Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws signing filter: dynamic configuration of WebIdentityToken and RoleARN #36109

Open
mathetake opened this issue Sep 13, 2024 · 4 comments · May be fixed by #36217
Open

aws signing filter: dynamic configuration of WebIdentityToken and RoleARN #36109

mathetake opened this issue Sep 13, 2024 · 4 comments · May be fixed by #36217
Labels
area/aws enhancement Feature requests. Not bugs or questions.

Comments

@mathetake
Copy link
Member

mathetake commented Sep 13, 2024
edited
Loading

Title: aws signing filter: dynamic configuration of WebIdentityToken and RoleARN

Description:

Currently, for AssumeRoleWithWebIdentity, AWS singing filter can only extract WebIdentityToken from the local file pointed by AWS_WEB_IDENTITY_TOKEN_FILE environment variable. Also, the role arn can only be configured via AWS_ROLE_ARN.

I would love to configure them via xds.

The dynamically configured token will be passed at

envoy/source/extensions/common/aws/credentials_provider_impl.cc

Line 775 in 0ad67a1

const auto web_token_file_or_error = api_.fileSystem().fileReadToEnd(token_file_path_);

where currently the token read from the local file is passed.

The arn will be passed at

envoy/source/extensions/common/aws/credentials_provider_impl.cc

Line 793 in 0ad67a1

Envoy::Http::Utility::PercentEncoding::encode(role_arn_),

@mathetake mathetake added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Sep 13, 2024
@mathetake
Copy link
Member Author

mathetake commented Sep 13, 2024
edited
Loading

Not only the token but also I would like to dynamically configure AWS_ROLE_ARN as well

edited: modified the title and description accordingly.

@ravenblackx
Copy link
Contributor

cc @suniltheta

@ravenblackx ravenblackx added area/aws and removed triage Issue requires triage labels Sep 13, 2024
@mathetake mathetake changed the title aws signing filter: suport for dynamic configuration of WebIdentityToken aws signing filter: dynamic configuration of WebIdentityToken and RoleARN Sep 14, 2024
@mathetake
Copy link
Member Author 

diff --git a/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto b/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
index 5729d7f503..ef23e3b664 100644
--- a/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
+++ b/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
@@ -107,6 +107,24 @@ message AwsRequestSigning {
   // query_string: {}
   //
   QueryString query_string = 7;
+
+  // The credential provider for signing the request. This is optional and if not set,
+  // it will be retrieved from the procedure described in :ref:`config_http_filters_aws_request_signing`.
+  AwsRequestSigningCredentialProvider credential_provider = 8;
+}
+
+message AwsRequestSigningCredentialProvider {
+  oneof provider {
+    AssumeRoleWithWebIdentity assume_role_with_web_identity = 1;
+  }
+
+  message AssumeRoleWithWebIdentity {
+    // The ARN of the role to assume.
+    string role_arn = 1;
+
+    // The identity token that is provided by the identity provider to assume the role.
+    string identity_token = 2;
+  }
 }

quickly sketched a rough potential API change - wdyt? @suniltheta

@suniltheta
Copy link
Contributor

yes, sounds good to have the configurable option.
cc: @nbaws

@mathetake mathetake linked a pull request Sep 19, 2024 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/aws enhancement Feature requests. Not bugs or questions.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

aws: adds support for dynamically configurable credential mathetake/envoy
3 participants
@ravenblackx @suniltheta @mathetake