How to configure aws sso for terraform? - terraform-provider-aws

I have been using AWS as a cloud service and Terraform as IaC. It's very annoying to copy-paste the credentials frequently. Is there any solution available for that, or any workaround, to use AWS SSO?

Premise
It was my understanding that there is a current issue between AWS SSO (authentication v2) and Terraform: only V1 authentication (access key and secret key) is reliably accepted.
For example, this open PR, this issue, or this ongoing referenced merge.
Work Around
There are a couple of projects that circumvent this issue by generating V1 creds from AWS SSO.
The one I use is a PyPI library called yawsso.
Try this:
pip3 install yawsso
yawsso login # this will authenticate - you no longer need to run 'aws sso login'
Note
Just make sure you use the right profile with export AWS_PROFILE=foo, where "foo" would be in ~/.aws/config as [profile foo].
Bonus
yawsso will log you in on all profiles listed in the AWS config file, so you don't need to log in one by one to all the profiles required at work.
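As an added example (not part of the answer above), the following parses an ~/.aws/config and reports which profiles are SSO profiles, so you can confirm that the value you export as AWS_PROFILE names a profile yawsso will actually log in to. The config text is constructed for the example, and it assumes the per-profile sso_* keys shown in it rather than a shared sso-session section.

```python
# Added example, not part of the answer above. Parses ~/.aws/config and
# classifies profiles so the AWS_PROFILE you export can be checked before
# terraform runs. SAMPLE_CONFIG is constructed for the example.
import configparser
from typing import Dict

SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile foo]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = PowerUser
region = eu-west-1

[profile legacy]
region = us-west-2
"""

# Per-profile SSO keys (assumption: the older per-profile layout, not sso-session).
SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def parse_profiles(config_text: str) -> Dict[str, Dict[str, str]]:
    """Map profile name -> settings. Non-default profiles are written as
    '[profile NAME]' in ~/.aws/config; the default one is just '[default]'."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def sso_profiles(config_text: str) -> Dict[str, str]:
    """Profiles that use AWS SSO (the ones yawsso logs in to), mapped to the
    role they assume, or to a note about missing sso_* keys so a typo is
    caught early."""
    result = {}
    for name, settings in parse_profiles(config_text).items():
        if not any(k in settings for k in SSO_KEYS):
            continue
        missing = [k for k in SSO_KEYS if k not in settings]
        result[name] = ("incomplete: missing " + ", ".join(missing)
                        if missing else settings["sso_role_name"])
    return result


def check_profile(profile: str, config_text: str) -> str:
    """What 'export AWS_PROFILE=<profile>' resolves to under this config."""
    if profile not in parse_profiles(config_text):
        return f"{profile}: not found in config"
    kind = "sso" if profile in sso_profiles(config_text) else "static credentials"
    return f"{profile}: {kind}"
```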

Related

G-cloud sdk --> problems about firebase projects and permissions

I'm developing a backend microservice app with Node.js along with @google-cloud/firestore, and I'm trying to access my Firebase project locally with the gcloud SDK. I've run gcloud init so I can log in and choose the project I need to connect to in order to access the db.
The problem is that I keep getting 7 PERMISSION_DENIED: Missing or insufficient permissions when I try to make any type of interaction with the db, even though I already have all permissions in the project. At the beginning I thought that maybe I was having that problem because I was using a different account that did not have permissions to access these projects, but that didn't make sense because I do not see that account in my list of accounts in the SDK.
But when I gave permissions to the other account that I thought maybe was logged in in my SDK, I could access the db, so it was weird; it is like it's stuck with the other account that maybe I added when I first installed the SDK.
So, I've tried everything to correct this: I've deleted all accounts from my gcloud SDK, I've deleted the list of configurations, I've uninstalled (twice) the SDK and installed it again (since people I work with told me that they did this and it worked for them, since they had the same issue), I've run gcloud init to log in again and all that stuff, and still, when I try to connect to my Firebase db, it still says that I do not have permissions. It's like the account I'm logging in with is not the one that is being saved/used to access my project.
What can I do to make this work?
EDIT #1 -> How I'm connecting to Firebase and SDK commands to connect to the project
Connecting to my project on Firestore
import 'reflect-metadata';
import { Firestore } from '@google-cloud/firestore';
import { GCP_PROJECT } from '@util';
// Firestore picks its credentials from Application Default Credentials, not from the project ID.
export const firestore = new Firestore({ projectId: GCP_PROJECT });
Commands to connect to my project by sdk
-> gcloud init
Welcome! This command will take you through the configuration of gcloud.
Settings from your current configuration [coordinadora-work] are:
core:
account: diego.cifuentes@coordinadora.com
disable_usage_reporting: 'True'
project: cm-reparto-dev
Pick configuration to use:
[1] Re-initialize this configuration [coordinadora-work] with new settings
[2] Create a new configuration
Please enter your numeric choice: 1
Your current configuration has been set to: [coordinadora-work]
You can skip diagnostics next time by using the following flag:
gcloud init --skip-diagnostics
Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic passed (1/1 checks passed).
Choose the account you would like to use to perform operations for this configuration:
[1] diego.cifuentes@coordinadora.com
[2] Log in with a new account
-> Please enter your numeric choice: 1
You are logged in as: [...my account that is having problems...].
Pick cloud project to use:
...
-> Please enter numeric choice or text value (must exactly match list item): 21
Your current project has been set to: [...project that i'm having problems with...].
-> Do you want to configure a default Compute Region and Zone? (Y/n)? n
Your Google Cloud SDK is configured and ready to use!
The Google Cloud client libraries use the Application Default Credentials, not the current credentials set up using gcloud auth login.
To set up your Application Default Credentials for local development, simply execute gcloud auth application-default login. This will open a browser window and allow you to select the account to use as default credentials.
Another method is setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to a service account key file.
Read more here: https://cloud.google.com/docs/authentication/application-default-credentials
When running in GCP, your credentials will get picked up from the environment, i.e. the service account your Cloud Function is running with.
https://cloud.google.com/docs/authentication/client-libraries
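As an added example (not from the answer above), the snippet below reproduces the first two steps of the Application Default Credentials lookup that the Google client libraries perform, so you can see which account Firestore will actually authenticate as: GOOGLE_APPLICATION_CREDENTIALS first, then the file written by gcloud auth application-default login, and otherwise the metadata server on GCP. It assumes the Linux/macOS default path for the gcloud file, and the file contents and paths are constructed.

```python
# Added example, not from the answer above. Mirrors the ADC lookup order of the
# Google client libraries; 'gcloud auth login' does not take part in it at all.
# Paths assume Linux/macOS defaults; SAMPLE_FILES stands in for the filesystem.
import json
import os
from typing import Dict, Tuple

WELL_KNOWN_FILE = "application_default_credentials.json"


def well_known_path(env: Dict[str, str]) -> str:
    """Where gcloud writes ADC on Linux/macOS; CLOUDSDK_CONFIG overrides the dir."""
    config_dir = env.get("CLOUDSDK_CONFIG") or os.path.join(env.get("HOME", ""), ".config", "gcloud")
    return os.path.join(config_dir, WELL_KNOWN_FILE)


def describe_credentials(doc: dict) -> str:
    """Summarise an ADC JSON document: service-account key vs user refresh token."""
    kind = doc.get("type")
    if kind == "service_account":
        return f"service account {doc.get('client_email', '?')}"
    if kind == "authorized_user":
        # The refresh token belongs to whichever account was chosen in the
        # browser at login; the file may or may not record that account.
        return f"user refresh token ({doc.get('account') or 'account chosen in the browser login'})"
    return f"unknown credential type {kind!r}"


def resolve_adc(env: Dict[str, str], files: Dict[str, str]) -> Tuple[str, str]:
    """Return (source, description) for the credentials a client library would use."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        if explicit not in files:
            return ("env", f"GOOGLE_APPLICATION_CREDENTIALS points to missing file {explicit}")
        return ("env", describe_credentials(json.loads(files[explicit])))
    path = well_known_path(env)
    if path in files:
        return ("gcloud-adc-file", describe_credentials(json.loads(files[path])))
    return ("metadata-server", "no local ADC; on GCP the runtime service account is used")


# Constructed sample files: one user ADC file and one service-account key.
SAMPLE_FILES = {
    "/home/dev/.config/gcloud/application_default_credentials.json": json.dumps(
        {"type": "authorized_user", "client_id": "x", "client_secret": "y", "refresh_token": "z"}),
    "/home/dev/key.json": json.dumps(
        {"type": "service_account", "client_email": "svc@example-project.iam.gserviceaccount.com",
         "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n"}),
}
```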

Get Firebase Admin SDK private key programmatically

I need to create Firebase projects, get the Admin SDK private keys, and add resources programmatically.
I can create projects with CLI - firebase projects:create. But after that to use Admin SDK or REST API to add resources to the project, I need to get Admin SDK private key.
My plan is web scraping with direct HTTP requests. I know Fastlane use same logic to control Apple Developer Portal UI and fetch data from it programmatically.
First, I need to go: https://console.firebase.google.com/project/<project_id>/settings/serviceaccounts/adminsdk with required cookies, headers etc.
Then, I should mimic the Generate new Private Key button below and get the private key.
But I have never used this method, especially with a web page that contains sessions, cookies etc. And I want to build it as a microservice and deploy it to a server. So I believe 2FA might be a problem.
My questions:
Is there any more cost-effective way to get the Admin SDK key? Maybe I am missing some feature in Firebase resources.
Can I mimic this button's behaviour without using any front-end scraping? Are there any precautions in Firebase servers to prevent this kind of solution?
If I do it this way and deploy to a server, would 2FA be a problem? Can a microservice work with 1-month valid sessions? Or would it ask for 2FA all the time that it works? (I have never used headless browsers etc. I just have some basic web-scraping experience with Selenium.)
It looks like scraping is not necessary; the gcloud CLI does the job. If you want to create Firebase projects and get service accounts programmatically, do the steps below:
Create with the Firebase CLI: firebase projects:create --display-name "<project-name>" <project-id> (or, probably, you can create with the gcloud CLI as well)
Change the active project in the gcloud CLI with gcloud config set project <project-id>
gcloud iam service-accounts list and store the EMAIL here. (There is just an automatically created service account here; no private key is created.)
Create and store the private key: gcloud iam service-accounts keys create key.json --iam-account=<EMAIL-you-stored>

How do I pass secrets stored in AWS Secrets Manager to a Docker container in SageMaker?

My code is in R, and I need to access an external database. I am storing database credentials in AWS Secrets Manager.
So I first tried using the paws library to get AWS secrets in R, but that would require storing an access key, secret id and session token, and I want to avoid that.
Is there a better way to do this? I have created an IAM role for SageMaker. Is it possible to pass secrets as environment variables?
Edit: I wanted to trigger Sagemaker Processing
I found a simple solution to it. Env variables can be passed via the SageMaker SDK. It minimizes the dependencies.
https://sagemaker.readthedocs.io/en/stable/api/training/processing.html
As another answer suggested, paws can be used as well to get secrets from AWS. This would be a better approach.
You should be able to use Paws for this. According to the documentation, it will use the IAM role configured for your SageMaker instance:
If you are running the package on an instance with an appropriate IAM role, Paws will use it automatically and you don’t need to do anything extra.
You only have to add the relevant access permissions (e.g. Allow ssm:GetParameters) to the SageMaker IAM role.

How Can I Obtain GCP service account credentials on Google Cloud Run?

This page explains both:
Obtaining and providing service account credentials manually for developing locally, deploying on-premises, or deploying to another public cloud.
Obtaining credentials on Compute Engine, Kubernetes Engine, App Engine flexible environment, and Cloud Functions
But there is no mention of obtaining credentials on Cloud Run. I'd appreciate it if you could give instructions for obtaining credentials and setting up firebase-admin initializeApp and firebase initializeApp for authentication on Cloud Run.
The documentation suggests that you can use the default service account just like other Google Cloud products as described here. The Firebase Admin SDK should use that account when initialized with no parameters.
There are also steps described if you want to use a non-default service account, which you can simply configure in the console or provide with gcloud.
If you must provide a file that's readable at runtime, you will have to deploy an image with that file added to the image. There is no short set of steps to add that file: you will have to make your docker build include it in a readable location, and your code will need to know where to look for it in order to load it.

How to configure usage of AWS profile during amplify init?

During amplify init there is a question:
"Do you want to use AWS profile"
What is an "AWS profile" in this context? When should I choose yes, and when no? What is the decision's impact on the project?
After installing the AWS CLI, you can configure your CLI using the aws configure command. You provide an access key, a secret access key and a default region. Once you are done with this, it creates a default profile for your CLI. All your aws commands use credentials from this default profile. Your amplify init command refers to this profile.
You can have multiple AWS profiles for your CLI to use.
Coming to your question.
1) If your AWS default profile is configured for the same account where you want your amplify project to deploy, you can say yes to that question.
2) If you are not sure what is in your default profile, you can opt for no and provide the access key, secret key and other information on your own.
Hope this will clear your doubt.