barman-cli-cloud does not work with IMDSv2 #949

Open
smcaine opened this issue Jun 24, 2024 · 2 comments
Comments

smcaine commented Jun 24, 2024

Hi,

I want to be able to ship backups to S3. In AWS we use the recommended IMDSv2 (HTTP token required) on all of our EC2 instances. We do not store AWS credentials on any instances or containers, as this is not recommended; we only use IRSA to authenticate to other AWS services.

barman-cli-cloud only works like this if I set http-token to optional in my EC2 metadata config; see here for more details:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html

Could some logic please be added so that this works with the token required?

**Updated**

Add a flag for AWS IRSA:

    # barman-cli-cloud argument parser: `s3_arguments` is the existing
    # argparse group for the S3 provider options
    s3_arguments.add_argument(
        "--aws-irsa",
        help="bypasses credentials/profile and uses iam service account",
        action="store_true",
        default=False,
    )

and then a condition on whether to use IRSA or not, which can use local environment variables and STS to get a session:

    # barman/cloud_providers/aws_s3.py
    # (os and boto3 are imported at the top of the module)
    if self.aws_irsa:
        # IRSA: the service-account projected token and role ARN are injected
        # into the pod environment by the EKS webhook
        client = boto3.client("sts")
        with open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"], "r") as content_file:
            web_identity_token = content_file.read()

        response = client.assume_role_with_web_identity(
            RoleArn=os.environ["AWS_ROLE_ARN"],
            RoleSessionName="barman",
            WebIdentityToken=web_identity_token,
            # DurationSeconds=3600  # defaults to an hour; must not be greater than
            # the IAM role's max session duration (which also defaults to 1 hour)
        )
        # Build a session from the temporary credentials returned by STS
        credentials = response["Credentials"]
        session = boto3.Session(
            aws_access_key_id=credentials["AccessKeyId"],
            aws_secret_access_key=credentials["SecretAccessKey"],
            aws_session_token=credentials["SessionToken"],
        )
    else:
        # Existing behaviour: resolve credentials through the named profile
        session = boto3.Session(profile_name=self.profile_name)

    self.s3 = session.resource("s3", endpoint_url=self.endpoint_url, config=config)

thanks!
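The behaviour the issue describes (a client that works only when the instance metadata service allows optional tokens) comes down to the IMDSv2 handshake: with `HttpTokens=required`, a plain GET to `/latest/meta-data/...` is rejected with 401, and a client must first obtain a session token via `PUT /latest/api/token` with a `X-aws-ec2-metadata-token-ttl-seconds` header and then send it in `X-aws-ec2-metadata-token`. The following is an added example, not code from the issue or from barman: it runs a small local stand-in for a token-required IMDS (a constructed server with one constructed metadata value) and a client that can speak either IMDSv1 or IMDSv2, so the difference can be checked offline. The token TTL bound of 21600 seconds mirrors the AWS documentation; everything else (the fake instance id, the server itself) is constructed for illustration.

```python
import http.server
import secrets
import threading
import time
import urllib.error
import urllib.request

# Constructed sample metadata; a real IMDS serves the instance's own values.
FAKE_METADATA = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


class FakeImdsHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for IMDS configured with HttpTokens=required."""

    tokens = {}  # session token -> expiry (monotonic seconds), shared per process

    def log_message(self, *args):  # keep request logging quiet
        pass

    def do_PUT(self):
        # IMDSv2 token handshake: PUT /latest/api/token with a TTL header.
        if self.path != "/latest/api/token" or TTL_HEADER not in self.headers:
            self._send(400, "bad request")
            return
        ttl = int(self.headers[TTL_HEADER])
        if not 1 <= ttl <= 21600:  # AWS caps the token TTL at six hours
            self._send(400, "bad ttl")
            return
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.monotonic() + ttl
        self._send(200, token)

    def do_GET(self):
        # Token-required mode: a GET without a valid session token is refused,
        # which is exactly what an IMDSv1-only client runs into.
        expiry = self.tokens.get(self.headers.get(TOKEN_HEADER))
        if expiry is None or expiry < time.monotonic():
            self._send(401, "unauthorized")
            return
        body = FAKE_METADATA.get(self.path)
        if body is None:
            self._send(404, "not found")
            return
        self._send(200, body)

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds():
    """Start the fake IMDS on a loopback port; return (base_url, server)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://%s:%d" % server.server_address, server


def get_metadata(base_url, path, use_imdsv2=True):
    """Return (status, body) for a metadata lookup.

    use_imdsv2=True performs the PUT token handshake and sends the token;
    use_imdsv2=False mimics a legacy client that only sends a plain GET.
    """
    headers = {}
    if use_imdsv2:
        req = urllib.request.Request(
            base_url + "/latest/api/token", method="PUT", headers={TTL_HEADER: "21600"}
        )
        with urllib.request.urlopen(req, timeout=2) as resp:
            headers[TOKEN_HEADER] = resp.read().decode()
    req = urllib.request.Request(base_url + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    url, server = start_fake_imds()
    print("IMDSv1-style GET:", get_metadata(url, "/latest/meta-data/instance-id", use_imdsv2=False))
    print("IMDSv2 handshake:", get_metadata(url, "/latest/meta-data/instance-id"))
    server.shutdown()
```

Against this server the legacy path returns 401 and the handshake path returns the instance id, which is why relaxing the instance to "optional" tokens makes a v1-only client work again; the durable fix on the client side is to perform the handshake (or, as the issue proposes, avoid instance metadata altogether by exchanging the IRSA web identity token with STS).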

smcaine commented Oct 9, 2024

Is anyone able to pick this one up? I created a PR for this here: #1021

Thanks

@martinmarques (Contributor) commented:

Hi, we will look at this before the next release.
