Skip to content

KEH-2171: Assume Service Role via SSO #78

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hadiqur wants to merge 7 commits into
base: main
Choose a base branch
from
+61 −95
Open

KEH-2171: Assume Service Role via SSO #78

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0ea93d9
feat: service IAM role assumable via SSO
hadiqur May 20, 2026
fb641eb
chore: update README
hadiqur May 21, 2026
a4d39a4
chore: update README
hadiqur May 21, 2026
6813d3e
chore: update dependencies
hadiqur May 21, 2026
5e06f1b
chore: markdown linting
hadiqur May 21, 2026
c52e879
Merge branch 'main' of https://github.com/ONS-Innovation/github-copil…
hadiqur May 21, 2026
29363b8
chore: resolve further markdown lint errors
hadiqur May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 42 additions & 20 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,23 +95,39 @@ To run the Lambda function outside of a container, we need to execute the `handl

**Please Note:** If uncommenting the above in `main.py`, make sure you re-comment the code _before_ pushing back to GitHub.

2. Export the required environment variables:
2. Sign in with AWS SSO, and export the correct profile for this service:

```bash
export AWS_ACCESS_KEY_ID=<aws_access_key_id>
export AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
export AWS_DEFAULT_REGION=eu-west-2
export AWS_SECRET_NAME=<aws_secret_name>
export GITHUB_ORG=ONSDigital
export GITHUB_APP_CLIENT_ID=<github_app_client_id>
export AWS_ACCOUNT_NAME=<sdp-dev/sdp-prod>
```
```bash
aws sso login

3. Run the script.
export AWS_PROFILE=github-copilot-usage-lambda
```

```bash
python3 src/main.py
```
This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile.

**Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine.

3. Export the required environment variables:

```bash
export AWS_DEFAULT_REGION=eu-west-2
export AWS_SECRET_NAME=<aws_secret_name>
export AWS_ACCOUNT_NAME=<sdp-dev/sdp-prod>
export GITHUB_ORG=ONSDigital
export GITHUB_APP_CLIENT_ID=<github_app_client_id>
```

4. Run the script.

```bash
python3 src/main.py
```

5. To exit the profile:

```bash
unset AWS_PROFILE
```

### Running in a container

Expand All @@ -133,14 +149,20 @@ To run the Lambda function outside of a container, we need to execute the `handl
| --------------------------- | ------ | ------------ | -------------- | ----- |
| copilot-usage-lambda-script | latest | 0bbe73d9256f | 11 seconds ago | 224MB |

3. Run the image locally mapping local host port (9000) to container port (8080) and passing in AWS credentials to download a .pem file from the AWS Secrets Manager to the running container. These credentials will also be used to upload and download `historic_usage_data.json` to and from S3.
3. Sign in with AWS SSO:

```bash
aws sso login
```

**Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine. This is essential as the `~/.aws` directory is mounted to the container, so it can use the SSO session for AWS authentication.

The credentials used in the below command are for a user in AWS that has permissions to retrieve secrets from AWS Secrets Manager and upload and download files from AWS S3.
4. Run the image locally mapping local host port (9000) to container port (8080).

```bash
docker run --platform linux/amd64 -p 9000:8080 \
-e AWS_ACCESS_KEY_ID=<aws_access_key_id> \
-e AWS_SECRET_ACCESS_KEY=<aws_secret_access_key> \
-v ~/.aws:/root/.aws \
-e AWS_PROFILE=github-copilot-usage-lambda \
-e AWS_DEFAULT_REGION=eu-west-2 \
-e AWS_SECRET_NAME=<aws_secret_name> \
-e GITHUB_ORG=ONSDigital \
Expand All @@ -151,15 +173,15 @@ To run the Lambda function outside of a container, we need to execute the `handl

Once the container is running, a local endpoint is created at `localhost:9000/2015-03-31/functions/function/invocations`.

4. Post to the endpoint to trigger the function
5. Post to the endpoint to trigger the function

```bash
curl "http://localhost:9000/2015-03-31/functions/function/invocations" -d '{}'
```

This should return a message if successful.

5. Once testing is finished, stop the running container
6. Once testing is finished, stop the running container

To check the container is running

Expand Down
10 changes: 5 additions & 5 deletions poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

70 changes: 14 additions & 56 deletions terraform/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,20 @@ resource "aws_iam_role" "lambda_function_role" {
Principal = {
Service = "lambda.amazonaws.com"
}
},
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${var.aws_account_id}:root"
}
Condition = {
ArnLike = {
"aws:PrincipalArn" = [
"arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_Standard_Administrator_Access_*"
]
}
}
}
]
})
Expand Down Expand Up @@ -138,59 +152,3 @@ resource "aws_cloudwatch_log_group" "loggroup" {
name = "/aws/lambda/${aws_lambda_function.lambda_function.function_name}"
retention_in_days = var.log_retention_days
}

# IAM User Group
resource "aws_iam_group" "group" {
name = "${var.env_name}-${var.lambda_name}-user-group"
path = "/"
}

resource "aws_iam_group_policy_attachment" "group_vpc_permissions_attachment" {
group = aws_iam_group.group.name
policy_arn = aws_iam_policy.vpc_permissions.arn
}

resource "aws_iam_group_policy_attachment" "group_lambda_logging_attachment" {
group = aws_iam_group.group.name
policy_arn = aws_iam_policy.lambda_logging.arn
}

resource "aws_iam_group_policy_attachment" "group_lambda_s3_policy_attachment" {
group = aws_iam_group.group.name
policy_arn = aws_iam_policy.lambda_s3_policy.arn
}

resource "aws_iam_group_policy_attachment" "group_lambda_secret_manager_policy_attachment" {
group = aws_iam_group.group.name
policy_arn = aws_iam_policy.lambda_secret_manager_policy.arn
}

resource "aws_iam_group_policy_attachment" "group_lambda_eventbridge_policy_attachment" {
group = aws_iam_group.group.name
policy_arn = aws_iam_policy.lambda_eventbridge_policy.arn
}

# IAM User
resource "aws_iam_user" "user" {
name = "${var.env_name}-${var.lambda_name}"
path = "/"
}

# Assign IAM User to group
resource "aws_iam_user_group_membership" "user_group_attach" {
user = aws_iam_user.user.name

groups = [
aws_iam_group.group.name
]
}

# IAM Key Rotation Module
module "iam_key_rotation" {
source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.1"

iam_username = aws_iam_user.user.name
access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
rotation_in_days = 45
}
14 changes: 0 additions & 14 deletions terraform/secrets.tf
View file
Open in desktop

This file was deleted.

Loading