create ephemeral user

this should help with the lack of support for OIDC in cloud-reaper
elastic · v1v · May 5, 2025 · May 5, 2025 · May 5, 2025 · May 5, 2025
commit 8042e94bbab4ddadb00d9367fa10df521fc8a862
@@ -52,12 +52,43 @@ any_resources_to_delete() {
     return 0
 }
 
+# As long as cloud reaper does not support OIDC authentication.
+create_aws_ephemeral_user() {
+    # Generate a unique name for the ephemeral IAM user.
+    EPHEMERAL_USER="ephemeral-admin-$(date +%s)"
+    echo "Creating IAM user: ${EPHEMERAL_USER}"
+    aws iam create-user --user-name "${EPHEMERAL_USER}" \
+        --tags Key=ephemeral,Value=true Key=division,Value=engineering Key=org,Value=obs Key=creation-date,Value="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+
+    echo "Attaching AdministratorAccess policy to ${EPHEMERAL_USER}..."
+    aws iam attach-user-policy --user-name "${EPHEMERAL_USER}" --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+
+    echo "Creating access keys for ${EPHEMERAL_USER}..."
+    creds_json=$(aws iam create-access-key --user-name "${EPHEMERAL_USER}")
+    AWS_ACCESS_KEY_ID_EPHEMERAL=$(echo "$creds_json" | jq -r '.AccessKey.AccessKeyId')
+    AWS_SECRET_ACCESS_KEY_EPHEMERAL=$(echo "$creds_json" | jq -r '.AccessKey.SecretAccessKey')
+    export EPHEMERAL_USER AWS_ACCESS_KEY_ID_EPHEMERAL AWS_SECRET_ACCESS_KEY_EPHEMERAL
+}
+
+# Define cleanup function to delete the ephemeral IAM user regardless of script outcome.
+cleanup_ephemeral_user() {
+    echo "Cleaning up ephemeral IAM user: ${EPHEMERAL_USER}"
+    aws iam detach-user-policy --user-name "${EPHEMERAL_USER}" --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+    key_id=$(echo "$creds_json" | jq -r '.AccessKey.AccessKeyId')
+    aws iam delete-access-key --user-name "${EPHEMERAL_USER}" --access-key-id "${key_id}"
+    aws iam delete-user --user-name "${EPHEMERAL_USER}"
+    echo "Ephemeral IAM user ${EPHEMERAL_USER} deleted."
+}
+trap cleanup_ephemeral_user EXIT
+
 cloud_reaper_aws() {
+    echo "--- Configuring ephemeral user"
+    create_aws_ephemeral_user
+
     echo "Validating configuration"
     docker run --rm -v "$(pwd)/.buildkite/configs/cleanup.aws.yml":/etc/cloud-reaper/config.yml \
-      -e AWS_ACCESS_KEY_ID \
-      -e AWS_SECRET_ACCESS_KEY \
-      -e AWS_SESSION_TOKEN \
+      -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID_EPHEMERAL" \
+      -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY_EPHEMERAL" \
       -e ACCOUNT_PROJECT="observability-ci" \
       -e CREATION_DATE="${DELETE_RESOURCES_BEFORE_DATE}" \
       "${CLOUD_REAPER_IMAGE}" \
@@ -68,14 +99,12 @@ cloud_reaper_aws() {
 
     echo "Scanning resources"
     docker run --rm -v "$(pwd)/.buildkite/configs/cleanup.aws.yml":/etc/cloud-reaper/config.yml \
-      -e AWS_ACCESS_KEY_ID \
-      -e AWS_SECRET_ACCESS_KEY \
-      -e AWS_SESSION_TOKEN \
+      -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID_EPHEMERAL" \
+      -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY_EPHEMERAL" \
       -e ACCOUNT_PROJECT="observability-ci" \
       -e CREATION_DATE="${DELETE_RESOURCES_BEFORE_DATE}" \
       "${CLOUD_REAPER_IMAGE}" \
         cloud-reaper \
-          --debug \
           --config /etc/cloud-reaper/config.yml \
           ${COMMAND} | tee "${AWS_RESOURCES_FILE}"
 }