Parameterize trust relationships for runner role #4247

Open
iataylor opened this issue Nov 8, 2024 · 4 comments

Comments

@iataylor

iataylor commented Nov 8, 2024

Overview: I need to have the ability to parameterize the trust relationships for the runner role. I'd like to add a config variable to take in JSON-formatted trust relationships to add to the automatically generated runner role.

Use Case: Customizing this would allow me to assume the runner role to execute actions from different accounts. This is a consequence of moving from runners placed in individual accounts to centralizing our runners in a single AWS account. We're utilizing the old runner role infrastructure to allow access and management of resources from a central location. As of right now, we cannot actually edit this relationship, as it always has the default policy in this file.

I know this is an edge case, and not necessarily the best solution, but adding the capability should be a fairly minor change with no adverse effect on other users.

I'm happy to propose a fix myself, but I don't currently have permission to open a branch.

@npalm
Member

npalm commented Nov 9, 2024

Do I understand your use case correctly that your runners need to call AWS APIs, and for that use case you want the option to add trust relations? In that case I think it is much better to set up OIDC on your AWS accounts to assign the relation based on the job. Here is an old blog post of mine explaining this in detail: https://040code.github.io/2022/12/02/oidc-part-1

@iataylor
Author

That's pretty much what I need. I read through the blog you sent, which is super helpful! I'll take a crack at setting up OIDC, but it still may be helpful to have the ability to at least add trust relationships if necessary.

@avni-ef

avni-ef commented Dec 31, 2024

I think it could be great if the trust policy were configurable. Our self-hosted runners need to manage our EKS cluster, and we're using IRSA for authentication, so configuring the runner role's trust policy directly would allow me to do this in a single hop.
But for now I'll just set up another role (with the trust policy I need for the EKS cluster) and allow the runner to assume that role. A bit clunky, but I think it'll do the trick.

Great work btw!

@npalm
Member

npalm commented Jan 10, 2025

Should be possible with OIDC; in that case you can set the trust to the repo/branch/environment instead of the full runner.
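The two approaches discussed in this thread, worked through as an added example (this is not code from the issue, its author, or the project it is filed against): a trust policy for a deployment role that trusts GitHub's OIDC provider and is scoped to one repository's branch or environment, as npalm suggests, plus the interim two-hop variant avni-ef describes, where a second role simply trusts the runner role's ARN. A small evaluator models the `StringEquals`/`StringLike` condition matching so you can see which job tokens would and would not be allowed to assume the role. The account id, organisation/repository names, role names and token claims are constructed placeholders; the `token.actions.githubusercontent.com:aud` and `:sub` condition keys and the `repo:<org>/<repo>:ref:refs/heads/<branch>` / `repo:<org>/<repo>:environment:<name>` subject formats are GitHub's documented ones.

```python
"""Added example: GitHub OIDC trust policy scoped to repo/branch/environment,
the two-hop alternative, and a simplified condition evaluator.
Account id, org/repo, role names and sample claims are constructed placeholders."""
import fnmatch
import json

# Constructed placeholders (not taken from the issue).
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"
RUNNER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/github-runner-role"


def oidc_trust_policy(repo, branches=(), environments=()):
    """Trust policy for a deployment role: only GitHub jobs from `repo` running on
    one of `branches` or in one of `environments` may assume it.  `aud` is pinned
    to sts.amazonaws.com so a token minted for another audience is rejected."""
    subs = [f"repo:{repo}:ref:refs/heads/{b}" for b in branches]
    subs += [f"repo:{repo}:environment:{e}" for e in environments]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{OIDC_PROVIDER}:sub": subs},
            },
        }],
    }


def role_chain_trust_policy(runner_role_arn):
    """Interim two-hop approach: a second role (e.g. for EKS administration)
    trusts the runner role itself, so every job on the runner can reach it.
    Coarser than OIDC scoping, since it cannot distinguish repo or branch."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": runner_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _matches(policy_value, claim_value, like):
    # IAM StringLike: `*` and `?` wildcards, case-sensitive, `*` spans `/` and `:`.
    values = policy_value if isinstance(policy_value, list) else [policy_value]
    if like:
        return any(fnmatch.fnmatchcase(claim_value, v) for v in values)
    return claim_value in values


def can_assume(policy, claims):
    """Simplified evaluation of sts:AssumeRoleWithWebIdentity statements: every
    condition key must be present in the token and match.  Only StringEquals and
    StringLike are modelled, which is all the policy above uses."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        ok = True
        for op, block in stmt.get("Condition", {}).items():
            for key, pval in block.items():
                claim = claims.get(key.split(":", 1)[1])  # strip provider prefix
                if claim is None or not _matches(pval, claim, op == "StringLike"):
                    ok = False
        if ok:
            return True
    return False


# Constructed sample token claims (only the two claims the policy inspects).
MAIN_BRANCH_JOB = {"aud": "sts.amazonaws.com",
                   "sub": "repo:example-org/infra:ref:refs/heads/main"}
FEATURE_BRANCH_JOB = {"aud": "sts.amazonaws.com",
                      "sub": "repo:example-org/infra:ref:refs/heads/feature/x"}
PROD_ENV_JOB = {"aud": "sts.amazonaws.com",
                "sub": "repo:example-org/infra:environment:production"}
OTHER_REPO_JOB = {"aud": "sts.amazonaws.com",
                  "sub": "repo:someone-else/infra:ref:refs/heads/main"}
WRONG_AUDIENCE_JOB = {"aud": "https://github.com/example-org",
                      "sub": "repo:example-org/infra:ref:refs/heads/main"}

SCOPED_POLICY = oidc_trust_policy("example-org/infra",
                                  branches=["main"], environments=["production"])
# Over-broad variant: any branch of the repo may assume the role.
ANY_BRANCH_POLICY = oidc_trust_policy("example-org/infra", branches=["*"])

if __name__ == "__main__":
    print(json.dumps(SCOPED_POLICY, indent=2))
    print(json.dumps(role_chain_trust_policy(RUNNER_ROLE_ARN), indent=2))
    for name, claims in [("main", MAIN_BRANCH_JOB), ("feature", FEATURE_BRANCH_JOB),
                         ("prod env", PROD_ENV_JOB), ("other repo", OTHER_REPO_JOB),
                         ("wrong aud", WRONG_AUDIENCE_JOB)]:
        print(f"{name:>10}: scoped={can_assume(SCOPED_POLICY, claims)} "
              f"any-branch={can_assume(ANY_BRANCH_POLICY, claims)}")
```

Running the file prints both policies and the allow/deny outcome for each sample token. The point the comparison makes is the one npalm raises: with the scoped policy only the `main` branch and the `production` environment of `example-org/infra` can assume the role, whereas a `*` wildcard on the branch segment lets any branch of that repository through, and the two-hop role-chain policy cannot distinguish jobs at all once they share a runner role.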
