aws/session: Add support for assuming role via Web Identity Tokens #2667
Conversation
| "AWS_WEB_IDENTITY_TOKEN_FILE", | ||
| } | ||
| webIdentityRoleARNEnvKey = []string{ | ||
| "AWS_ROLE_ARN", |
There was a problem hiding this comment.
Hi @jasdel 👋 Could you clarify the positioning around this new AWS_ROLE_ARN environment variable? It is noted and implemented here in the context of being just for web identity authentication, but are there plans to utilize this new AWS_ROLE_ARN environment variable as a standard around assuming a role in general?
We have use cases where assuming a role via a standardized environment variable (outside web identity authentication) would be very helpful within the Terraform AWS Provider session initialization, since it tends to be run in automation/CI scenarios. 😄
If there is the potential for general usage of this same environment variable, would it be possible to relax the new aws/session/credentials.go implementation to only return an error if AWS_WEB_IDENTITY_TOKEN_FILE is provided and AWS_ROLE_ARN is missing?
Thanks so much!
There was a problem hiding this comment.
Thanks for bringing this up. AWS_ROLE_ARN is indeed intended to allow generic Role ARN usage outside of the Web identity Token's provider.
I think the behavior your describe will be supported by this change once the integration between the providers is fixed. I'm working on this, and SDK's credential chain behavior with these new options.
The SDK's behavior around the shared config file also needs to be updated to reflect this new concept, and make web identity token play nicely with the existing credential providers.
There was a problem hiding this comment.
I'm going to have to walk back my statment on AWS_ROLE_ARN generic behavior. I think ideally AWS_ROLE_ARN should be used by the SDK to provide another source for an Role ARN, but this adds quite a bit of complexity to the SDK's credential chain. Especially, if the AWS_ROLE_ARN can be mixed with the shared config/credentials file to enable assume role with config/credentials. It will be important to get this behavior consistent across the SDKs.
Initially, in this change, AWS_ROLE_ARN will only be usable with the web identity token. In the future I think there is a lot of value for us to evaluate expanding this behavior to apply to other credential sources.
It might make sense to evaluate this behavior and update it so that AWS_ROLE_ARN could be applied to other environment configuration, such as environment static credentials, ECS credentials and the new web identity.
There was a problem hiding this comment.
That is great to hear, @jasdel! Thank you for the consideration here. Would you prefer if you/I opened a top level issue for this feature request?
There was a problem hiding this comment.
Thanks @bflad, creating a new feature request would be great. We can keep track of the discussion how the SDK(s) should use AWS_ROLE_ARN with their existing credential providers and chain.
There was a problem hiding this comment.
Here's the feature request for supporting AWS_ROLE_ARN with the environment credentials provider: https://github.com/aws/aws-sdk-go/issues/2802
jasdel
force-pushed
the
feature/AssumeRoleWebIdentity
branch
2 times, most recently
from
2719d10 to
651883f
Compare
jasdel
added
needs-review
jasdel
force-pushed
the
feature/AssumeRoleWebIdentity
branch
from
3d700e5 to
77d232f
Compare
jasdel
force-pushed
the
feature/AssumeRoleWebIdentity
branch
from
77d232f to
a0e50bd
Compare
jasdel
force-pushed
the
feature/AssumeRoleWebIdentity
branch
from
a0e50bd to
da51c9d
Compare
After aws/aws-sdk-go#2667 sdk supports https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html Let's enable it here
Adds support for assuming an role via the Web Identity Token. Allows for OIDC token files to be used by specifying the token path through the
AWS_WEB_IDENTITY_TOKEN_FILE, andAWS_ROLE_ARNenvironment variables.Replaces PR #2193