Suggestion
Resolution: Unresolved
Raising this improvement ticket based on a suggestion raised by a customer.
AWS API calls need to be authenticated with a key ID and secret. These are what the Bamboo Elastic Instances configuration requests in order to spin up EC2 instances on customers’ accounts.
The thing is, right now, only static user keys are supported. There’s another method called “Assume Role”, in which every API call is made with a different, disposable key-secret pair. This is the method recommended by AWS, since it’s far more secure and easier to manage.
Other products that require AWS credentials from customers’ accounts, such as Datadog and Sumo Logic, already use this method with great success.
The main point here is: this does not require major changes on your side, only to the authentication part.
More information can be found here:
- https://aws.amazon.com/blogs/aws/delegating-api-access-to-aws-services-using-iam-roles/
- http://docs.aws.amazon.com/IAM/latest/UserGuide/walkthru_cross-account-with-roles.html
- http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
It would be useful if the IAM Role could be specified when configuring Elastic Bamboo.
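
The Assume Role flow requested above, as an added example that is not Bamboo code and not part of the original ticket: a caller exchanges its own identity for temporary credentials via STS `AssumeRole`, signs EC2 requests with the returned key ID, secret and session token, and asks for a new set shortly before they expire. It assumes boto3 as the SDK; the role ARN, session name and the class and function names are hypothetical placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed placeholder ARN; a real one names the role created in the customer's account.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleBambooElasticRole"


class AssumedRoleCredentials:
    """Caches the temporary credentials returned by STS AssumeRole and
    requests a new set shortly before the current one expires."""

    def __init__(self, sts_client, role_arn, session_name="bamboo-elastic",
                 duration_seconds=3600, refresh_margin=timedelta(minutes=5)):
        self._sts = sts_client            # e.g. boto3.client("sts"), using the caller's own identity
        self._role_arn = role_arn
        self._session_name = session_name  # appears in CloudTrail, so it identifies the caller
        self._duration = duration_seconds
        self._margin = refresh_margin
        self._creds = None

    def get(self, now=None):
        """Return the current credential set, refreshing it when close to expiry."""
        now = now or datetime.now(timezone.utc)
        if self._creds is None or now >= self._creds["Expiration"] - self._margin:
            resp = self._sts.assume_role(
                RoleArn=self._role_arn,
                RoleSessionName=self._session_name,
                DurationSeconds=self._duration,
            )
            self._creds = resp["Credentials"]
        return self._creds

    def client_kwargs(self, now=None):
        """Keyword arguments boto3.client(...) accepts for signing requests."""
        c = self.get(now)
        return {
            "aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"],  # required with temporary keys
        }


def ec2_client(provider, region="us-east-1"):
    """Build an EC2 client from the temporary credentials (needs boto3 and network)."""
    import boto3  # imported lazily so the class above works without boto3 installed
    return boto3.client("ec2", region_name=region, **provider.client_kwargs())
```

No long-lived secret is stored with this approach: access is revoked by editing the role or its trust policy in the customer's account, and any credentials already issued stop working once they expire.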