Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for consuming web identity credentials #238

Merged
merged 1 commit into from Jul 22, 2021

Conversation

olemarkus
Copy link
Member

@olemarkus olemarkus commented Jul 11, 2021

CCM builds its own credential providers list and configures them directly instead of using those from the session.
This PR checks the presence of the web identity env vars and adds a web identity role provider.

What type of PR is this?
/kind feature

What this PR does / why we need it:

I have been working on IRSA support for the AWS CCM for kOps, and I had to add something like this in order for CCM to pick up the AWS credentials. Without this, it would just use the instance role, which no longer has the necessary AWS permissions to run CCM.

Cloud Controller Manager can now consume credentials through web identity role credentials.

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 11, 2021
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 11, 2021
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 19, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 19, 2021
@@ -1194,7 +1195,16 @@ func init() {
}

var provider credentials.Provider
if cfg.Global.RoleARN == "" {
if os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != "" {
Copy link
Contributor

@nckturner nckturner Jul 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know we already have this unfortunate if statement, but it seems like the purpose of credentials.NewChainCredentials is to allow an order to be specified -- can we simply add the NewWebIdentityRoleProvider to the chain?

I think what we should have done instead of if cfg.Global.RoleARN == "" ..., is to just create a custom provider similar to AssumeRoleProvider which takes an arn from the config file, and just add it to the NewChainCredentials call (if the role is not provided it should return an error and the next provider will be called).

Let me know if you already tried something like that--perhaps I'm misunderstanding why it was originally done this way.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, the identity session should have been picked up from the original session that we pass on with:

	&credentials.StaticProvider{
		Value: sess.Config.Credentials.Get(),
	}

Maybe it is as simple as enabling the shared config:

		sess, err = session.NewSessionWithOptions(session.Options{
			Config:            *cfg,
			SharedConfigState: session.SharedConfigEnable,
		})

Let me try that.

@olemarkus
Copy link
Member Author

@nckturner I changed the PR to obtain credentials from the default credentials chain instead. The effect should be similar, but doesn't duplicate the logic for building the web identity credentials.

CCM builds its own credential providers list and configures them directly instead of using those from the session.
This PR will only pass on the list if an IAM role from cloudconfig is used. If not, we pass on nil so that the default credential chain is used instead.
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 22, 2021
@olemarkus
Copy link
Member Author

Just realised the problem with this approach is that credentials probably will not renew itself. I tweaked this approach a bit to only pass on the list of credentials providers if we are actually using the role from cloudconfig. Passing on nil otherwise will make sessions just use the default credential list otherwise, which will now also support web identity credentials.

@nckturner
Copy link
Contributor

Agreed, using the default chain is a better approach. Thanks!

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 22, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nckturner, olemarkus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants