
boundary-plugin-aws's People

Contributors

a-440hz, calebalbers, ddebko, dependabot[bot], hashicorp-copywrite[bot], hugoghx, jefferai, johanbrandhorst, kheina, louisruch, moduli, stasryzhov, talanknight, vancluever


boundary-plugin-aws's Issues

EC2 DescribeInstances API calls timeout

Using dynamic host sets (AWS specifically, haven't tried the Azure one yet) in a large environment results in the following error:

{"id":"<REDACTED>","source":"https://hashicorp.com/boundary/4466e4d3c372/controller","specversion":"1.0","type":"error","data":{"error":"rpc error: code = Unknown desc = error running DescribeInstances for host set id \"<REDACTED>\": SerializationError: failed decoding EC2 Query response\n\tstatus code: 200, request id: 55f65e01-476e-4b4d-93b0-9e38b419b445\ncaused by: context deadline exceeded (Client.Timeout or context cancellation while reading body)","error_fields":{},"id":"<REDACTED>","version":"v0.1","op":"plugin.(SetSyncJob).syncSets","info":{"catalog id":"<REDACTED>","msg":"listing hosts"}},"datacontentype":"application/cloudevents","time":"2022-06-21T08:40:33.258736566Z"}

We tried splitting it into multiple host sets with different filters, but some queries still timed out.
The biggest dynamic host sets we managed to produce were around 300 hosts. Some queries should've returned fewer hosts but timed out as well, so host count might not be the only factor here.

Looking at the code it seems the DescribeInstances call uses the default HTTP client with the default timeout config. We're suggesting exposing some config to control the timeout of such calls.

Boundary version: 0.9
Setup: Docker on EC2 VMs
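As an added illustration (not code from the plugin or from the issue author), the Go program below reproduces the failure shape in this report against a constructed local test server and shows the change the report asks for: an explicit, caller-configurable http.Client timeout on the DescribeInstances call, with the timeout distinguished from other failures so it can be logged or retried deliberately. The server, endpoint and function names are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed stand-in for the EC2 Query endpoint: it replies 200 at once,
// then withholds the XML body for bodyDelay, the failure shape in the issue.
func slowDescribeServer(bodyDelay time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		w.(http.Flusher).Flush() // headers reach the client before the body does
		time.Sleep(bodyDelay)
		fmt.Fprint(w, `<DescribeInstancesResponse><reservationSet/></DescribeInstancesResponse>`)
	}))
}

// describeInstances makes one call with a caller-chosen timeout instead of the
// default client's unbounded one; timedOut is true when that deadline ended it.
func describeInstances(endpoint string, timeout time.Duration) (body []byte, timedOut bool, err error) {
	client := &http.Client{Timeout: timeout} // the knob the issue asks to expose
	resp, err := client.Get(endpoint)
	if err != nil {
		return nil, isTimeout(err), err
	}
	defer resp.Body.Close()
	if body, err = io.ReadAll(resp.Body); err != nil { // the issue's error surfaces here, after a 200
		return nil, isTimeout(err), err
	}
	return body, false, nil
}

// isTimeout matches net/http's Client.Timeout body-read error (Timeout() == true) or a context deadline.
func isTimeout(err error) bool {
	var te interface{ Timeout() bool }
	return errors.Is(err, context.DeadlineExceeded) || (errors.As(err, &te) && te.Timeout())
}

func main() {
	srv := slowDescribeServer(300 * time.Millisecond)
	defer srv.Close()
	_, timedOut, err := describeInstances(srv.URL, 50*time.Millisecond)
	fmt.Println("timed out:", timedOut, "err:", err)
}
```

With a 50 ms budget the call fails while reading the body exactly as in the log above; raising the budget lets the same response complete.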

Cannot Select Correct Address for AWS ECS Node

I have an AWS ECS cluster that I'd like to be able to SSH into via Boundary, but cannot configure the host set AWS plugin to select the proper address of the host node.

Each of my AWS ECS nodes has two private addresses, one for the host itself and one for what I assume is the CNI on the node. However, Boundary seems to always select the CNI address and not the host address. Both of these exist in the same subnet CIDR ranges, so using the preferred_endpoints with a CIDR specification will not help.

I have tried using the dns specification in preferred_endpoints with both dns:ip-* and dns:*, but neither seems to work, and I can't find any documentation for it, so I'm not positive that is a proper option.

Is there any way that I can configure it to select the proper address? Could the plugin check the address against the private DNS name and always prefer the one matching the host if no preferred_endpoints is set?

Am I missing something?

Unable to Utilize Role ARN for AWS Credential Rotation in Boundary Host Catalogs

Description:

I am attempting to use Boundary CLI to create a dynamic host catalog using the AWS plugin. According to the documentation for the boundary-plugin-aws repository, it's mentioned that one can utilize a role ARN for credential rotation in addition to static credentials and environment variables.

However, I encountered issues when trying to implement this using the following command.

boundary host-catalogs create plugin \
  -scope-id $PROJECT_ID \
  -plugin-name aws \
  -attr disable_credential_rotation=true \
  -attr region=us-east-1 \
  -secret access_key_id=env://BOUNDARY_ACCESS_KEY_ID \
  -secret secret_access_key=env://BOUNDARY_SECRET_ACCESS_KEY \
  -attr role_arn=env://BOUNDARY_ROLE_ARN

When attempting to include the role ARN attribute along with static access key and secret access key secrets, the command resulted in the following error:

desc = Error in the secrets provided: [attributes.role_arn: conflicts with access_key_id and
  secret_access_key values, secrets.access_key_id: conflicts with role_arn value,
  secrets.secret_access_key: conflicts with role_arn value]
  Status:              500

On the other hand, when omitting the static secrets and solely providing the role ARN attribute, the command yielded the following error:

desc = secrets are required
  Status:              500

This inconsistency makes it unclear whether role ARN can be effectively used instead of static secrets for credential rotation. Considering best practices and security concerns, utilizing role ARN for rotation would be preferable.

Could you please help clarify whether it's possible to use AWS IAM role ARN for credential rotation in the Boundary AWS plugin? If so, could you provide guidance on the correct usage or any potential workaround to address the errors encountered?

Thank you for your attention to this issue.

Host Name should inherit from EC2 Name

When creating a boundary_host_set_plugin resource through terraform, the name appearing on boundary is the ID of the host (ex: h_1gZVzevKl2) instead of the EC2 instance name (tag:Name).

InvalidClientTokenId: The security token included in the request is invalid

When using the Terraform Boundary provider, we ran into an issue where the host catalog credentials cannot cycle because the old one is somehow missing.

Terraform Plan:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:
  # boundary_host_catalog_plugin.boundary will be updated in-place
  ~ resource "boundary_host_catalog_plugin" "boundary" {
        id                                         = "hc_ol8km8ltYy"
      ~ internal_force_update                      = "5577006791947779410" -> (known after apply)
      ~ name                                       = "" -> "boundary-hosts"
        # (9 unchanged attributes hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.

Job succeeded

Terraform Apply:

Terraform Cloud has been successfully initialized!
$ cd boundary && terraform apply -input=false tfplan
boundary_host_catalog_plugin.boundary: Modifying... [id=hc_ol8km8ltYy]
╷
│ Error: error updating host catalog: {"kind":"Internal","message":"host_catalogs.(Service).updatePluginInRepo: unable to update host catalog: plugin.(Repository).UpdateCatalog: in hc_ol8km8ltYy: db.DoTx: plugin.(Repository).UpdateCatalog: unknown, unknown: error #0: rpc error: code = Unknown desc = error attempting to replace credentials: error deleting old access key: InvalidClientTokenId: The security token included in the request is invalid.\n\tstatus code: 403, request id: df801b17-dedf-4860-bf8d-b6d711476c84"}
│ 
│   with boundary_host_catalog_plugin.boundary,
│   on hosts.tf line 18, in resource "boundary_host_catalog_plugin" "boundary":
│   18: resource "boundary_host_catalog_plugin" "boundary" {
│ 
╵
ERROR: Job failed: exit code 1

I've tried manually deleting the Boundary user from IAM and rerunning plan and deploy a couple of times, to no avail. I don't know how to solve this without running a terraform destroy.

Plugin should use AWS SDK Credential Resolution Order

Right now it is impossible to use the AWS plugin without specifying a key via the API. When running boundary controllers on AWS instances this is a documented anti-pattern and the instance profile should be used instead.

What would it take to get this changed? I can put together a patch if there's good documentation around this.
