Assumable Roles
Learn how to configure AWS Assumable roles in CodeOcean
Overview
IAM roles in AWS enable administrators to control user and group access to AWS resources, such as external datasets stored in Amazon S3 buckets, without the need to share sensitive secrets such as access keys or passwords.
By leveraging assumable roles, administrators can define fine-grained access permissions, enforce security best practices, and maintain control over data access. This approach enhances security, reduces the risk of unauthorized access, and promotes a least privilege access model for accessing S3 data within Code Ocean.
Configuration
Part 1 - AWS
IAM
Create a new IAM role of type "Custom Trust Policy" - AWS guide.
Create and attach an ECSAssumeRole policy:
Create and attach a policy that grants access to S3 (Read/Write) - AWS guide
Attach Code Ocean's batch job policy, [CodeOcean-Stack-Name]-BatchJobPolicy-*******. Code Ocean's batch job policy grants the permissions needed to run pipelines in Code Ocean.
CFN
Go to the Code Ocean deployment stack in the CloudFormation console and click "Update".
Choose to use the current template for the stack update and click "Next".
In the "IAM Configuration" parameter section, under the "Assumable IAM roles" parameter, enter the ARN of the IAM role that you want to allow Code Ocean to assume. To enter more than one role, separate the ARNs with commas.
You can pre-configure the roles during the stack update even if they do not yet exist.
Part 2 - Identity Provider
Add custom attributes to your User/Group profile:
Role (string).
SessionDuration (integer, in seconds).
Assign an IAM role to a User/Group by filling the Role and SessionDuration attributes in their profile.
Create a custom SAML app for Code Ocean and set Code Ocean's authentication method to SAML SSO - How To
Add the Role, SessionDuration and Primary email attributes to the SAML attribute mapping:
SessionDuration -> https://aws.amazon.com/SAML/Attributes/SessionDuration
Primary email -> https://aws.amazon.com/SAML/Attributes/RoleSessionName
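As an added example (not Code Ocean's own code), the helpers below build an S3 read/write policy scoped to one bucket and key prefix as Part 1 asks for, lint a policy for wildcard grants, parse the comma-delimited "Assumable IAM roles" stack parameter, and check a SessionDuration value against the range AWS accepts for that SAML attribute. Bucket names and role ARNs are constructed placeholders.

```python
# Added example (not Code Ocean's own code): least-privilege helpers for the
# assumable-role setup described above. Bucket names and ARNs are constructed.
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def s3_rw_policy(bucket, prefix=""):
    """Read/write policy scoped to one bucket and one key prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is allowed only under the chosen prefix
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
            {   # object access is limited to the same prefix
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }

def lint_policy(policy):
    """Flag Allow statements that use wildcard actions or resources."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        findings += [f"statement {i}: broad action {a}" for a in acts
                     if a == "*" or a.endswith(":*")]
        findings += [f"statement {i}: wildcard resource" for r in res if r == "*"]
    return findings

def parse_assumable_roles(param):
    """Split the comma-delimited CFN parameter and validate each role ARN."""
    arns = [p.strip() for p in param.split(",") if p.strip()]
    bad = [a for a in arns if not ROLE_ARN.match(a)]
    if bad:
        raise ValueError(f"invalid role ARN(s): {bad}")
    return arns

def valid_session_duration(seconds):
    """AWS accepts 900-43200 s; the role's MaxSessionDuration must allow it too."""
    return 900 <= seconds <= 43200
```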
Example - Google Workspace:
Open the Admin console.
Go to "Directory" -> Users and click "More Options" -> "Configure custom attributes".
Add the attributes:
Go to a User profile -> "User Information" -> Add the Role and SessionDuration attributes under the AWS tab:
Go to your CodeOcean custom SAML app under "Web and Mobile Apps" -> Edit the "SAML Attribute Mapping" section:
Go back to the main app page, click on the "User access" section and activate the "Service status":
Conclusion
By following the outlined steps, you can enhance the security and control of accessing AWS resources within Code Ocean. IAM roles provide administrators with fine-grained access permissions, allowing users to interact with external datasets stored in Amazon S3 buckets without compromising sensitive credentials. Leveraging assumable roles, you can enforce security best practices and maintain control over data access.