
cloud: support chaining of assumed roles #83712

Merged (1 commit), Jul 18, 2022

@rhu713 rhu713 commented Jul 1, 2022

Previously, a user could only assume a role in AWS or GCP directly, via the
identity specified by implicit or specified auth. This was inadequate because
there is a need to support role assumption through a chain of intermediate
delegate roles. To address this, this patch allows the ASSUME_ROLE parameter
in AWS and GCP storage and KMS URIs to specify a list of roles with a
comma-separated string. The roles in the list can then be chain assumed in
order to access the resource specified by the URI.

With this patch, if a destination in S3 can only be accessed by RoleB, and the
identity corresponding to implicit auth can only assume RoleB through an
intermediate role RoleA, then this chain assumption can be specified in the S3
URI:
s3://bucket/key?AUTH=implicit&ASSUME_ROLE=RoleA,RoleB

In addition, the parameters for auth in AWS URIs via assume role have been
changed so that the "assume" auth mode no longer exists, and the ASSUME_ROLE
param can be specified for both "specified" and "implicit" auth.

Finally, some AWS cloud unit tests, including the assume role tests, have been
added to the unit test nightly.

Release note (enterprise change): Allow the ASSUME_ROLE parameter in AWS and
GCP storage and KMS URIs to specify a list of roles with a comma-separated
string. The roles in the list can then be chain assumed in order to access the
resource specified by the URI.

For example, if a destination in S3 can only be accessed by RoleB, and the
identity corresponding to implicit auth can only assume RoleB through an
intermediate role RoleA, then this chain assumption can be specified in the S3
URI:
s3://bucket/key?AUTH=implicit&ASSUME_ROLE=RoleA,RoleB

In addition, remove the "assume" auth mode from AWS URIs, and instead use the
ASSUME_ROLE parameter to indicate that a role should be assumed for
authentication. Below are some examples:

S3: s3://<bucket>/<key>?AUTH=specified&ASSUME_ROLE=<role_arn>&AWS_ACCESS_KEY_ID=<access_key>&AWS_SECRET_ACCESS_KEY=<secret_key>
AWS KMS: aws:///<key_arn>?AUTH=implicit&REGION=<region>&ASSUME_ROLE=<role_arn>

Addresses #81453
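An added illustration of the URI semantics described above (not code from this PR or from CockroachDB): it parses AUTH and the comma-separated ASSUME_ROLE list from a storage or KMS URI and returns the ordered chain, where each hop is assumed using the credentials of the previous hop (or the base AUTH identity for the first), and it rejects the removed "assume" AUTH mode and empty list entries. The function and type names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// roleStep is one hop in the delegate chain: the role to assume and the
// identity (previous hop, or the base AUTH mode) whose credentials assume it.
type roleStep struct {
	AssumedBy string
	Role      string
}

// parseAssumeRoleChain reads AUTH and ASSUME_ROLE from a cloud URI and returns
// the ordered hops; nil, nil means no role assumption (use the base identity).
func parseAssumeRoleChain(uri string) ([]roleStep, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	auth := q.Get("AUTH")
	switch auth {
	case "":
		auth = "specified" // default assumed for this example
	case "implicit", "specified":
	case "assume":
		return nil, fmt.Errorf("AUTH=assume was removed; use ASSUME_ROLE with AUTH=implicit or AUTH=specified")
	default:
		return nil, fmt.Errorf("unknown AUTH mode %q", auth)
	}
	raw := q.Get("ASSUME_ROLE")
	if raw == "" {
		return nil, nil
	}
	var chain []roleStep
	prev := "auth=" + auth // first hop is assumed by the base identity
	for _, r := range strings.Split(raw, ",") {
		r = strings.TrimSpace(r)
		if r == "" {
			return nil, fmt.Errorf("ASSUME_ROLE %q contains an empty role", raw)
		}
		chain = append(chain, roleStep{AssumedBy: prev, Role: r})
		prev = r // the next hop is assumed with this role's credentials
	}
	return chain, nil
}
```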

@rhu713 rhu713 force-pushed the role-chaining branch 11 times, most recently from 7dbff55 to f7c0a41 July 5, 2022 20:07
@rhu713 rhu713 marked this pull request as ready for review July 5, 2022 21:03
@rhu713 rhu713 requested a review from a team as a code owner July 5, 2022 21:03
@rhu713 rhu713 requested a review from a team July 5, 2022 21:03
@rhu713 rhu713 requested a review from a team as a code owner July 5, 2022 21:03
@rhu713 rhu713 requested a review from msbutler July 5, 2022 21:03
@msbutler msbutler requested review from adityamaru and removed request for msbutler July 7, 2022 10:31
@rhu713 rhu713 changed the title Role chaining cloud: support chaining of assumed roles Jul 11, 2022
@adityamaru adityamaru left a comment

Mostly LGTM! Just a few nits and a question about testing IMPLICIT + chaining everywhere. Thanks for adding the AWS tests to the nightly as well 🙌

Review comments on:
pkg/cloud/amazon/aws_kms.go
pkg/cloud/gcp/gcs_storage.go
pkg/cloud/uris.go
pkg/cloud/gcp/gcs_storage_test.go
pkg/cloud/amazon/aws_kms_test.go
pkg/cloud/amazon/s3_storage.go
pkg/cloud/amazon/s3_storage_test.go
rhu713 commented Jul 18, 2022

bors r+

craig bot commented Jul 18, 2022

Build failed:

rhu713 commented Jul 18, 2022

bors retry

craig bot commented Jul 18, 2022

Build failed (retrying...):

craig bot commented Jul 18, 2022

Build failed (retrying...):

craig bot commented Jul 18, 2022

Build succeeded:
