Merge pull request #524 from linki/assume-role

AWS: Allow to assume another role
kubernetes-sigs · Apr 18, 2018 · 8819ed6 · 8819ed6
2 parents 68be609 + 790a782
commit 8819ed6
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/main.go b/main.go
@@ -94,7 +94,7 @@ func main() {
 	var p provider.Provider
 	switch cfg.Provider {
 	case "aws":
-		p, err = provider.NewAWSProvider(domainFilter, zoneIDFilter, zoneTypeFilter, cfg.DryRun)
+		p, err = provider.NewAWSProvider(domainFilter, zoneIDFilter, zoneTypeFilter, cfg.AWSAssumeRole, cfg.DryRun)
 	case "azure":
 		p, err = provider.NewAzureProvider(cfg.AzureConfigFile, domainFilter, zoneIDFilter, cfg.AzureResourceGroup, cfg.DryRun)
 	case "cloudflare":

diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
@@ -50,6 +50,7 @@ type Config struct {
 	DomainFilter             []string
 	ZoneIDFilter             []string
 	AWSZoneType              string
+	AWSAssumeRole            string
 	AzureConfigFile          string
 	AzureResourceGroup       string
 	CloudflareProxied        bool
@@ -92,6 +93,7 @@ var defaultConfig = &Config{
 	GoogleProject:            "",
 	DomainFilter:             []string{},
 	AWSZoneType:              "",
+	AWSAssumeRole:            "",
 	AzureConfigFile:          "/etc/kubernetes/azure.json",
 	AzureResourceGroup:       "",
 	CloudflareProxied:        false,
@@ -168,6 +170,7 @@ func (cfg *Config) ParseFlags(args []string) error {
 	app.Flag("zone-id-filter", "Filter target zones by hosted zone id; specify multiple times for multiple zones (optional)").Default("").StringsVar(&cfg.ZoneIDFilter)
 	app.Flag("google-project", "When using the Google provider, current project is auto-detected, when running on GCP. Specify other project with this. Must be specified when running outside GCP.").Default(defaultConfig.GoogleProject).StringVar(&cfg.GoogleProject)
 	app.Flag("aws-zone-type", "When using the AWS provider, filter for zones of this type (optional, options: public, private)").Default(defaultConfig.AWSZoneType).EnumVar(&cfg.AWSZoneType, "", "public", "private")
+	app.Flag("aws-assume-role", "When using the AWS provider, assume this IAM role. Useful for hosted zones in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123455567:role/external-dns` (optional)").Default(defaultConfig.AWSAssumeRole).StringVar(&cfg.AWSAssumeRole)
 	app.Flag("azure-config-file", "When using the Azure provider, specify the Azure configuration file (required when --provider=azure").Default(defaultConfig.AzureConfigFile).StringVar(&cfg.AzureConfigFile)
 	app.Flag("azure-resource-group", "When using the Azure provider, override the Azure resource group to use (optional)").Default(defaultConfig.AzureResourceGroup).StringVar(&cfg.AzureResourceGroup)
 	app.Flag("cloudflare-proxied", "When using the Cloudflare provider, specify if the proxy mode must be enabled (default: disabled)").BoolVar(&cfg.CloudflareProxied)

diff --git a/pkg/apis/externaldns/types_test.go b/pkg/apis/externaldns/types_test.go
@@ -40,6 +40,7 @@ var (
 		DomainFilter:         []string{""},
 		ZoneIDFilter:         []string{""},
 		AWSZoneType:          "",
+		AWSAssumeRole:        "",
 		AzureConfigFile:      "/etc/kubernetes/azure.json",
 		AzureResourceGroup:   "",
 		CloudflareProxied:    false,
@@ -76,6 +77,7 @@ var (
 		DomainFilter:         []string{"example.org", "company.com"},
 		ZoneIDFilter:         []string{"/hostedzone/ZTST1", "/hostedzone/ZTST2"},
 		AWSZoneType:          "private",
+		AWSAssumeRole:        "some-other-role",
 		AzureConfigFile:      "azure.json",
 		AzureResourceGroup:   "arg",
 		CloudflareProxied:    true,
@@ -147,6 +149,7 @@ func TestParseFlags(t *testing.T) {
 				"--zone-id-filter=/hostedzone/ZTST1",
 				"--zone-id-filter=/hostedzone/ZTST2",
 				"--aws-zone-type=private",
+				"--aws-assume-role=some-other-role",
 				"--policy=upsert-only",
 				"--registry=noop",
 				"--txt-owner-id=owner-1",
@@ -188,6 +191,7 @@ func TestParseFlags(t *testing.T) {
 				"EXTERNAL_DNS_PDNS_API_KEY":           "some-secret-key",
 				"EXTERNAL_DNS_ZONE_ID_FILTER":         "/hostedzone/ZTST1\n/hostedzone/ZTST2",
 				"EXTERNAL_DNS_AWS_ZONE_TYPE":          "private",
+				"EXTERNAL_DNS_AWS_ASSUME_ROLE":        "some-other-role",
 				"EXTERNAL_DNS_POLICY":                 "upsert-only",
 				"EXTERNAL_DNS_REGISTRY":               "noop",
 				"EXTERNAL_DNS_TXT_OWNER_ID":           "owner-1",

diff --git a/provider/aws.go b/provider/aws.go
@@ -21,6 +21,7 @@ import (
 	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/kubernetes-incubator/external-dns/endpoint"
@@ -79,10 +80,10 @@ type AWSProvider struct {
 }
 
 // NewAWSProvider initializes a new AWS Route53 based Provider.
-func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTypeFilter ZoneTypeFilter, dryRun bool) (*AWSProvider, error) {
+func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTypeFilter ZoneTypeFilter, assumeRole string, dryRun bool) (*AWSProvider, error) {
 	config := aws.NewConfig()
 
-	config = config.WithHTTPClient(
+	config.WithHTTPClient(
 		instrumented_http.NewClient(config.HTTPClient, &instrumented_http.Callbacks{
 			PathProcessor: func(path string) string {
 				parts := strings.Split(path, "/")
@@ -99,6 +100,11 @@ func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTy
 		return nil, err
 	}
 
+	if assumeRole != "" {
+		log.Infof("Assuming role: %s", assumeRole)
+		session.Config.WithCredentials(stscreds.NewCredentials(session, assumeRole))
+	}
+
 	provider := &AWSProvider{
 		client:         route53.New(session),
 		domainFilter:   domainFilter,