Use AWS IAM Roles as Octopus AWS Accounts
When creating an Octopus AWS Account (https://octopus.com/docs/infrastructure/deployment-targets/aws) you currently need to enter an AWS Access Key and Secret Key. This means the corresponding AWS Access Key needs to be periodically rotated, creating some management overhead and potential security vulnerabilities. Rather than an AWS Access Key and Secret Key, if we were able to enter an AWS IAM Role that is assumed whenever that Octopus AWS Account is used, then we would no longer need to manage AWS Access Keys.
In the background, Octopus Deploy would need to set it up so that the AWS IAM Role is assumed and temporary credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/idcredentialstemp_use-resources.html) are created whenever the corresponding Octopus AWS Account is used by a deploy process.
As for the credentials that are used to assume the AWS IAM Role, I would expect that the AWS service role for EC2 instances running the Octopus Deploy server / workers is used by default to assume the AWS IAM Role. And if Octopus is not running on EC2 instances, maybe as part of the creation of the Octopus AWS Account, when specifying the AWS IAM Role to assume, you could specify another Octopus AWS Account to use to assume that role. That way you could maintain a single AWS IAM User and Access Key, and then that user would be used to assume the AWS IAM Roles.
As an example, you could setup the Octopus Deploy server / workers EC2 role (or an IAM user) policy as follows:
Name: octopus-deploy-server
https://gist.github.com/burck1/5469acbff31b71fa69ef8d91c4426e50
Then when creating the AWS IAM Role that will be assumed as part of the deployment you would:
1. Setup the Trust Relationship as:
Name: octopus-deploy-my-project-deployer
https://gist.github.com/burck1/5469acbff31b71fa69ef8d91c4426e50
2. Setup the AWS IAM Role policy to have access to whatever AWS resources needed.
Note: This feature would also allow cross-account access as AWS IAM Roles can be assumed within other accounts.

EC2 instance roles and secondary IAM roles can be assumed in AWS steps and for EKS clusters (new in 2020.4). The blog post at https://octopus.com/blog/aws-iam-roles has more details.
1 comment
-
Matthew Casperson commented
We have a blog post describing how IAM roles can be used within deployments: https://octopus.com/blog/aws-iam-roles