Option to use existing IAM roles instead of dynamically creating roles #114

Open
mparaz opened this issue Nov 17, 2016 · 4 comments
@mparaz

mparaz commented Nov 17, 2016

I would like the option of the CloudFormation template to make use of existing IAM roles, instead of dynamically creating them.

One scenario is when the user running Gordon, or manually creating the CloudFormation stack, does not have IAM privileges.

@ahl
Contributor

ahl commented Dec 16, 2016

I've done this with role

https://gordon.readthedocs.io/en/latest/lambdas.html#role

Does that work for you?

@brianantonelli

Even when providing the ARN I still get an exception from it attempting to call iam:list_users. I'm doing this from a federated account that does not have IAM access.

My settings.yml

lambdas:
  helloworld:
    code: helloworld
    handler: code.handler
    runtime: nodejs4.3
    role: arn:aws:iam::#######:role/acct-managed/Lambda-Deploy

Running apply:

Applying project...
Traceback (most recent call last):
  File "/usr/bin/gordon", line 11, in <module>
    load_entry_point('gordon==0.5.0', 'console_scripts', 'gordon')()
  File "/usr/lib/python2.7/site-packages/gordon/bin.py", line 109, in main
    getattr(obj, options.func)()
  File "/usr/lib/python2.7/site-packages/gordon/core.py", line 426, in apply
    context.update(self.collect_parameters())
  File "/usr/lib/python2.7/site-packages/gordon/core.py", line 459, in collect_parameters
    aws_account_id = boto3.client('iam').list_users(MaxItems=1)['Users'][0]['Arn'].split(':')[4]
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 253, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 543, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the ListUsers operation: The security token included in the request is invalid.

@kerryhatcher
Contributor

Looks like what Gordon really cares about is the account id. We can just add that as a config var:

# Retrieve the account_id of the credentials currently in use.
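The comment above points at the real problem in the traceback: Gordon calls iam:ListUsers only to read an account id out of the first user's ARN, which fails for any principal without IAM read access (federated sessions, CI roles with a narrow policy). The helper below is an added example, not Gordon's code or a proposed patch: it resolves the account id with the least privilege available, first from an explicit `aws_account_id` setting (the config var suggested above), then from the account already embedded in the lambda `role` ARN, and only then from sts:GetCallerIdentity, which requires no IAM permissions at all. The settings dict, the `aws_account_id` key name and the account number 123456789012 are constructed for the example; the real role ARN on this page is redacted.

```python
import re

# Added example (hypothetical helper, not Gordon's own code). Resolves the AWS
# account id without iam:ListUsers, which IAM-less principals cannot call and
# which also needlessly discloses the first IAM user's ARN.

# Partitions aws, aws-cn and aws-us-gov; the account field is always 12 digits.
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/.+$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def account_id_from_role_arn(arn):
    """Return the 12-digit account id embedded in an IAM role ARN, or None."""
    m = ROLE_ARN_RE.match(arn or "")
    return m.group(2) if m else None


def resolve_account_id(settings, caller_identity=None):
    """Resolve the account id for a Gordon-style settings dict.

    Order (most to least explicit, no IAM permission needed at any step):
      1. settings['aws_account_id']        (hypothetical config var)
      2. account id parsed from each lambda's 'role' ARN
      3. caller_identity() -> sts:GetCallerIdentity response (injected so the
         function is testable offline)
    """
    explicit = str(settings.get("aws_account_id", "")).strip()
    if explicit:
        if not ACCOUNT_ID_RE.match(explicit):
            raise ValueError("aws_account_id must be a 12-digit account id")
        return explicit

    ids = set()
    for lambda_cfg in (settings.get("lambdas") or {}).values():
        acct = account_id_from_role_arn(lambda_cfg.get("role"))
        if acct:
            ids.add(acct)
    if len(ids) > 1:
        # A template that assumes one account cannot serve roles from several.
        raise ValueError("lambda roles belong to different accounts: %s" % sorted(ids))
    if ids:
        return ids.pop()

    if caller_identity is None:
        raise RuntimeError("no account id in settings and no STS resolver supplied")
    return caller_identity()["Account"]


def sts_caller_identity():
    """Real resolver: sts:GetCallerIdentity works for any valid credentials,
    federated ones included, and needs no IAM policy permission. boto3 is only
    imported here so the rest of the module runs without it."""
    import boto3  # assumption: boto3 is installed in the deploying environment
    return boto3.client("sts").get_caller_identity()


# Constructed sample settings mirroring the settings.yml posted above, with a
# fake account number in place of the redacted one.
SAMPLE_SETTINGS = {
    "lambdas": {
        "helloworld": {
            "code": "helloworld",
            "handler": "code.handler",
            "runtime": "nodejs4.3",
            "role": "arn:aws:iam::123456789012:role/acct-managed/Lambda-Deploy",
        }
    }
}

if __name__ == "__main__":
    print(resolve_account_id(SAMPLE_SETTINGS, caller_identity=sts_caller_identity))
```

In practice step 2 already covers the scenario in this issue: a user who must supply an existing role ARN has, by doing so, also told the tool which account it is deploying into, so no AWS call is needed before the CloudFormation stack is applied.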

@kerryhatcher
Contributor

Next issue is that gordon.contrib.lambdas had a policy defined, so even if you have a role configured for your application, gordon still tries to create one for the contrib function.

See:
https://github.com/jorgebastida/gordon/blob/master/gordon/contrib/lambdas/settings.yml#L11
https://gordon.readthedocs.io/en/latest/contrib.html

4 participants