crossplane-contrib · haarchri · Apr 18, 2022 · Apr 13, 2022 · Apr 13, 2022 · Apr 13, 2022
diff --git a/AUTHENTICATION.md b/AUTHENTICATION.md
@@ -10,6 +10,7 @@
   - [Using kube2iam](#using-kube2iam)
     - [Steps](#steps-1)
   - [Using `assumeRole`](#using-assumerole)
+  - [Using `assumeRoleWithWebIdentity`](#using-assumerolewithwebidentity)
 
 ## Overview
 
@@ -343,3 +344,49 @@ spec:
     source: InjectedIdentity
 EOF
 ```
+
+## Using `assumeRoleWithWebIdentity`
+
+`provider-aws` will be configured to connect to the aws account in `RoleARN` and request
+a session for `RoleARN` using it's `InjectedIdentity` 
+
+This is most useful when "sts chaining" (see [Using `assumeRole`](#using-assumerole)) 
+is not allowed between accounts or when cross account IRSA is more suitable.
+
+IRSA will need to be configured between the account hosting the `RoleARN` and the
+K8s cluster hosting the provider pod. See [Using IAM Roles for `ServiceAccounts`](#using-iam-roles-for-serviceaccounts)
+for more info on how to setup IRSA.
+
+Next, the `provider-aws` must be configured to use `assumeRoleWithWebIdentity`.
+The code snippet below shows how to configure `provider-aws` to do so.
+
+```console
+$ cat <<EOF | kubectl apply -f -
+apiVersion: aws.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: account-b
+spec:
+  assumeRoleWithWebIdentity:
+    roleARN: "arn:aws:iam::999999999999:role/account_b"
+  credentials:
+    source: InjectedIdentity
+EOF
+```
+
+Role session name is supported (see <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_RequestParameters>).
+
+```console
+$ cat <<EOF | kubectl apply -f -
+apiVersion: aws.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: account-b
+spec:
+  assumeRoleWithWebIdentity:
+    roleARN: "arn:aws:iam::999999999999:role/account_b"
+    roleSessionName: "my-optional-session-name"
+  credentials:
+    source: InjectedIdentity
+EOF
+```
diff --git a/apis/v1beta1/providerconfig_types.go b/apis/v1beta1/providerconfig_types.go
@@ -30,6 +30,9 @@ type ProviderConfigSpec struct {
 	// AssumeRole defines the options for assuming an IAM role
 	AssumeRole *AssumeRoleOptions `json:"assumeRole,omitempty"`
 
+	// AssumeRoleWithWebIdentity defines the options for assuming an IAM role with a Web Identity
+	AssumeRoleWithWebIdentity *AssumeRoleWithWebIdentityOptions `json:"assumeRoleWithWebIdentity,omitempty"`
+
 	// AssumeRoleARN to assume with provider credentials
 	// This setting will be deprecated. Use the roleARN field under assumeRole instead.
 	// +optional
@@ -91,6 +94,17 @@ type AssumeRoleOptions struct {
 	TransitiveTagKeys []string `json:"transitiveTagKeys,omitempty"`
 }
 
+// AssumeRoleWithWebIdentityOptions define the options for assuming an IAM Role
+// Fields are similar to the STS WebIdentityRoleOptions in the AWS SDK
+type AssumeRoleWithWebIdentityOptions struct {
+	// AssumeRoleARN to assume with provider credentials
+	RoleARN *string `json:"roleARN,omitempty"`
+
+	// RoleSessionName is the session name, if you wish to uniquely identify this session.
+	// +optional
+	RoleSessionName string `json:"roleSessionName,omitempty"`
+}
+
 // EndpointConfig is used to configure the AWS client for a custom endpoint.
 type EndpointConfig struct {
 	// URL lets you configure the endpoint URL to be used in SDK calls.

diff --git a/apis/v1beta1/zz_generated.deepcopy.go b/apis/v1beta1/zz_generated.deepcopy.go
diff --git a/package/crds/aws.crossplane.io_providerconfigs.yaml b/package/crds/aws.crossplane.io_providerconfigs.yaml
@@ -93,6 +93,18 @@ spec:
                   setting will be deprecated. Use the roleARN field under assumeRole
                   instead.
                 type: string
+              assumeRoleWithWebIdentity:
+                description: AssumeRoleWithWebIdentity defines the options for assuming
+                  an IAM role with a Web Identity
+                properties:
+                  roleARN:
+                    description: AssumeRoleARN to assume with provider credentials
+                    type: string
+                  roleSessionName:
+                    description: RoleSessionName is the session name, if you wish
+                      to uniquely identify this session.
+                    type: string
+                type: object
               credentials:
                 description: Credentials required to authenticate to this provider.
                 properties:

diff --git a/pkg/clients/aws.go b/pkg/clients/aws.go
@@ -132,6 +132,13 @@ func UseProviderConfig(ctx context.Context, c client.Client, mg resource.Managed
 			}
 			return SetResolver(pc, cfg), nil
 		}
+		if pc.Spec.AssumeRoleWithWebIdentity != nil && pc.Spec.AssumeRoleWithWebIdentity.RoleARN != nil {
+			cfg, err := UsePodServiceAccountAssumeRoleWithWebIdentity(ctx, []byte{}, DefaultSection, region, pc)
+			if err != nil {
+				return nil, err
+			}
+			return SetResolver(pc, cfg), nil
+		}
 		cfg, err := UsePodServiceAccount(ctx, []byte{}, DefaultSection, region)
 		if err != nil {
 			return nil, err
@@ -379,6 +386,42 @@ func UsePodServiceAccountAssumeRole(ctx context.Context, _ []byte, _, region str
 	return &cnf, err
 }
 
+// UsePodServiceAccountAssumeRoleWithWebIdentity assumes an IAM role
+// configured via a ServiceAccount assume Cross account IAM roles
+// https://aws.amazon.com/blogs/containers/cross-account-iam-roles-for-kubernetes-service-accounts/
+func UsePodServiceAccountAssumeRoleWithWebIdentity(ctx context.Context, _ []byte, _, region string, pc *v1beta1.ProviderConfig) (*aws.Config, error) {
+	cfg, err := config.LoadDefaultConfig(ctx, userAgentV2)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to load default AWS config")
+	}
+
+	roleArn, err := GetAssumeRoleWithWebIdentityARN(pc.Spec.DeepCopy())
+	if err != nil {
+		return nil, err
+	}
+
+	stsclient := sts.NewFromConfig(cfg)
+	webIdentityRoleOptions := SetWebIdentityRoleOptions(pc)
+
+	cnf, err := config.LoadDefaultConfig(
+		ctx,
+		userAgentV2,
+		config.WithRegion(region),
+		config.WithCredentialsProvider(aws.NewCredentialsCache(
+			stscreds.NewWebIdentityRoleProvider(
+				stsclient,
+				StringValue(roleArn),
+				stscreds.IdentityTokenFile("/var/run/secrets/eks.amazonaws.com/serviceaccount/token"),
+				webIdentityRoleOptions,
+			)),
+		),
+	)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to load assumed role AWS config")
+	}
+	return &cnf, err
+}
+
 // UsePodServiceAccount assumes an IAM role configured via a ServiceAccount.
 // https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
 func UsePodServiceAccount(ctx context.Context, _ []byte, _, region string) (*aws.Config, error) {
@@ -664,6 +707,17 @@ func GetAssumeRoleARN(pcs *v1beta1.ProviderConfigSpec) (*string, error) {
 	return nil, errors.New("a RoleARN must be set to assume an IAM Role")
 }
 
+// GetAssumeRoleWithWebIdentityARN gets the RoleArn from a ProviderConfigSpec
+func GetAssumeRoleWithWebIdentityARN(pcs *v1beta1.ProviderConfigSpec) (*string, error) {
+	if pcs.AssumeRoleWithWebIdentity != nil {
+		if pcs.AssumeRoleWithWebIdentity.RoleARN != nil && StringValue(pcs.AssumeRoleWithWebIdentity.RoleARN) != "" {
+			return pcs.AssumeRoleWithWebIdentity.RoleARN, nil
+		}
+	}
+
+	return nil, errors.New("a RoleARN must be set to assume with web identity")
+}
+
 // SetAssumeRoleOptions sets options when Assuming an IAM Role
 func SetAssumeRoleOptions(pc *v1beta1.ProviderConfig) func(*stscreds.AssumeRoleOptions) {
 	if pc.Spec.AssumeRole != nil {
@@ -694,6 +748,19 @@ func SetAssumeRoleOptions(pc *v1beta1.ProviderConfig) func(*stscreds.AssumeRoleO
 	return func(opt *stscreds.AssumeRoleOptions) {}
 }
 
+// SetWebIdentityRoleOptions sets options when exchanging a WebIdentity Token for a Role
+func SetWebIdentityRoleOptions(pc *v1beta1.ProviderConfig) func(*stscreds.WebIdentityRoleOptions) {
+	if pc.Spec.AssumeRoleWithWebIdentity != nil {
+		return func(opt *stscreds.WebIdentityRoleOptions) {
+			if pc.Spec.AssumeRoleWithWebIdentity.RoleSessionName != "" {
+				opt.RoleSessionName = pc.Spec.AssumeRoleWithWebIdentity.RoleSessionName
+			}
+		}
+	}
+
+	return func(opt *stscreds.WebIdentityRoleOptions) {}
+}
+
 // TODO(muvaf): All the types that use CreateJSONPatch are known during
 // development time. In order to avoid unnecessary panic checks, we can generate
 // the code that creates a patch between two objects that share the same type.

diff --git a/pkg/clients/aws_test.go b/pkg/clients/aws_test.go
@@ -190,6 +190,67 @@ func TestGetAssumeRoleARN(t *testing.T) {
 	}
 }
 
+func TestGetAssumeRoleWithWebIdentityARN(t *testing.T) {
+	roleARN := "test-arn"
+
+	type args struct {
+		pcs v1beta1.ProviderConfigSpec
+	}
+	type want struct {
+		arn string
+		err error
+	}
+	cases := map[string]struct {
+		args args
+		want want
+	}{
+		"NoArnSetError": {
+			args: args{
+				pcs: v1beta1.ProviderConfigSpec{},
+			},
+			want: want{
+				err: errors.New("a RoleARN must be set to assume with web identity"),
+			},
+		},
+		"EmptyAssumeRoleWithWebIdentityOptions": {
+			args: args{
+				pcs: v1beta1.ProviderConfigSpec{
+					AssumeRoleWithWebIdentity: &v1beta1.AssumeRoleWithWebIdentityOptions{},
+				},
+			},
+			want: want{
+				err: errors.New("a RoleARN must be set to assume with web identity"),
+			},
+		},
+		"AssumeRoleWithWebIdentityOptions": {
+			args: args{
+				pcs: v1beta1.ProviderConfigSpec{
+					AssumeRoleWithWebIdentity: &v1beta1.AssumeRoleWithWebIdentityOptions{
+						RoleARN: &roleARN,
+					},
+				},
+			},
+			want: want{
+				arn: "test-arn",
+			},
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+
+			roleArn, err := GetAssumeRoleWithWebIdentityARN(&tc.args.pcs)
+			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
+				t.Errorf("Wrap: -want, +got:\n%s", diff)
+			}
+
+			if diff := cmp.Diff(tc.want.arn, StringValue(roleArn)); diff != "" {
+				t.Errorf("Wrap: -want, +got:\n%s", diff)
+			}
+		})
+	}
+}
+
 func TestSetAssumeroleOptions(t *testing.T) {
 	externalID := "test-id"
 	externalIDDep := "test-id-deprecated"
@@ -300,6 +361,61 @@ func TestSetAssumeroleOptions(t *testing.T) {
 	}
 }
 
+func TestSetWebIdentityRoleOptions(t *testing.T) {
+	sessionName := "test-id"
+
+	type args struct {
+		pc v1beta1.ProviderConfig
+	}
+	type want struct {
+		aro stscreds.WebIdentityRoleOptions
+	}
+	cases := map[string]struct {
+		args args
+		want want
+	}{
+		"NoOptionsSet": {
+			args: args{
+				pc: v1beta1.ProviderConfig{
+					Spec: v1beta1.ProviderConfigSpec{},
+				},
+			},
+			want: want{
+				aro: stscreds.WebIdentityRoleOptions{},
+			},
+		},
+		"BasicAssumeRoleWithWebIdentity": {
+			args: args{
+				pc: v1beta1.ProviderConfig{
+					Spec: v1beta1.ProviderConfigSpec{
+						AssumeRoleWithWebIdentity: &v1beta1.AssumeRoleWithWebIdentityOptions{
+							RoleSessionName: sessionName,
+						},
+					},
+				},
+			},
+			want: want{
+				aro: stscreds.WebIdentityRoleOptions{
+					RoleSessionName: sessionName,
+				},
+			},
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+
+			aro := stscreds.WebIdentityRoleOptions{}
+			f := SetWebIdentityRoleOptions(&tc.args.pc)
+			f(&aro)
+
+			if diff := cmp.Diff(tc.want.aro, aro, cmpopts.IgnoreUnexported(stscredstypesv2.Tag{})); diff != "" {
+				t.Errorf("Wrap: -want, +got:\n%s", diff)
+			}
+		})
+	}
+}
+
 func TestDiffTags(t *testing.T) {
 	type args struct {
 		local  map[string]string