
feat(assumeWebIdentityRole): support AssumeRoleWithWebIdentity arn swap #1258

Merged

Conversation

jessesanford (Contributor)

Description of your changes

Fixes #597

Specifically handles the use case described by @benagricola here: #597 (comment)

With assumeWebIdentityRole set and assumeRoles unset:

The role ARN in assumeWebIdentityRole is assumed using the injected OIDC token from AWS_WEB_IDENTITY_TOKEN_FILE - the role name in AWS_ROLE_ARN is ignored.
At this point, we're targeting whatever account the role in assumeWebIdentityRole was in. This requires the target role to be trusting the current OIDC provider.
This allows us to assume a role via web identity in any number of AWS accounts (each a separate ProviderConfig).

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

Unit tests created for supporting functions in pkg/clients/aws.go
Manual tests to be performed.
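The swap described above, as an added worked example written for this page (it is not code from the PR or from provider-aws, which does this through the AWS SDK in pkg/clients/aws.go): every ProviderConfig sends the same projected pod token to STS, and the only thing that changes per ProviderConfig is the RoleArn in the AssumeRoleWithWebIdentity call. To run offline it talks to a stand-in STS (`FakeSTS`) whose per-role trust map plays the part of each target role's trust policy; the account 000000000000, the 333333333333 role, the service-account subject and the session names other than those in the thread are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Credentials is the part of the STS response we decode; AssumedRoleUser.Arn shows which account the session landed in.
type Credentials struct {
	AssumedRoleUser struct{ Arn string }                                        `xml:"AssumeRoleWithWebIdentityResult>AssumedRoleUser"`
	Keys            struct{ AccessKeyId, SecretAccessKey, SessionToken string } `xml:"AssumeRoleWithWebIdentityResult>Credentials"`
}

// AssumeRoleWithWebIdentity trades the projected token (the contents of AWS_WEB_IDENTITY_TOKEN_FILE) for
// credentials of roleARN via the STS Query API. No SigV4 signing is involved: the OIDC token is the credential.
func AssumeRoleWithWebIdentity(hc *http.Client, stsEndpoint, token, roleARN, sessionName string) (*Credentials, error) {
	form := url.Values{
		"Action": {"AssumeRoleWithWebIdentity"}, "Version": {"2011-06-15"},
		"RoleArn": {roleARN}, "RoleSessionName": {sessionName}, "WebIdentityToken": {token},
	}
	resp, err := hc.Post(stsEndpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("sts %s: %s", resp.Status, strings.TrimSpace(string(body)))
	}
	var creds Credentials
	if err := xml.Unmarshal(body, &creds); err != nil {
		return nil, fmt.Errorf("decode STS response: %w", err)
	}
	return &creds, nil
}

// FakeSTS stands in for sts.amazonaws.com so this runs offline. trust maps each role ARN to the OIDC subject its
// trust policy allows, the check that decides whether a swap succeeds. Unlike real STS it verifies neither the
// JWT signature (issuer JWKS) nor aud/exp, so use it only as a model of the trust-policy decision.
func FakeSTS(trust map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Appending ".." guarantees a middle segment exists even for a malformed token, so no index panic.
		payload, _ := base64.RawURLEncoding.DecodeString(strings.Split(r.PostFormValue("WebIdentityToken")+"..", ".")[1])
		var claims struct{ Sub string `json:"sub"` }
		roleARN := r.PostFormValue("RoleArn")
		if json.Unmarshal(payload, &claims) != nil || claims.Sub == "" || trust[roleARN] != claims.Sub {
			http.Error(w, "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity", http.StatusForbidden)
			return
		}
		// arn:aws:iam::ACCOUNT:role/Name becomes arn:aws:sts::ACCOUNT:assumed-role/Name/Session
		assumed := strings.Replace(strings.Replace(roleARN, ":iam:", ":sts:", 1), ":role/", ":assumed-role/", 1)
		fmt.Fprintf(w, `<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><AssumeRoleWithWebIdentityResult><AssumedRoleUser><Arn>%s/%s</Arn></AssumedRoleUser><Credentials><AccessKeyId>ASIACONSTRUCTED</AccessKeyId><SecretAccessKey>not-a-real-secret</SecretAccessKey><SessionToken>not-a-real-token</SessionToken></Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>`,
			assumed, r.PostFormValue("RoleSessionName"))
	}))
}

// Demo replays the thread's ProviderConfigs against FakeSTS with one and the same pod token and returns, per
// ProviderConfig name, the assumed-role ARN obtained, or the STS error when the target role does not trust us.
func Demo() map[string]string {
	const sub = "system:serviceaccount:upbound-system:provider-aws" // constructed: the provider pod's service account
	token := "eyJhbGciOiJSUzI1NiJ9." + base64.RawURLEncoding.EncodeToString([]byte(`{"sub":"`+sub+`","aud":"sts.amazonaws.com"}`)) + ".sig"
	const envRoleARN = "arn:aws:iam::000000000000:role/crossplane-control-plane" // plays AWS_ROLE_ARN
	srv := FakeSTS(map[string]string{ // constructed: the subject each role's trust policy allows
		envRoleARN: sub,
		"arn:aws:iam::111111111111:role/crossplane_deploy": sub,
		"arn:aws:iam::222222222222:role/crossplane_deploy": sub,
		"arn:aws:iam::333333333333:role/crossplane_deploy": "system:serviceaccount:other-ns:other-sa",
	})
	defer srv.Close()
	configs := []struct{ Name, RoleARN, Session string }{ // spec.assumeRoleWithWebIdentity of each ProviderConfig
		{"account-a", "", "control-plane"}, // unset: AWS_ROLE_ARN is used
		{"account-b", "arn:aws:iam::111111111111:role/crossplane_deploy", "b-from-a"},
		{"account-c", "arn:aws:iam::222222222222:role/crossplane_deploy", "c-from-a"},
		{"account-d", "arn:aws:iam::333333333333:role/crossplane_deploy", "d-from-a"}, // trusts another service account
	}
	out := map[string]string{}
	for _, pc := range configs {
		role := pc.RoleARN // the ARN swap: the ProviderConfig role wins; AWS_ROLE_ARN is only the fallback
		if role == "" {
			role = envRoleARN
		}
		if creds, err := AssumeRoleWithWebIdentity(srv.Client(), srv.URL, token, role, pc.Session); err != nil {
			out[pc.Name] = "error: " + err.Error()
		} else {
			out[pc.Name] = creds.AssumedRoleUser.Arn
		}
	}
	return out
}

func main() { fmt.Println(Demo()) }
```

The point to take from account-d: because the token is identical for every ProviderConfig, nothing on the Crossplane side limits which account a ProviderConfig can reach; only the target role's trust policy does. A role whose trust policy conditions solely on the cluster's OIDC issuer, with no `sub` (service account) condition, is assumable by any pod in that cluster that gets a projected token, so each crossplane_deploy role should pin `sub` to the provider's service account and `aud` to sts.amazonaws.com.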

…ity arn swapping

Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
@haarchri (Member)

Hey @jessesanford, thanks for the enhancement. We are using Go SDK v1 for code-gen resources and Go SDK v2 for some manual/handmade resources; can you check if both are working? Example: UsePodServiceAccountV1 and UsePodServiceAccount

@jessesanford (Contributor, Author) commented Apr 13, 2022

@haarchri

> Hey @jessesanford, thanks for the enhancement. We are using Go SDK v1 for code-gen resources and Go SDK v2 for some manual/handmade resources; can you check if both are working? Example: UsePodServiceAccountV1 and UsePodServiceAccount

I was wondering about the V1-suffixed functions. I can create a UsePodServiceAccountV1AssumeRoleWithWebIdentity; I believe that is all that is required, right? The other supporting functions don't get invoked directly, right?

Do you have different build targets you use for the two different SDKs? Or do you just need to know which resources to test with to flex the different code paths?

Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
@haarchri (Member)

I will test tomorrow in our environment and will add a final review.

Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
@jessesanford (Contributor, Author)

> I will test tomorrow in our environment and will add a final review.

@stevendborrelli is also attempting to deploy a build of the provider from this branch to our POC environment so we can do some manual testing there as well. I don't have your test suite though, so don't let our work preclude yours @haarchri. TY!

@jessesanford (Contributor, Author)

> I will test tomorrow in our environment and will add a final review.

Any chance you have been able to kick the tires?

@jessesanford (Contributor, Author)

> I will test tomorrow in our environment and will add a final review.

We were able to get S3 bucket resources working:

$ k -n upbound-system get buckets.s3.aws.crossplane.io                             
NAME                       READY   SYNCED   AGE
crossplane-demo-xppocca1   True    True     132m
crossplane-demo-xppocca2   True    True     133m
crossplane-demo-xppoccpn   True    True     126m
$ k -n upbound-system get providerconfigs.aws.crossplane.io aws-provider-xppocca1 -o yaml                                       
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration:
  creationTimestamp: "2022-04-14T20:50:00Z"
  finalizers:
  - in-use.crossplane.io
  generation: 2
  name: aws-provider-xppocca1
  resourceVersion: "269147"
  uid: 47000f10-dede-4436-b4cd-ea4d3003bdd5
spec:
  assumeRoleWithWebIdentity:
    roleARN: arn:aws:iam::111111111111:role/XXXXXXXXX
    roleSessionName: xppocca1
  credentials:
    source: InjectedIdentity
status:
  users: 1
$ k -n upbound-system get providerconfigs.aws.crossplane.io aws-provider-xppocca2 -o yaml                                       
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration:
  creationTimestamp: "2022-04-14T20:50:09Z"
  finalizers:
  - in-use.crossplane.io
  generation: 2
  name: aws-provider-xppocca2
  resourceVersion: "269244"
  uid: 65bcde84-dbb9-4d9a-9f58-cb66690d68b0
spec:
  assumeRoleWithWebIdentity:
    roleARN: arn:aws:iam::222222222222:role/XXXXXXXXX
    roleSessionName: xppocca2
  credentials:
    source: InjectedIdentity
status:
  users: 1
$ k -n upbound-system get providerconfigs.aws.crossplane.io aws-provider-xppoccpn -o yaml
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration:
  creationTimestamp: "2022-04-14T20:12:29Z"
  finalizers:
  - in-use.crossplane.io
  generation: 3
  name: aws-provider-xppoccpn
  resourceVersion: "269263"
  uid: 40c16b7c-d50a-423d-8902-b0b03901340b
spec:
  assumeRoleWithWebIdentity:
    roleARN: arn:aws:iam::333333333333:role/XXXXX
    roleSessionName: xppoccpn
  credentials:
    source: InjectedIdentity
status:
  users: 1

@stevendborrelli (Contributor)

Functionality looks good. We were able to test provisioning in 3 different ARNs: the control plane's ARN and two other ones.

Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>

@haarchri (Member) left a comment

Tested assumeRoleWithWebIdentity in our environment (50+ accounts).
@jessesanford @nabuskey @stevendborrelli thanks for the implementation, testing and documentation.

providerconfigs

apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: account-a
spec:
  credentials:
    source: InjectedIdentity
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: account-b
spec:
  assumeRoleWithWebIdentity:
    roleARN: arn:aws:iam::111111111111:role/crossplane_deploy
    roleSessionName: b-from-a
  credentials:
    source: InjectedIdentity
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: account-c
spec:
  assumeRoleWithWebIdentity:
    roleARN: arn:aws:iam::222222222222:role/crossplane_deploy
    roleSessionName: c-from-a
  credentials:
    source: InjectedIdentity

Go SDK v2

kubectl get buckets.s3.aws.crossplane.io
NAME                 READY   SYNCED   AGE
bucket-account-a     True    True     10m
bucket-account-b     True    True     11m
bucket-account-c     True    True     12m

Go SDK v1

kubectl get filesystems.efs.aws.crossplane.io
NAME                   READY   SYNCED   AGE
filesystem-account-a   True    True     3m
filesystem-account-b   True    True     3m
filesystem-account-c   True    True     2m

@haarchri haarchri merged commit 3629902 into crossplane-contrib:master Apr 18, 2022
@jessesanford jessesanford deleted the assumeWebIdentityRole branch April 18, 2022 11:56
febarbosa182 pushed a commit to febarbosa182/provider-aws that referenced this pull request May 23, 2022
…ap (crossplane-contrib#1258)

* feat(assumeWebIdentityRole): added support for AssumeRoleWithWebIdentity arn swapping

Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
Signed-off-by: Felipe Barbosa <lybrbarbosa@gmail.com>
Successfully merging this pull request may close these issues.

Allow assuming multiple web identity roles
4 participants