Allow specifying AWS role at runtime

[rittneje]

Fixes #80.

Testing

We have been using this feature on our CloudBees instance for several months now. We have not experienced any issues with it. We have been fetching credentials in two ways:

1. credentialsId, roleArn and roleSessionName provided
2. credentialsId, accessKeyVariable, and secretKeyVariable provided

Both have been working flawlessly.

In addition, when implementing this change, I did integration testing on our CloudBees instance to cover the following cases:

1. credentialsId, roleArn, roleSessionName, and roleSessionDurationSeconds
2. credentialsId and roleArn
3. credentialsId and roleArn, with roleSessionName as the empty string
4. credentialsId, with roleArn as the empty string
5. just credentialsId

All of these cases passed, as verified by calling sh 'aws sts get-caller-identity' within the withCredentials block.

[rittneje]

ping @jglick @escoem

[jglick]

I am not a maintainer.

[rittneje]

@jglick Any idea who the maintainers are?

[jglick]

@escoem perhaps.

[rittneje]

ping @escoem

[rittneje]

ping @escoem

[rittneje]

ping @escoem

[rittneje]

ping @escoem

[rittneje]

@escoem Is this project abandoned? This change is pretty important for us.

[rittneje]

ping @andresrc

[alecharp]

The big missing part of this PR is a test.
I don't know how much of code coverage we have here but changing code related with credentials without tests is a big risk.

The RoleSessionDurationSeconds limits problem I commented would have been detected with a test.

[alecharp]

We might have a problem here.
The setter requires a value between 900 and 3600, or it throws an IllegalArgumentException. But we are not checking this.
However, the STSAssumeRoleSessionCredentialsProvider constructor will use DEFAULT_DURATION_SECONDS (900) if the value is equal to 0.

I would suggest to either have a doCheckX method in the descriptor to validate that the duration is truly between 900 and 3600. You can even have the default value to 900. This would not be used in pipeline setup.
Or you need to change the condition here.

(option 1)

Suggested change

	.withStsClient(stsClient);
	if (this.roleSessionDurationSeconds > 0) {
	assumeRoleProviderBuilder = assumeRoleProviderBuilder
	.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);
	}
	.withStsClient(stsClient)
	.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);

(option 2)

Suggested change

	.withStsClient(stsClient);
	if (this.roleSessionDurationSeconds > 0) {
	assumeRoleProviderBuilder = assumeRoleProviderBuilder
	.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);
	}
	.withStsClient(stsClient);
	if (this.roleSessionDurationSeconds >= 900 && this.roleSessionDurationSeconds <= 3600) {
	assumeRoleProviderBuilder = assumeRoleProviderBuilder
	.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);
	}

[rittneje]

My intent was to let the bounds just be controlled by the AWS SDK so that you don't have to keep the two in sync. (For example, a newer version of the SDK might change it so you can assume a role for up to 2 hours.) Similarly, I think it makes more sense to allow the default value to be chosen by the SDK, as it currently is.

[alecharp]

I understand. The problem is that the "check" will be done by the library which throws an exception. I'm not sure this is the most clear way to handle the situation for users.

[rittneje]

I'm a little confused. What exactly would we do in this code if the role session duration is out of bounds other than throw an exception ourselves?

[rittneje]

The big missing part of this PR is a test.
I don't know how much of code coverage we have here but changing code related with credentials without tests is a big risk.

The RoleSessionDurationSeconds limits problem I commented would have been detected with a test.

@alecharp I would need some guidance on how to write such tests. There don't appear to be any existing tests other than ConfigurationAsCodeTest.java (which is irrelevant).

[jglick]

Neither this plugin, nor aws-global-configuration, nor aws-java-sdk, have any tests which could actually exercise services.

artifact-manager-s3 has some Dockerized tests which run against MinIO; and some “live” tests which require AWS credentials and currently run only on a private server maintained by CloudBees, or on your local machine if you care to run them. In neither case would IAM/STS exotica like role assumption or MFAs be covered.

pipeline-cloudwatch-logs also has some live tests (currently not run in CI anywhere) and actually does do an AssumeRole call, but for specialized purposes and of course not covering the code in this PR.

Writing tests against live AWS is certainly possible, with some effort; making them exercise specific IAM/STS features is particularly hard, since the person/process running the test may not physically be permitted to use that feature, depending on how their account is set up. You can try to run Dockerized tests against OpenStack or various mock frameworks, but identity & security systems are likely to be the least accurately simulated, and anyway this is hardly proving that the code would actually work in AWS itself (though it could help detect regressions from routine refactorings not touching the basic design).

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

ping @alecharp

[rittneje]

@alecharp This pull request has been open for almost 8 months. It has been over 3 months since you reviewed. Please merge this already. If you don't have the time to review it, then please tell me who can.

cc @escoem @andresrc

[rittneje]

@alecharp @escoem @andresrc

[rittneje]

@alecharp @escoem @andresrc

[rittneje]

@alecharp @escoem @andresrc

[rittneje]

@alecharp @escoem @andresrc

[alecharp]

LGTM. Seems we just have to wait a bit for @escoem to be available to merge and release this.