Extension API support #252

Open
XargsUK opened this issue Jul 3, 2023 · 4 comments
Labels
feature-request Feature Request good first issue Good for newcomers help wanted Extra attention is needed

XargsUK commented Jul 3, 2023

Solid role switch implementation, checked out this repo after seeing one of your messages in an issue on AESR.

A feature which I've developed on top of AESR was the ability to push AWS configs from one extension to AESR's API. For example, in https://github.com/XargsUK/aesr-s3-config-sender, AWS Cognito is used to authenticate with the user pool and get tokens, the tokens are then used to GetObject from S3, and that config is then passed to AESR, which allows a team of engineers to sync the latest configurations without having to manually download the latest config and update it in AESR.

This wouldn't be possible without the AESR Extension API: https://github.com/tilfinltd/aws-extend-switch-roles/wiki/External-API

It would be really useful to see some implementation which would allow other extensions to push configs into this extension.

Owner

janstuemmel commented Jul 4, 2023

Sounds interesting.

I'm not really sure how this would be implemented here tho...

  • Roles from outside should be merged with configured roles, not overridden...
  • When does a config sender "push" the new roles into this extension, on browser start or any time?
  • Can we have a "pull" mechanism too? Not really sure if that works with web extensions...
  • Which storage should be used. Maybe session-storage? Or local storage?
  • Are there other options instead of having a sidecar extension? Are sidecar extensions a proper solution to this problem?

Author

XargsUK commented Jul 4, 2023

> Roles from outside should be merged with configured roles, not overridden...

I agree. I think in the other project that was just to get around having to deal with duplicates.

> When does a config sender "push" the new roles into this extension, on browser start or any time?

Stuff like this really is up to the user. If they want to push the new config 1 time a year, or 1000 times a day, this is something that the other extension would handle.

> Can we have a "pull" mechanism too? Not really sure if that works with web extensions...

Depends on the source.

> Which storage should be used. Maybe session-storage? Or local storage?

Unsure what this is in reference to.

> Are there other options instead of having a sidecar extension? Are sidecar extensions a proper solution to this problem?

It's a solution to those who want to integrate with the extension if they have unique requirements. For example, in our AWS environment, we have a lambda which automatically generates AWSCLI configs and the switch role configs for the entire organization and other organizations we look after to a file in an S3 bucket. We don't use user accounts in the org, but rather use STS with Azure AD, which assumes a role (so we can't just create a token to get the file from S3 on a per person basis).

In an ideal world, there would be some default, easy to integrate methods of having configs update. Google Drive, S3, etc. but also at least a method for other developers to integrate.

The problem statement for me is:

  • Large team of engineers need to have an up-to-date switch roles configuration
  • These configurations are stored in S3 as they are generated by a lambda
  • I want to remove the need for engineers to have to log into AWS, open the S3 bucket with the config, download, open, go into the extension and update the config. People get lazy with updating their configs, and end up missing a load of AWS accounts for customers we manage.

There will be loads of other unique challenges people will have with this, and developing for all of them isn't feasible, so having an API at least allows people to extend for their own use cases.

Hope the above adds some context! :)

Owner

janstuemmel commented Jul 4, 2023

> I agree. I think in the other project that was just to get around having to deal with duplicates.

I think it's up to the user to avoid duplicates.

> Unsure what this is in reference to.

The external config has to be stored somewhere temporarily. I could imagine this place should be local or session storage, not sync storage, as it is already stored remotely. A data model could look like this:

```js
// session store
{
  "external_configs": {
    // configs per external extension id
    "<extension_id>": {
      active: true,
      config: "[my-role]\naws_account_id=123\n..."
    }
  }
}
```

> It's a solution to those who want to integrate with the extension if they have unique requirements. For example, in our AWS environment, we have a lambda which automatically generates AWSCLI configs and the switch role configs for the entire organization and other organizations we look after to a file in an S3 bucket. We don't use user accounts in the org, but rather use STS with Azure AD, which assumes a role (so we can't just create a token to get the file from S3 on a per person basis).
>
> In an ideal world, there would be some default, easy to integrate methods of having configs update. Google Drive, S3, etc. but also at least a method for other developers to integrate.
>
> The problem statement for me is:
>
>   • Large team of engineers need to have an up-to-date switch roles configuration
>   • These configurations are stored in S3 as they are generated by a lambda
>   • I want to remove the need for engineers to have to log into AWS, open the S3 bucket with the config, download, open, go into the extension and update the config. People get lazy with updating their configs, and end up missing a load of AWS accounts for customers we manage.
>
> There will be loads of other unique challenges people will have with this, and developing for all of them isn't feasible, so having an API at least allows people to extend for their own use cases.
>
> Hope the above adds some context! :)

Yes. Thanks.

You have a very specific use case tho. A common use case would be to get a config from an HTTP URL with basic auth or something.

But I'll definitely look into this...

ref

janstuemmel added a commit that referenced this issue Jul 4, 2023
* add basic external listener
* lock chrome extension id via public key

ref #252
@janstuemmel
Owner

I tried moving events between a sidecar extension and aws-role-switch. It's pretty easy so far.

What we need, I guess:

  • Some kind of authentication. I do not like to manually copy the sidecar extension id into aws-role-switch. Maybe we could open a popup and ask for permission? It's maybe a dedicated event sent from the sidecar right after extension installation?!
  • Saving the config is mandatory, I think. Local store would be the right choice to persist already sent configs. Because it's completely up to the extension when it sends the config, so we keep a copy of the config always in local storage.
  • We need a little gui list with external extensions. I want to be able to delete added sidecars or disable them.
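
A sketch of the receiving side discussed in this thread, added here as an example and not code from aws-role-switch or any participant: it accepts a pushed config only from an approved sender id, stores it per extension id in the `external_configs` shape proposed above, and merges active entries with the user's own config. The `approved` list, the `push-config` message type, the size limit, and the function names are assumptions for illustration.

```javascript
// Hypothetical limit so a sidecar cannot fill extension storage.
const MAX_CONFIG_BYTES = 256 * 1024;

// Decide whether a config pushed by another extension is accepted.
// sender.id is filled in by the browser, not by the sending extension,
// so it is the value to authorize on (never an id inside the message).
function acceptExternalConfig(message, sender, state) {
  const id = sender && sender.id;
  if (!id || !state.approved.includes(id)) {
    return { ok: false, error: 'sender not approved' };
  }
  if (!message || message.type !== 'push-config' || typeof message.config !== 'string') {
    return { ok: false, error: 'malformed message' };
  }
  if (message.config.length > MAX_CONFIG_BYTES) {
    return { ok: false, error: 'config too large' };
  }
  const previous = state.external_configs[id];
  state.external_configs[id] = {
    // A sidecar the user disabled stays disabled when it pushes again.
    active: previous ? previous.active : true,
    config: message.config,
  };
  return { ok: true };
}

// Merge instead of override: the user's own config comes first, then
// every active config from a sidecar that is still approved.
function mergedConfig(ownConfig, state) {
  const parts = [ownConfig];
  for (const id of Object.keys(state.external_configs).sort()) {
    const entry = state.external_configs[id];
    if (entry.active && state.approved.includes(id)) parts.push(entry.config);
  }
  return parts.join('\n');
}

// Wiring inside the extension (assumes promise-based chrome.storage).
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    chrome.storage.local.get({ approved: [], external_configs: {} }).then((state) => {
      const result = acceptExternalConfig(message, sender, state);
      const saved = result.ok ? chrome.storage.local.set(state) : Promise.resolve();
      saved.then(() => sendResponse(result));
    });
    return true; // keep the channel open for the async sendResponse
  });
}
```

Removing an id from `approved` drops that sidecar's roles from the merged result without deleting its stored copy, which matches the delete/disable list asked for above.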

janstuemmel added a commit to janstuemmel/aws-role-switch-http-sidecar that referenced this issue Jul 4, 2023
@janstuemmel janstuemmel added help wanted Extra attention is needed good first issue Good for newcomers feature-request Feature Request labels Jul 5, 2023