feat(assumeWebIdentityRole): support AssumeRoleWithWebIdentity arn swap #1258
…ity arn swapping Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
Hey @jessesanford, thanks for the enhancement - we are using Go SDK v1 for code-gen resources and Go SDK v2 for some manual/handmade resources. Can you check if both are working? Example
I was wondering about the V1 suffixed functions. I can create a Do you have different build targets you use for the two different SDKs? Or do you just need to know which resources to test with to flex the different code paths?
Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
I will test tomorrow in our environment and will add a final review.
Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
@stevendborrelli is also attempting to deploy a build of the provider from this branch to our POC environment so we can do some manual testing there as well. I don't have your test suite though, so don't let our work preclude yours @haarchri. TY!
Any chance you have been able to kick the tires?
We were able to get s3 bucket resources working:
Functionality looks good. We were able to test provisioning in 3 different ARNs: the control plane's ARN and two other ones.
Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
Tested the assumeRoleWithWebIdentity in our environment (50 Accounts +)
@jessesanford @nabuskey @stevendborrelli thanks for the implementation, testing and documentation
providerconfigs

```yaml
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: account-a
spec:
  credentials:
    source: InjectedIdentity
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: account-b
spec:
  assumeRoleWithWebIdentity:
    roleARN: arn:aws:iam::111111111111:role/crossplane_deploy
    roleSessionName: b-from-a
  credentials:
    source: InjectedIdentity
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: account-c
spec:
  assumeRoleWithWebIdentity:
    roleARN: arn:aws:iam::222222222222:role/crossplane_deploy
    roleSessionName: c-from-a
  credentials:
    source: InjectedIdentity
```

go sdk-v2

```
kubectl get buckets.s3.aws.crossplane.io
NAME               READY   SYNCED   AGE
bucket-account-a   True    True     10m
bucket-account-b   True    True     11m
bucket-account-c   True    True     12m
```

go sdk-v1

```
kubectl get filesystems.efs.aws.crossplane.io
NAME                   READY   SYNCED   AGE
filesystem-account-a   True    True     3m
filesystem-account-b   True    True     3m
filesystem-account-c   True    True     2m
```
…ap (crossplane-contrib#1258) * feat(assumeWebIdentityRole): added support for AssumeRoleWithWebIdentity arn swapping Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com> Signed-off-by: Felipe Barbosa <lybrbarbosa@gmail.com>
Description of your changes
Fixes #597
Specifically handles the use case described by @benagricola here: #597 (comment)
I have:
- Run `make reviewable test` to ensure this PR is ready for review.

How has this code been tested
Unit tests created for supporting functions in pkg/clients/aws.go
Manual tests to be performed.