roadiehq / backstage-plugin-aws-auth Goto Github PK

Can you please help me out with the AWS credentials?

1. Where I should update this? in which file ? or do I need to create new file and update this snippet

async function generateCredentials(backendUrl: string) {
  const reqBody = JSON.stringify({ RoleArn: 'arn:aws:iam::0123456789012:role/Example' });
  const resp = await (await fetch(`${backendUrl}/aws/credentials`, { body: reqBody })).json();
  return new AWS.Credentials({
    accessKeyId: resp.AccessKeyId,
    secretAccessKey: resp.SecretAccessKey,
    sessionToken: resp.SessionToken,
  });
}
AWS.config.credentials = await generateCredentials(backendUrl);

2. where I can store my AWS credentials? what file or any new file I need to create?

Clear instructions would be very helpful, as I am getting errors with my own steps.

Currently creds are needed to be exported as env variables. Modify initialization logic to use AWS preferred functionality to go through the default AWS credential provider chain instead.
See: https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/setting-credentials-node.html

Feature Suggestion

In a environment with multiple VPC's it would be ideal to be able to authenticate using IAM Groups

Possible Implementation

Context

It would be great to have this plugin support role switching when operating within an AWS organization. It's pretty rare that all your resources are contained within the same AWS account, and I'd like to be able to access other accounts without needing to change the AWS keys available in the keychain for each call.

Feature Suggestion

For something like the (backstage-plugin-aws-lambda)[https://github.com/RoadieHQ/backstage-plugin-aws-lambda] project, if we could provide a roleArn directive to the metadata annotations, and the backend AWS auth would use the default credentials to assume the role before attempting the API call, we'd be able to safely do cross-account AWS API calls.

For example

metadata:
  annotations:
    aws.com/role-arn: arn:aws:iam::123456789012:role/Backstage
    aws.com/lambda-function-name: HelloWorld
    aws.com/lambda-region: us-east-1

The plugin would use the existing credentials chain available to it, and use the assumeRole functionality within STS to get temporary credentials to use for the subsequent getFunctionByName call.

Extending generateCredentials