Commit

Merge pull request #3 from electrolux-oss/2/IAM-user-optional
#2 make IAM user optional, add docs about this
gluckzhang authored Jun 5, 2024
2 parents 63427d7 + 605e4a7 commit 33aadb2
Showing 4 changed files with 20 additions and 10 deletions.
10 changes: 6 additions & 4 deletions README.md
Expand Up @@ -24,7 +24,7 @@ The configuration schema of InfraWallet is defined in the [plugins/infrawallet-b

#### AWS

For AWS, InfraWallet relies on an IAM role to fetch cost and usage data using AWS Cost Explorer APIs. Thus before adding the configurations, AWS IAM user, role, and policy need to be set up. If you have multiple AWS accounts, you can reuse the IAM user in one account and grant the necessary permissions to the role in each account. The role to be assumed in an AWS account needs the following permission:
For AWS, InfraWallet relies on an IAM role to fetch cost and usage data using AWS Cost Explorer APIs. Thus before adding the configurations, AWS IAM role and policy need to be set up. If you have multiple AWS accounts, you should create a role in each account and configure trust relationships for it. The role to be assumed in an AWS account needs the following permission:

```json
{
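Review bot: The rewritten AWS paragraph tells readers to "configure trust relationships" for the role in each account, but with the IAM user removed from the text it no longer says which principal the role should trust. Suggest naming both cases explicitly: the IAM user when `accessKeyId` and `accessKeySecret` are configured, otherwise the identity the backend runs as, and recommending that the trust policy be scoped to that one principal.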
Expand All @@ -50,10 +50,12 @@ backend:
- name: <unique_name_of_this_account>
accountId: '<12-digit_account_ID>' # quoted as a string
assumedRoleName: <name_of_the_AWS_IAM_role_to_be_assumed>
accessKeyId: <access_key_ID_of_AWS_IAM_user_that_assumes_the_role>
accessKeySecret: <access_key_secret_of_AWS_IAM_user_that_assumes_the_role>
accessKeyId: <access_key_ID_of_AWS_IAM_user_that_assumes_the_role> # optional, only needed when an IAM user is used to assume the role
accessKeySecret: <access_key_secret_of_AWS_IAM_user_that_assumes_the_role> # optional, only needed when an IAM user is used to assume the role
```
The AWS client in InfraWallet is implemented using AWS SDK for JavaScript. If `accessKeyId` and `accessKeySecret` are defined in the configuration, it uses the configured IAM user to assume the role. Otherwise, the client follows the credential provider chain documented [here](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/setting-credentials-node.html#credchain).

#### Azure

In order to manage Azure costs, an application needs to be registered on Azure. InfraWallet is only tested with subscription-level cost data. After creating the application, users need to go to the `Subscriptions` page, choose the target subscription and then visit the `Access control (IAM)` page. Assign the `Cost Management Reader` role to the created application. Create a new client secret for the application, and add the following configurations in `app-config.yaml`:
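Review bot: The paragraph added after the YAML block covers the case where both `accessKeyId` and `accessKeySecret` are defined and the case where neither is, but not the case where only one of them is set. Suggest stating that the two keys must be provided together and what happens otherwise. The paragraph also starts directly after the closing code fence; a blank line between them would match the rest of the section.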
Expand Down Expand Up @@ -253,7 +255,7 @@ When adding a new cloud vendor, you need to implement a client based on the inte

## Roadmap

- [ ] Make IAM user optional for AWS credentials
- [x] Make IAM user optional for AWS credentials
- [ ] Support filters besides grouping bys
- [ ] Support Google Cloud Costs
- [ ] WebUI for managing category mappings
4 changes: 2 additions & 2 deletions plugins/infrawallet-backend/config.d.ts
Expand Up @@ -20,8 +20,8 @@ export interface Config {
name: string;
accountId: string;
assumedRoleName: string;
accessKeyId: string;
accessKeySecret: string;
accessKeyId?: string;
accessKeySecret?: string;
tags?: string[];
},
];
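Review bot: `accessKeySecret?: string;` has no doc comment in the visible lines, so nothing in this part of the schema marks it as a secret. Suggest adding a `/** @visibility secret */` annotation on it, plus a short comment on both fields saying they are optional and must be set together.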
2 changes: 1 addition & 1 deletion plugins/infrawallet-backend/package.json
@@ -1,6 +1,6 @@
{
"name": "@electrolux-oss/plugin-infrawallet-backend",
"version": "0.1.0",
"version": "0.1.1",
"backstage": {
"role": "backend-plugin"
},
14 changes: 11 additions & 3 deletions plugins/infrawallet-backend/src/service/AwsClient.ts
Expand Up @@ -53,14 +53,22 @@ export class AwsClient implements InfraWalletApi {
});
const categoryMappings = await getCategoryMappings(this.database, 'aws');

const promise = (async () => {
const client = new STSClient({
let stsParams = {};
if (accessKeyId && accessKeySecret) {
stsParams = {
region: 'us-east-1',
credentials: {
accessKeyId: accessKeyId as string,
secretAccessKey: accessKeySecret as string,
},
});
};
} else {
stsParams = {
region: 'us-east-1',
};
}
const promise = (async () => {
const client = new STSClient(stsParams);
const commandInput = {
// AssumeRoleRequest
RoleArn: `arn:aws:iam::${accountId}:role/${assumedRoleName}`,
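Review bot: In the new `if (accessKeyId && accessKeySecret)` check, a configuration that sets only one of the two values falls into the `else` branch with no signal, so the role is assumed with whatever the default provider chain resolves instead of the IAM user the operator partly configured. Suggest logging a warning or throwing when exactly one of them is present. Two smaller points: `let stsParams = {}` drops the client config type, and `region: 'us-east-1'` is duplicated in both branches; building one typed object and adding `credentials` conditionally would cover both.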
