Code Ocean VPC Administration Guide
v2.13
Assumable Roles

Learn how to configure AWS Assumable roles in CodeOcean


Last updated 1 year ago


Overview

IAM roles in AWS enable administrators to control user and group access to AWS resources, such as external datasets stored in Amazon S3 buckets, without the need to share sensitive secrets such as access keys or passwords.

By leveraging assumable roles, administrators can define fine-grained access permissions, enforce security best practices, and maintain control over data access. This approach enhances security, reduces the risk of unauthorized access, and promotes a least privilege access model for accessing S3 data within Code Ocean.

Configuration

Part 1 - AWS

IAM

  • Create a new IAM role of type "Custom Trust Policy" (see the AWS guide) with the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws_account_id>:root",
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
  • Create and attach an ECS AssumeRole policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
          "Action": [
            "iam:PassRole"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "iam:PassedToService": [
                "ecs-tasks.amazonaws.com"
              ]
            }
          }
        }
    ]
}
  • Create and attach a policy that grants access to S3 (Read/Write):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket_name>",
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }
    ]
}
Read-only variant of the same policy (s3:GetObject and s3:ListBucket only):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket_name>",
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }
    ]
}
  • Attach Code Ocean's batch job policy [CodeOcean-Stack-Name]-BatchJobPolicy-*******. This policy grants the permissions needed to run pipelines in Code Ocean.
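The trust policy above names the account root as a principal, which delegates the real decision to the IAM policies of that account, so it is worth checking both documents for the common mistakes before attaching them. The following audit script is an added example and not part of Code Ocean's tooling; it re-creates the page's policies with a made-up account id (123456789012) and bucket name (co-example-datasets) and flags open principals, wildcard S3 actions, unscoped resources and an unconditioned iam:PassRole.

```python
import re

# Principals the trust policy may name (account root or IAM role/user ARN) and the
# bucket-scoped resource ARNs the S3 policy should be limited to (never "*").
ACCOUNT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:(root|role/.+|user/.+)$")
BUCKET_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.-]+(/\*)?$")

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(trust):
    """Flag sts:AssumeRole statements that admit arbitrary or malformed AWS principals."""
    findings = []
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in aws:
            if arn == "*":
                findings.append("trust policy allows any AWS principal to assume the role")
            elif not ACCOUNT_PRINCIPAL.match(arn):
                findings.append(f"unexpected AWS principal {arn!r}")
    return findings

def audit_permissions(policy):
    """Flag wildcard S3 actions, unscoped bucket resources and unconditioned iam:PassRole."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append("wildcard action grants more than the listed S3 operations")
        if any(a.startswith("s3:") for a in actions) and not all(BUCKET_ARN.match(r) for r in resources):
            findings.append("S3 actions are not scoped to a single bucket ARN")
        if "iam:PassRole" in actions and "iam:PassedToService" not in st.get("Condition", {}).get("StringLike", {}):
            findings.append("iam:PassRole is not restricted with iam:PassedToService")
    return findings

# Constructed samples: the page's policies with a made-up account id and bucket name filled in.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root", "Service": "ecs-tasks.amazonaws.com"}}]}
SAMPLE_S3 = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::co-example-datasets", "arn:aws:s3:::co-example-datasets/*"]}]}
SAMPLE_PASSROLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"],
    "Resource": "*", "Condition": {"StringLike": {"iam:PassedToService": ["ecs-tasks.amazonaws.com"]}}}]}
```

Running the two audit functions over the three samples returns no findings; feed them the JSON of your own role (for example via `aws iam get-role` and `get-policy-version` output) to check a real deployment.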

CloudFormation

  • Go to the Code Ocean deployment stack in the CloudFormation console and click "Update".

  • Choose to use the current template for the stack update and click "Next".

  • In the "IAM Configuration" parameter section, set the "Assumable IAM roles" parameter to the ARN of the IAM role that CodeOcean should be allowed to assume. To allow more than one role, separate the ARNs with commas.

You can configure the roles during the stack update even if the roles do not exist yet.

Part 2 - Identity Provider

  • Create a custom SAML app for CodeOcean and configure CodeOcean's authentication method to SAML SSO (see the How To).

  • Add custom attributes to your User/Group profile:

    • Role (string).

    • SessionDuration (int - seconds).

  • Assign an IAM role to a User/Group by filling in the Role and SessionDuration attributes in their profile.

  • Add the Role, SessionDuration and Primary email attributes to the SAML attribute mapping:

    • Role -> https://aws.amazon.com/SAML/Attributes/Role

    • SessionDuration -> https://aws.amazon.com/SAML/Attributes/SessionDuration

    • Primary email -> https://aws.amazon.com/SAML/Attributes/RoleSessionName

Example - Google Workspace:

  1. Open the Admin console.

  2. Go to "Directory" -> "Users" and click "More Options" -> "Configure custom attributes".

  3. Add the attributes:

  4. Go to a User profile -> "User Information" -> Add the Role and SessionDuration attributes under the AWS tab:

  5. Go to your CodeOcean custom SAML app under "Web and Mobile Apps" -> Edit the "SAML Attribute Mapping" section:
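Before a user is pointed at the new SAML app it helps to sanity-check what their Role, SessionDuration and Primary email attributes will produce at the AWS end, because STS rejects the assertion outright when any of them is out of range. The following validator is an added example, not Code Ocean's code; it assumes the Role attribute carries the bare role ARN that was entered in the "Assumable IAM roles" stack parameter, uses a made-up account id and role names, and applies the documented STS limits for AssumeRoleWithSAML (RoleSessionName 2-64 characters of [\w+=,.@-], DurationSeconds from 900 up to the role's MaxSessionDuration, which defaults to 3600 and cannot exceed 43200).

```python
import re

# STS limits for AssumeRoleWithSAML: RoleSessionName is 2-64 chars of [\w+=,.@-];
# DurationSeconds is at least 900 and at most the role's MaxSessionDuration (never above 43200).
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")
MIN_DURATION, ABSOLUTE_MAX_DURATION = 900, 43200

# The attribute names the SAML mapping above sends to AWS.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

def parse_assumable_roles(param):
    """Split the comma-delimited 'Assumable IAM roles' CloudFormation parameter into ARNs."""
    return [r.strip() for r in param.split(",") if r.strip()]

def validate_saml_attributes(attrs, assumable_roles, role_max_session=3600):
    """Return the problems a user's attributes would cause; an empty list means the mapping is usable."""
    problems = []
    role = attrs.get(ROLE_ATTR, "")
    if not ROLE_ARN.match(role):
        problems.append(f"Role attribute is not an IAM role ARN: {role!r}")
    elif role not in assumable_roles:
        problems.append(f"Role {role} is not in the stack's assumable roles list")
    duration = str(attrs.get(DURATION_ATTR, ""))
    if not duration.isdigit():
        problems.append("SessionDuration must be an integer number of seconds")
    else:
        seconds = int(duration)
        if not MIN_DURATION <= seconds <= ABSOLUTE_MAX_DURATION:
            problems.append(f"SessionDuration {seconds} is outside the STS range {MIN_DURATION}-{ABSOLUTE_MAX_DURATION}")
        elif seconds > role_max_session:
            problems.append(f"SessionDuration {seconds} exceeds the role's MaxSessionDuration {role_max_session}")
    name = attrs.get(SESSION_NAME_ATTR, "")
    if not SESSION_NAME.match(name):
        problems.append(f"RoleSessionName (Primary email) {name!r} is not 2-64 chars of [\\w+=,.@-]")
    return problems

# Constructed sample: two roles configured on the stack and one user's attributes (made-up values).
STACK_ROLES = parse_assumable_roles(
    "arn:aws:iam::123456789012:role/co-s3-reader, arn:aws:iam::123456789012:role/co-s3-writer")
SAMPLE_USER = {ROLE_ATTR: "arn:aws:iam::123456789012:role/co-s3-reader",
               DURATION_ATTR: "3600", SESSION_NAME_ATTR: "alice@example.org"}
```

Pass the role's actual MaxSessionDuration as `role_max_session` when it has been raised above the one-hour default, otherwise a SessionDuration that the IdP accepts will still be refused by STS.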

Conclusion

By following the outlined steps, you can enhance the security and control of accessing AWS resources within Code Ocean. IAM roles provide administrators with fine-grained access permissions, allowing users to interact with external datasets stored in Amazon S3 buckets without compromising sensitive credentials. Leveraging assumable roles, you can enforce security best practices and maintain control over data access.
