Assumable Roles

Learn how to configure AWS Assumable roles in CodeOcean

Overview

IAM roles in AWS enable administrators to control user and group access to AWS resources, such as external datasets stored in Amazon S3 buckets, without having to share sensitive secrets such as access keys or passwords.

By leveraging assumable roles, administrators can define fine-grained access permissions, enforce security best practices, and maintain control over data access. This approach enhances security, reduces the risk of unauthorized access, and promotes a least privilege access model for accessing S3 data within Code Ocean.

Configuration

Part 1 - AWS

IAM

  • Create a new IAM role of type "Custom Trust Policy" - AWS guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws_account_id>:root",
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
  • Create and attach an ECSAssumeRole policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
          "Action": [
            "iam:PassRole"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "iam:PassedToService": [
                "ecs-tasks.amazonaws.com"
              ]
            }
          }
        }
    ]
}
  • Create and attach a policy that grants read/write access to S3 - AWS guide

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket_name>",
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }
    ]
}
  • Attach Code Ocean's batch job policy, [CodeOcean-Stack-Name]-BatchJobPolicy-*******. This policy grants the permissions needed to run pipelines in Code Ocean.
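The three policies above are easy to get subtly wrong (a trust policy that names the wrong account, a PassRole grant without the iam:PassedToService condition, an S3 grant on every bucket). The following Python checker is an added example, not part of this page or of Code Ocean's tooling; it embeds constructed copies of the page's policies with placeholder account and bucket values and reports deviations from the shape the page prescribes.

```python
import json

# Constructed samples that mirror the page's three policies, with placeholder account and bucket values.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root", "Service": "ecs-tasks.amazonaws.com"}}]}
PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
    "Condition": {"StringLike": {"iam:PassedToService": ["ecs-tasks.amazonaws.com"]}}}]}
S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}

def _as_list(value):
    # IAM accepts a bare string or a list for Principal, Action and Resource values.
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, expected_account):
    """Empty result: only the expected account root and the ECS tasks service may assume the role."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("any principal may assume the role")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or f":{expected_account}:" not in arn:
                findings.append(f"unexpected AWS principal {arn}")
        for svc in _as_list(principal.get("Service", [])):
            if svc != "ecs-tasks.amazonaws.com":
                findings.append(f"unexpected service principal {svc}")
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action}")
    return findings

def permissions_policy_findings(policy):
    """Empty result: PassRole is tied to iam:PassedToService and S3 access names a bucket."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if "iam:PassRole" in actions and "iam:PassedToService" not in json.dumps(st.get("Condition", {})):
            findings.append("iam:PassRole is not restricted by iam:PassedToService")
        if any(a.startswith("s3:") for a in actions) and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append("S3 actions are granted on every bucket")
    return findings
```

Run it against the policy documents you actually attach (for example, the JSON returned by `aws iam get-role` and `aws iam get-policy-version`) before updating the CloudFormation stack.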

CFN

  • Go to the Code Ocean deployment stack in the CloudFormation console and click "Update".

  • Choose to use the current template for the stack update and click "Next".

  • In the "IAM Configuration" parameter section, set the "Assumable IAM roles" parameter to the ARN of the IAM role that Code Ocean should be allowed to assume. To add more than one role, separate the ARNs with commas.

You can pre-configure the roles during the stack update even if the roles do not exist yet.

Part 2 - Identity Provider

Example - Google Workspace:

  1. Open the Admin console.

  2. Go to "Directory" -> "Users" and click "More Options" -> "Configure custom attributes".

  3. Add the attributes:

  4. Go to a User profile -> "User Information" -> Add the Role and SessionDuration attributes under the AWS tab:

  5. Go to your Code Ocean custom SAML app under "Web and Mobile Apps" and edit the "SAML Attribute Mapping" section:

  6. Go back to the main app page, click on the "User access" section and activate the "Service status":

Conclusion

By following the outlined steps, you can enhance the security and control of accessing AWS resources within Code Ocean. IAM roles provide administrators with fine-grained access permissions, allowing users to interact with external datasets stored in Amazon S3 buckets without compromising sensitive credentials. Leveraging assumable roles, you can enforce security best practices and maintain control over data access.
