aws: Implementation of IAM Roles anywhere support in aws request signing (https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)#37193
Conversation
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Signed-off-by: Nigel Brittain <[email protected]> update initialisation Signed-off-by: Nigel Brittain <[email protected]> make tests compile Signed-off-by: Nigel Brittain <[email protected]> refactor Signed-off-by: Nigel Brittain <[email protected]> builds ok Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> add test cases Signed-off-by: Nigel Brittain <[email protected]> update test Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> cleanup Signed-off-by: Nigel Brittain <[email protected]> cleanup Signed-off-by: Nigel Brittain <[email protected]> update test cases Signed-off-by: Nigel Brittain <[email protected]> signing test cases Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> documentation Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> content type Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> revert some configs Signed-off-by: Nigel Brittain <[email protected]> revert some changes Signed-off-by: Nigel Brittain <[email protected]> revert some changes Signed-off-by: Nigel Brittain <[email protected]> revert additional change Signed-off-by: Nigel Brittain <[email protected]> partial refactor Signed-off-by: Nigel Brittain <[email protected]> refactor Signed-off-by: Nigel Brittain <[email protected]> refactor and format Signed-off-by: Nigel Brittain <[email protected]> fix mocks Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> documentation Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> webidentity Signed-off-by: Nigel Brittain <[email protected]> still one test case broken Signed-off-by: Nigel Brittain <[email protected]> fixing test cases Signed-off-by: Nigel Brittain <[email protected]> working expiration Signed-off-by: Nigel Brittain <[email protected]> more test cases Signed-off-by: Nigel Brittain <[email protected]> update test cases Signed-off-by: Nigel Brittain <[email protected]> asan Signed-off-by: Nigel Brittain <[email protected]> ssl init Signed-off-by: Nigel Brittain <[email protected]> leaks Signed-off-by: Nigel Brittain <[email protected]> coverage Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> additional test cases Signed-off-by: Nigel Brittain <[email protected]> additional test cases Signed-off-by: Nigel Brittain <[email protected]> data source modifications Signed-off-by: Nigel Brittain <[email protected]> more data source mods Signed-off-by: Nigel Brittain <[email protected]> test case fix Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> cert signing algorithm Signed-off-by: Nigel Brittain <[email protected]> update headers Signed-off-by: Nigel Brittain <[email protected]> update headers Signed-off-by: Nigel Brittain <[email protected]> update Signed-off-by: Nigel Brittain <[email protected]> test case Signed-off-by: Nigel Brittain <[email protected]> test case Signed-off-by: Nigel Brittain <[email protected]> update test case Signed-off-by: Nigel Brittain <[email protected]> no test leak Signed-off-by: Nigel Brittain <[email protected]> updated test case Signed-off-by: Nigel Brittain <[email protected]> update tests Signed-off-by: Nigel Brittain <[email protected]> test update Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> format Signed-off-by: Nigel Brittain <[email protected]> update test case Signed-off-by: Nigel Brittain <[email protected]> update test case Signed-off-by: Nigel Brittain <[email protected]> update test cases Signed-off-by: Nigel Brittain <[email protected]> update asn1 time Signed-off-by: Nigel Brittain <[email protected]> fix test cases Signed-off-by: Nigel Brittain <[email protected]>
nbaws
force-pushed
the
roles_anywhere
branch
from
3884e8e to
e752b1d
Compare
|
@suniltheta if you have bandwidth |
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
suniltheta
left a comment
suniltheta
left a comment
There was a problem hiding this comment.
Couldn't go through all the files. Would it be possible to break the PR into multiple smaller chunks?
There are several functions, for example functions inside source/extensions/common/aws/signer_base_impl.cc or pemToAlgorithmSerialExpiration which are tricky to review since I don't have context on how it should be written. If you are able to break down the PR into individual pieces you can link in code comments from the docs what that piece of function is trying to solve based on the guidance given in https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html or other docs page.
I see we have two new high level CredentailsProvider class IAMRolesAnywhereX509CredentialsProvider & IAMRolesAnywhereCredentialsProvider. Would it be possible to add docs comments to explain what each of these classes are doing? If you happen to have a short doc, will help with the getting the context.
|
|
||
| string role_session_name = 7; | ||
|
|
||
| google.protobuf.Duration session_duration = 8 [(validate.rules).duration = { |
There was a problem hiding this comment.
does this take a default value if not specified?
There was a problem hiding this comment.
If not specified there will be no duration sent, and the service will choose the duration. From https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html:
durationSeconds
The duration, in seconds, of the role session. The value is optional and can range from 900 seconds (15 minutes) up to 43200 seconds (12 hours).
There was a problem hiding this comment.
If durationSeconds is provided in the CreateSession (IAM Roles Anywhere credentialing API) request, the duration of the resulting session will be min(durationSeconds, profileDurationSeconds), where profileDurationSeconds is the durationSeconds value on the profile used in the request. Otherwise, if durationSeconds isn't provided in the request, profileDurationSeconds is used. Note that all of this just determines the value for durationSeconds that IAM Roles Anywhere sends in the AssumeRole request to STS (which the service will do internally). So if the maxSessionDuration on the role doesn't allow for the duration obtained through the described process, you'll receive a 403.
There was a problem hiding this comment.
so the proto constraint should enforce the sizing in config, however it's entirely optional for the user to provide here. we should have 403 covered in test cases, but i will double check what is logged so it is possible to troubleshoot it
TY for your look through. I will add additional comments, and also carve off this code into its own source file so it is easier to understand. I will also add design documentation as per your suggestion. |
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
|
@suniltheta I've refactored so this has less impact on existing source files. Fundamental code is the same and I've added a small design doc here: #37440 Please let me know if you'd like any more detail here. |
13ajay
left a comment
13ajay
left a comment
There was a problem hiding this comment.
I haven't gone through the entire PR yet, but I have gone through some of it. I'll add comments on the rest when I get around to it.
|
|
||
| string role_session_name = 7; | ||
|
|
||
| google.protobuf.Duration session_duration = 8 [(validate.rules).duration = { |
There was a problem hiding this comment.
If durationSeconds is provided in the CreateSession (IAM Roles Anywhere credentialing API) request, the duration of the resulting session will be min(durationSeconds, profileDurationSeconds), where profileDurationSeconds is the durationSeconds value on the profile used in the request. Otherwise, if durationSeconds isn't provided in the request, profileDurationSeconds is used. Note that all of this just determines the value for durationSeconds that IAM Roles Anywhere sends in the AssumeRole request to STS (which the service will do internally). So if the maxSessionDuration on the role doesn't allow for the duration obtained through the described process, you'll receive a 403.
source/extensions/common/aws/iam_roles_anywhere_credentials_provider_impl.cc
Show resolved
Hide resolved
Signed-off-by: Nigel Brittain <[email protected]>
|
/retest |
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
Signed-off-by: Nigel Brittain <[email protected]>
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
github-actions
bot
added
the
stale
|
This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
Commit Message: aws: Implementation of IAM Roles anywhere support in aws request signing Additional Description: Part 1 of patch to implement IAM Roles anywhere capability. Adds the x509 credential type and the x509 signing base library. Design brief: #37440 Previous PR: #37193 (https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) Risk Level: Negligible - code currently unlinked Testing: Unit Docs Changes: N/A Release Notes: N/A Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Nigel Brittain <[email protected]>
Commit Message: aws: Implementation of IAM Roles anywhere support in aws request signing Additional Description: Part 1 of patch to implement IAM Roles anywhere capability. Adds the x509 credential type and the x509 signing base library. Design brief: envoyproxy#37440 Previous PR: envoyproxy#37193 (https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) Risk Level: Negligible - code currently unlinked Testing: Unit Docs Changes: N/A Release Notes: N/A Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Nigel Brittain <[email protected]>
4 participants
Commit Message: aws: Implementation of IAM Roles anywhere support in aws request signing
Additional Description: Creates an additional x509 credential type and adds custom signing support for IAM Roles Anywhere
Risk Level: Low
Testing: Unit
Docs Changes: doc update and sample config included
Release Notes: changelog update
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]