release-22.2: cloud/amazon: support external ID in AWS assume role #96531
Conversation
Support passing in the optional external ID when assuming a role. This is done by extending the values of the comma-separated string value of the ASSUME_ROLE parameter to the format `<role>;external_id=<id>`. Users can still use the previous format of just `<role>` to specify a role without any external ID.

When using role chaining, each role in the chain can be associated with a different external ID. For example: `ASSUME_ROLE=<roleA>;external_id=<idA>,<roleB>;external_id=<idB>,<roleC>` will use external ID `<idA>` to assume delegate `<roleA>`, then use external ID `<idB>` to assume delegate `<roleB>`, and finally no external ID to assume the final role `<roleC>`.

Additional documentation about external IDs can be found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

Release note (enterprise change): Support passing in the optional external ID when assuming a role. This is done by extending the values of the comma-separated string value of the ASSUME_ROLE parameter to the format `<role>;external_id=<id>`. Users can still use the previous format of just `<role>` to specify a role without any external ID. When using role chaining, each role in the chain can be associated with a different external ID. For example: `ASSUME_ROLE=<roleA>;external_id=<idA>,<roleB>;external_id=<idB>,<roleC>` will use external ID `<idA>` to assume delegate `<roleA>`, then use external ID `<idB>` to assume delegate `<roleB>`, and finally no external ID to assume the final role `<roleC>`.
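The following is an added illustration, not code from this PR or from CockroachDB: a stand-alone parser for the extended `ASSUME_ROLE` syntax the description defines (`<role>;external_id=<id>`, comma-separated for role chaining, plain `<role>` still accepted). The type and function names (`RoleHop`, `ParseAssumeRoleChain`) and the strictness choices (rejecting empty roles, empty or repeated `external_id`, and unknown `key=value` options) are this example's own assumptions. Rejecting malformed entries rather than silently dropping them matters here because the external ID is the value the target account's trust policy checks to mitigate confused-deputy access; a hop that silently lost its ID would fail at assume time on a correctly configured role, or worse, succeed on a role whose trust policy does not require one.

```go
package main

import (
	"fmt"
	"strings"
)

// RoleHop is one delegate (or final) role in an ASSUME_ROLE chain together
// with the optional external ID presented when assuming it.
type RoleHop struct {
	RoleARN    string
	ExternalID string // empty when the role is written in the plain "<role>" form
}

// ParseAssumeRoleChain parses the extended ASSUME_ROLE value: a comma-separated
// list of roles, each optionally suffixed with ";external_id=<id>".
// Hypothetical helper written for this example; it is not CockroachDB's parser.
func ParseAssumeRoleChain(value string) ([]RoleHop, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return nil, nil
	}
	var chain []RoleHop
	for i, entry := range strings.Split(value, ",") {
		// First ';'-separated field is the role; the rest are key=value options.
		parts := strings.Split(entry, ";")
		role := strings.TrimSpace(parts[0])
		if role == "" {
			return nil, fmt.Errorf("ASSUME_ROLE entry %d has an empty role", i)
		}
		hop := RoleHop{RoleARN: role}
		for _, kv := range parts[1:] {
			key, val, ok := strings.Cut(strings.TrimSpace(kv), "=")
			if !ok {
				return nil, fmt.Errorf("ASSUME_ROLE entry %d: option %q is not key=value", i, kv)
			}
			switch key {
			case "external_id":
				if val == "" {
					return nil, fmt.Errorf("ASSUME_ROLE entry %d: empty external_id", i)
				}
				if hop.ExternalID != "" {
					return nil, fmt.Errorf("ASSUME_ROLE entry %d: external_id given twice", i)
				}
				hop.ExternalID = val
			default:
				// Unknown options are rejected so a typo such as "externalid=" cannot
				// silently drop the external ID from a hop.
				return nil, fmt.Errorf("ASSUME_ROLE entry %d: unknown option %q", i, key)
			}
		}
		chain = append(chain, hop)
	}
	return chain, nil
}

func main() {
	// Constructed sample mirroring the PR's example; the ARNs are placeholders.
	const sample = "arn:aws:iam::111111111111:role/roleA;external_id=idA," +
		"arn:aws:iam::222222222222:role/roleB;external_id=idB," +
		"arn:aws:iam::333333333333:role/roleC"
	chain, err := ParseAssumeRoleChain(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, hop := range chain {
		if hop.ExternalID == "" {
			fmt.Printf("hop %d: assume %s with no external ID\n", i, hop.RoleARN)
		} else {
			fmt.Printf("hop %d: assume %s with external ID %s\n", i, hop.RoleARN, hop.ExternalID)
		}
	}
}
```

Each `RoleHop` maps directly onto one `sts:AssumeRole` call in the chain: the role ARN is the target and a non-empty `ExternalID` becomes that call's `ExternalId` parameter, so the trust policy on the delegate role can require `sts:ExternalId` to match.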
Thanks for opening a backport. Please check the backport criteria before merging:
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
Add a brief release justification to the body of your PR to justify this backport. Some other things to consider:
While not guarded by a cluster setting, this code is "opt in" in the sense that users would need to specify a new external storage connection string to use it.
In a mixed-version cluster, it appears that users using the old syntax will still work because we populate both the new and old protobuf fields. If a user uses the new syntax, presumably their eventual cloud requests will fail on non-upgraded nodes that don't support the external IDs yet.
cc @livlobo to confirm that this is a high priority feature request for backport.
confirmed with @livlobo that this is good to merge.
Backport 1/1 commits from #91040.
/cc @cockroachdb/release
Addresses #90239
Release justification: low risk, high impact feature.