This module provisions an AWS Lambda function and an AWS API Gateway endpoint that return temporary STS credentials for a given assumed-role ARN.
It is useful when services or entities running outside AWS need access to AWS resources.
- IAM roles with the required IAM policies.
- Configure the trust relationship in the assumed IAM roles after the Lambda function has been provisioned.
Aside from the default prerequisites, the following additional resources must be provisioned before using this module:
- A Route53 zone for the domain name
- Access to the `us-east-1` AWS region
- Terraform version `0.11.x`
- awsudo to assume roles in AWS
- Visual Studio Code is the best editor for the Terraform extension. After installing it, activate auto-formatting by going to `File` → `Preferences` → `Settings`, choosing `Text Editor` → `Formatting`, and checking `Format on Save`.
- pre-commit-terraform:
  - Install its dependencies
  - Execute `pre-commit install`
- Go to `examples` and then into each scenario
- Follow the instructions in its `README.md`
Request:

```bash
curl -X POST \
  https://<INVOKE URL of API Gateway> \
  -H 'Content-Type: application/json' \
  -d '{
    "assumed_role_arn" : "arn:aws:iam::XXXXXXXXXXXX:role/crossaccount/XXXXXXXXXXXX/XXXXXXXXXXXX-XXXXXXXXXXXX",
    "token_duration" : 1800,
    "external_id" : "XXXXXXXXXXXX",
    "expiry_window" : 10
  }'
```
Response:

```json
{
  "Version": 1,
  "AccessKeyId": "XXXXXXXXXXXX",
  "SecretAccessKey": "XXXXXXXXXXXX",
  "SessionToken": "XXXXXXXXXXXX",
  "Expiration": "2019-12-08T16:18:03Z"
}
```
`assumed_role_arn` is a mandatory field and must contain the ARN of the IAM role you want to get credentials for.
If omitted, `token_duration` and `expiry_window` default to `3600` and `0` respectively.
`external_id` is optional; supply it when you have configured one in the IAM role's trust relationship.
See: Session Duration Limit for Role Chaining

> Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour.
> When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter.
> You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role.
> However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails.
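As an added client-side example (not code from this module), the helper below builds the request body shown above with the documented defaults, rejects a `token_duration` above the one-hour role-chaining limit quoted above, and validates the `Version: 1` response before it is handed to other tooling. It assumes the Lambda assumes the target role from its own execution role (hence role chaining, consistent with the `3600` default); the invoke URL, the `post` hook and the sample ARN are placeholders.

```python
import json
import re
import sys
import urllib.request
from datetime import datetime, timezone

DEFAULT_TOKEN_DURATION = 3600  # README default when token_duration is omitted
DEFAULT_EXPIRY_WINDOW = 0      # README default when expiry_window is omitted
ROLE_CHAINING_MAX = 3600       # assumed: the Lambda chains roles, so AssumeRole with > 1 h fails
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
REQUIRED_KEYS = ("Version", "AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

def build_request(assumed_role_arn, token_duration=None, expiry_window=None, external_id=None):
    """Validate inputs client-side and build the JSON body the endpoint expects."""
    if not assumed_role_arn or not ROLE_ARN_RE.match(assumed_role_arn):
        raise ValueError("assumed_role_arn is mandatory and must be an IAM role ARN")
    duration = DEFAULT_TOKEN_DURATION if token_duration is None else int(token_duration)
    if not 0 < duration <= ROLE_CHAINING_MAX:
        raise ValueError("token_duration must be 1..3600 s (role-chaining limit)")
    body = {"assumed_role_arn": assumed_role_arn, "token_duration": duration,
            "expiry_window": DEFAULT_EXPIRY_WINDOW if expiry_window is None else int(expiry_window)}
    if external_id is not None:
        body["external_id"] = external_id
    return body

def parse_response(raw, now=None):
    """Check the Version 1 credential document; return (doc, seconds until Expiration)."""
    doc = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing or doc["Version"] != 1:
        raise ValueError(f"unexpected credential document (missing={missing})")
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    remaining = int((expires - (now or datetime.now(timezone.utc))).total_seconds())
    if remaining <= 0:
        raise ValueError("credentials already expired")
    return doc, remaining

def fetch_credentials(invoke_url, body, post=None, now=None):  # `post` is injectable for offline tests
    if not invoke_url.startswith("https://"):
        raise ValueError("refusing to request credentials over plain HTTP")
    if post is None:
        def post(url, data):  # real transport, standard library only
            req = urllib.request.Request(url, data=data, method="POST",
                                         headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode()
    return parse_response(post(invoke_url, json.dumps(body).encode()), now)

if __name__ == "__main__":  # usage: python creds.py <INVOKE URL> <role ARN>; output suits credential_process
    print(json.dumps(fetch_credentials(sys.argv[1], build_request(sys.argv[2]))[0]))
```

The printed document has exactly the shape the AWS CLI accepts from a `credential_process` entry in `~/.aws/config`, so the script can serve as the credential source for a profile.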
Check the contribution guide in CONTRIBUTING.md.
For questions, issues, and pull requests you can contact these people:
- Frans Caisar Ramadhan (Author)
See the LICENSE
This repository was made possible by inspiration from the following parties:
- Readme Template
- Friendly Readme
- Opensource Guide
- Github Repository Template
- Inspiration from other open source projects