This might be because of the way that helm is calling the plugin, because if you call the helms3 binary directly it does prompt. However, I'm not sure how you would go about fixing this.
I've tried to fix this by using stderr instead of stdin-stdout, and it worked 😳 But we need to decide what to do with the problem above, because the a) solution will not work with this proxy method, as helm commands do not support any third-party flags:
$ helm repo add hypnoglow2 "s3://hypnoglow-charts" --mfa-token-code
Error: unknown flag: --mfa-token-code
So, I guess, we are forced to remove the timeouts completely because there is no other way to make MFA happy?
from helm-s3.
I've tried to fix this by using stderr instead of stdin-stdout, and it worked 😳 But we need to decide what to do with the problem above, because the a) solution will not work with this proxy method, as helm commands do not support any third-party flags:
Ah, that would make sense. I've just read the plugin downloader docs, and helm must be capturing the prompt as part of the output.
We could increase the timeout to a few minutes, that would give someone plenty of time to enter an MFA code and still keep the timeout for things like CI systems.
from helm-s3.
I've set a timeout of 5 minutes (helm default timeout in actions like helm install is 5 minutes, so let it be). Also, I think MFA for a proxy action is fixed; at least I tested and it works for me.
from helm-s3.
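As an added example (not helm-s3's own code), here is one way to structure the two fixes discussed in this thread in Go: the MFA prompt is written to stderr, because helm's downloader protocol treats everything the plugin prints to stdout as the fetched file, and the code is read before the request deadline starts, so typing time is not charged against the timeout (the plugin itself chose a 5-minute timeout instead). `PromptMFA`, `FetchWithMFA` and the `fetch` callback are assumed names standing in for the AWS SDK calls.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"os"
	"strings"
	"time"
)
// PromptMFA prints the prompt on `prompt` and reads one line from `in`.
// In a downloader plugin `prompt` must be stderr: helm treats everything
// written to stdout as the fetched file (index.yaml), so a prompt on stdout
// corrupts the response and the user never sees it.
func PromptMFA(prompt io.Writer, in io.Reader) (string, error) {
	fmt.Fprint(prompt, "Assume Role MFA token code: ")
	line, err := bufio.NewReader(in).ReadString('\n')
	if err != nil && err != io.EOF {
		return "", err
	}
	code := strings.TrimSpace(line)
	// Virtual MFA devices issue 6-digit TOTP codes; reject anything else early.
	if len(code) != 6 || strings.Trim(code, "0123456789") != "" {
		return "", fmt.Errorf("invalid MFA token code %q: expected 6 digits", code)
	}
	return code, nil
}

// FetchWithMFA collects the code before starting the request deadline, so time
// spent typing is not charged against the S3 timeout. `fetch` stands in for the
// assume-role and S3 calls the real plugin delegates to the AWS SDK (assumption).
func FetchWithMFA(prompt io.Writer, in io.Reader, timeout time.Duration,
	fetch func(ctx context.Context, code string) ([]byte, error)) ([]byte, error) {
	code, err := PromptMFA(prompt, in)
	if err != nil {
		return nil, err
	}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	return fetch(ctx, code)
}

func main() {
	stub := func(context.Context, string) ([]byte, error) { return []byte("apiVersion: v1\nentries: {}\n"), nil } // constructed, no network
	body, err := FetchWithMFA(os.Stderr, os.Stdin, 5*time.Minute, stub)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(body) // only the index reaches helm on stdout
}
```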