Add Support for IAM Roles Anywhere CreateSession #3533

Open

rittneje opened this issue Jul 19, 2022 · 10 comments

Labels
cross-sdk feature-request A feature should be added or improved. l Effort estimation: large p2 This is a standard priority issue

Comments

@rittneje

Describe the feature

Add native support for CreateSession to the SDK.

Use Case

We would like to leverage IAM Roles Anywhere to "bootstrap" AWS credentials into our external services that are written in C#. We are unable to use the precanned credential_process binaries.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS .NET SDK and/or Package version used

n/a

Targeted .NET Platform

.NET Standard 2.0

Operating System and version

Windows, Linux

@rittneje rittneje added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 19, 2022
@ashishdhingra
Contributor

Hi @rittneje,

Good afternoon.

The link https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html talks about downloading the external utility for the signing process and using it in conjunction with credential_process. This returns the same output structure as returned by the credential_process mentioned in Sourcing credentials with an external process. Maybe you could set up the IAM Roles Anywhere credential helper to be executed as part of a batch program (on Windows) and specify that batch program with parameters in the credentials file:

[profile developer]
credential_process = <<path-to-credentials-helper-batch-program>> --certificate <<path-to-certificate-file>> ...

How is this implemented in other SDK(s)? As per above reference links, you intend to call the external helper tool that returns temporary credentials. This external helper could be used with credential_process setting in credentials file.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 14, 2022
@rittneje
Author

@ashishdhingra We cannot run an external binary like that, which is why I'd like the SDK to do it natively instead.

> How is this implemented in other SDK(s)?

AFAIK it is not currently implemented in any SDKs, since the expectation from AWS was everyone would outsource to it as a credential process. However, as I mentioned, that is neither feasible nor desirable for us. Instead the functionality within that binary should be ported into all the SDKs as a first-class feature.

@ashishdhingra
Contributor

> @ashishdhingra We cannot run an external binary like that, which is why I'd like the SDK to do it natively instead.
>
> > How is this implemented in other SDK(s)?
>
> AFAIK it is not currently implemented in any SDKs, since the expectation from AWS was everyone would outsource to it as a credential process. However, as I mentioned, that is neither feasible nor desirable for us. Instead the functionality within that binary should be ported into all the SDKs as a first-class feature.

@rittneje There is specification around this as far as we are aware. This needs to be discussed with the team, probably a cross-SDK feature request.

@ashishdhingra ashishdhingra added needs-review and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Sep 14, 2022
@ashishdhingra ashishdhingra transferred this issue from aws/aws-sdk-net Sep 15, 2022
@lee-11

lee-11 commented Dec 9, 2022

Likewise, when creating applications to run on remote devices I would like to make use of IAM Roles Anywhere to authenticate all calls made via the SDK without managing a dependency manually or altering my existing SDK client code.

The overhead of manually installing and updating a separate executable dependency is burdensome. I don't need to do that in general (that is, if I use keys they are automatically discovered on storage or in the environment). Likewise, when using SSO authentication I don't need to alter my code to make use of credentials generated by aws sso login (which I don't expect to be directly supported in the SDK since human involvement is necessary).

I appreciate that a credential provider is being made available, and understand that it's necessary to identify that a given profile should make use of a certificate at a given location, but it seems a convention-based approach (certificate file name/location) would work as well. Bundling support for certificate based authentication into the SDK (likely as a new nuget package as was done with AWSSDK.SSO) would make adoption much easier.

@bhsdodo

bhsdodo commented Sep 7, 2023

Any updates on this issue?

@dylanbartley

dylanbartley commented Nov 17, 2023

Is there an update on this? I have tried to replicate the functionality in .NET Standard 2.0 following the instructions from https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html, with no luck,

as well as trying to understand the Go implementation at https://github.com/aws/rolesanywhere-credential-helper, which doesn't work for me, and I don't know enough about Go to make it work.

@TomTum89

When will this be resolved?

@salrashid123

I uploaded a small library here in Go that does this exchange. It's not going to help out much in this case since you're asking about .NET support and for something official from AWS.

(Disclaimer: I rarely use AWS and only recently came across this capability, so the library there is just a proof of concept, that's all; suggestions are welcome.)

@dylanbartley

Forgot to return and update this thread. I did end up creating a .NET library for this.

SaiphIamRolesAnywhere

@ashishdhingra ashishdhingra added p2 This is a standard priority issue and removed needs-review labels Aug 29, 2024
@krnbr

krnbr commented Oct 28, 2024

I recently did a POC with regards to this. First of all, thanks to AWS! Awesome service: AWS IAM Roles Anywhere.

I am more of a Java + Spring Boot developer, so I leveraged that tech and did a custom provider based on AWS's internal classes etc.

Though the piece of code I did is not perfect (compared to the awesome AWS SDKs; it is mostly inspired by them)!

The link to the blog post is here

Suggestion to the team: a custom AWS provider that can accept

  • cert and keys as base64 strings or, as an alternative, a file location.
  • the important ARNs relating to the role, trust anchor, profile, etc.
  • region
  • duration of the session

The POC I did covered the following important scenarios:

  • supports EC and RSA keys
  • supports chained EC and RSA keys, only one level of intermediate CA as of date.
  • auto-refreshes the temporary credentials just before expiry of the existing credentials, mostly inspired by STS's providers.

This way I can fetch IAM Roles Anywhere session-based temporary credentials without creating a complex custom image/server that depends heavily on the CLI or signing helper.
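
The signing process dylanbartley tried to replicate and the provider inputs krnbr lists above (certificate and key, the three ARNs, region, session duration, EC or RSA keys, an optional intermediate chain) fit in one self-contained routine. The following is an added Go example written for this page; it is not code from this thread, from the rolesanywhere-credential-helper, or from any AWS SDK. It walks the four tasks of the documented signing process (canonical request, string to sign, signature, Authorization header) and then re-verifies the signature the way the service would after chaining the certificate to a trust anchor. The ARNs are placeholders and the P-256 certificate is a throwaway self-signed one constructed here so the example runs offline; the real service would reject it because it chains to no registered trust anchor. Nothing is sent over the network, and credential refresh is not shown.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// SessionRequest is the JSON body of CreateSession (POST /sessions).
type SessionRequest struct {
	DurationSeconds int    `json:"durationSeconds"`
	ProfileArn      string `json:"profileArn"`
	RoleArn         string `json:"roleArn"`
	TrustAnchorArn  string `json:"trustAnchorArn"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignCreateSession builds a CreateSession request and signs it with the X.509 variant
// of SigV4: the end-entity cert rides in X-Amz-X509, intermediates in X-Amz-X509-Chain,
// and the cert's decimal serial number stands in for the access key id in the
// Credential scope. It returns the request and the string to sign (useful for logging
// and for local re-verification); nothing is sent over the network.
func SignCreateSession(region string, body SessionRequest, leaf *x509.Certificate,
	chain []*x509.Certificate, key crypto.Signer, now time.Time) (*http.Request, string, error) {
	algorithm := "AWS4-X509-ECDSA-SHA256"
	if _, isRSA := key.(*rsa.PrivateKey); isRSA {
		algorithm = "AWS4-X509-RSA-SHA256"
	} else if _, isEC := key.(*ecdsa.PrivateKey); !isEC {
		return nil, "", fmt.Errorf("unsupported private key type %T", key)
	}
	payload, _ := json.Marshal(body)
	host := "rolesanywhere." + region + ".amazonaws.com"
	amzDate := now.UTC().Format("20060102T150405Z")
	// Headers listed in canonical (lowercase, sorted) order; x-amz-x509-chain sorts last.
	headers := [][2]string{{"content-type", "application/json"}, {"host", host},
		{"x-amz-date", amzDate}, {"x-amz-x509", base64.StdEncoding.EncodeToString(leaf.Raw)}}
	if len(chain) > 0 { // intermediates only; the trust-anchor CA itself is never sent
		var parts []string
		for _, c := range chain {
			parts = append(parts, base64.StdEncoding.EncodeToString(c.Raw))
		}
		headers = append(headers, [2]string{"x-amz-x509-chain", strings.Join(parts, ",")})
	}
	// Task 1: canonical request. The same loop sets the headers on the outgoing request
	// so the signed values and the sent values cannot drift apart.
	req, _ := http.NewRequest(http.MethodPost, "https://"+host+"/sessions", strings.NewReader(string(payload)))
	var canonicalHeaders string
	var names []string
	for _, h := range headers {
		canonicalHeaders += h[0] + ":" + strings.TrimSpace(h[1]) + "\n"
		names = append(names, h[0])
		req.Header.Set(h[0], h[1])
	}
	signedHeaders := strings.Join(names, ";")
	canonicalRequest := strings.Join([]string{http.MethodPost, "/sessions", "",
		canonicalHeaders, signedHeaders, sha256Hex(payload)}, "\n")
	// Task 2: string to sign, scoped to date/region/service.
	scope := amzDate[:8] + "/" + region + "/rolesanywhere/aws4_request"
	stringToSign := strings.Join([]string{algorithm, amzDate, scope,
		sha256Hex([]byte(canonicalRequest))}, "\n")
	// Task 3: sign SHA-256(stringToSign) with the certificate's private key:
	// PKCS#1 v1.5 for RSA, ASN.1 DER for ECDSA. The signature is hex-encoded.
	digest := sha256.Sum256([]byte(stringToSign))
	sig, err := key.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return nil, "", err
	}
	// Task 4: the Authorization header carries algorithm, serial-number scope and signature.
	req.Header.Set("Authorization", fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		algorithm, leaf.SerialNumber.String(), scope, signedHeaders, hex.EncodeToString(sig)))
	return req, stringToSign, nil
}

// VerifyRequest re-checks the Authorization signature against the leaf's public key,
// the step the service performs after chaining the cert to the trust anchor.
func VerifyRequest(req *http.Request, stringToSign string, leaf *x509.Certificate) bool {
	auth := req.Header.Get("Authorization")
	i := strings.LastIndex(auth, "Signature=")
	if i < 0 {
		return false
	}
	sig, err := hex.DecodeString(auth[i+len("Signature="):])
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(stringToSign))
	switch pub := leaf.PublicKey.(type) {
	case *ecdsa.PublicKey:
		return ecdsa.VerifyASN1(pub, digest[:], sig)
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
	}
	return false
}

// newDemoCert builds a throwaway self-signed P-256 cert so the example runs offline.
// It is constructed here and trusted by nothing; a real workload presents a cert issued
// by the CA registered as the trust anchor, with digitalSignature key usage.
func newDemoCert() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(123456789),
		Subject: pkix.Name{CommonName: "demo-workload"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	cert, key, err := newDemoCert()
	if err != nil {
		panic(err)
	}
	body := SessionRequest{DurationSeconds: 3600, RoleArn: "arn:aws:iam::123456789012:role/EXAMPLE", // placeholder ARNs
		ProfileArn:     "arn:aws:rolesanywhere:us-east-1:123456789012:profile/EXAMPLE",
		TrustAnchorArn: "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/EXAMPLE"}
	req, stringToSign, err := SignCreateSession("us-east-1", body, cert, nil, key, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Header.Get("Authorization"))
	fmt.Println("verifies locally:", VerifyRequest(req, stringToSign, cert))
}
```

A credential provider built on this would send the request, parse the temporary credentials out of the response, and schedule a re-sign shortly before their expiration, which is the refresh behaviour krnbr describes. Two points worth keeping from the example when porting it to C# or Java: the request headers must be emitted in exactly the order and form that went into the canonical request, and the private key never leaves the process, since only the certificate (and its intermediates) travel to the service.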

@ashishdhingra ashishdhingra transferred this issue from aws/aws-sdk Oct 30, 2024
@ashishdhingra ashishdhingra removed their assignment Oct 30, 2024
@ashishdhingra ashishdhingra added the l Effort estimation: large label Oct 30, 2024
No branches or pull requests

8 participants