
ref: use AWS's AssumeRoleProvider to refresh credentials
Martin Linkhorst committed Apr 17, 2018
1 parent 587b412 commit 4dd4dec
Showing 3 changed files with 10 additions and 24 deletions.
3 changes: 2 additions & 1 deletion pkg/apis/externaldns/types.go
Expand Up @@ -91,6 +91,7 @@ var defaultConfig = &Config{
GoogleProject: "",
DomainFilter: []string{},
AWSZoneType: "",
AWSAssumeRole: "",
AzureConfigFile: "/etc/kubernetes/azure.json",
AzureResourceGroup: "",
CloudflareProxied: false,
Expand Down Expand Up @@ -165,7 +166,7 @@ func (cfg *Config) ParseFlags(args []string) error {
app.Flag("zone-id-filter", "Filter target zones by hosted zone id; specify multiple times for multiple zones (optional)").Default("").StringsVar(&cfg.ZoneIDFilter)
app.Flag("google-project", "When using the Google provider, current project is auto-detected, when running on GCP. Specify other project with this. Must be specified when running outside GCP.").Default(defaultConfig.GoogleProject).StringVar(&cfg.GoogleProject)
app.Flag("aws-zone-type", "When using the AWS provider, filter for zones of this type (optional, options: public, private)").Default(defaultConfig.AWSZoneType).EnumVar(&cfg.AWSZoneType, "", "public", "private")
app.Flag("aws-assume-role", "TODO").StringVar(&cfg.AWSAssumeRole)
app.Flag("aws-assume-role", "When using the AWS provider, assume this IAM role. Useful for hosted zones in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123455567:role/external-dns` (optional)").Default(defaultConfig.AWSAssumeRole).StringVar(&cfg.AWSAssumeRole)
app.Flag("azure-config-file", "When using the Azure provider, specify the Azure configuration file (required when --provider=azure").Default(defaultConfig.AzureConfigFile).StringVar(&cfg.AzureConfigFile)
app.Flag("azure-resource-group", "When using the Azure provider, override the Azure resource group to use (optional)").Default(defaultConfig.AzureResourceGroup).StringVar(&cfg.AzureResourceGroup)
app.Flag("cloudflare-proxied", "When using the Cloudflare provider, specify if the proxy mode must be enabled (default: disabled)").BoolVar(&cfg.CloudflareProxied)
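Review bot: The example ARN in the new `aws-assume-role` help text, `arn:aws:iam::123455567:role/external-dns`, carries a 9-digit account ID, while AWS account IDs are 12 digits, so a user copying the pattern ends up with a malformed value that is presumably only rejected when the role is actually assumed. Suggest the conventional documentation placeholder instead, e.g. `arn:aws:iam::123456789012:role/external-dns` (constructed example). The flag is otherwise a free-form string with no ARN-shape validation at parse time; the hunk does not show whether the provider checks it before calling AssumeRole. ParseFlags continues past the end of the hunk.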
4 changes: 4 additions & 0 deletions pkg/apis/externaldns/types_test.go
Expand Up @@ -40,6 +40,7 @@ var (
DomainFilter: []string{""},
ZoneIDFilter: []string{""},
AWSZoneType: "",
AWSAssumeRole: "",
AzureConfigFile: "/etc/kubernetes/azure.json",
AzureResourceGroup: "",
CloudflareProxied: false,
Expand Down Expand Up @@ -74,6 +75,7 @@ var (
DomainFilter: []string{"example.org", "company.com"},
ZoneIDFilter: []string{"/hostedzone/ZTST1", "/hostedzone/ZTST2"},
AWSZoneType: "private",
AWSAssumeRole: "some-other-role",
AzureConfigFile: "azure.json",
AzureResourceGroup: "arg",
CloudflareProxied: true,
Expand Down Expand Up @@ -141,6 +143,7 @@ func TestParseFlags(t *testing.T) {
"--zone-id-filter=/hostedzone/ZTST1",
"--zone-id-filter=/hostedzone/ZTST2",
"--aws-zone-type=private",
"--aws-assume-role=some-other-role",
"--policy=upsert-only",
"--registry=noop",
"--txt-owner-id=owner-1",
Expand Down Expand Up @@ -180,6 +183,7 @@ func TestParseFlags(t *testing.T) {
"EXTERNAL_DNS_DOMAIN_FILTER": "example.org\ncompany.com",
"EXTERNAL_DNS_ZONE_ID_FILTER": "/hostedzone/ZTST1\n/hostedzone/ZTST2",
"EXTERNAL_DNS_AWS_ZONE_TYPE": "private",
"EXTERNAL_DNS_AWS_ASSUME_ROLE": "some-other-role",
"EXTERNAL_DNS_POLICY": "upsert-only",
"EXTERNAL_DNS_REGISTRY": "noop",
"EXTERNAL_DNS_TXT_OWNER_ID": "owner-1",
27 changes: 4 additions & 23 deletions provider/aws.go
Expand Up @@ -21,10 +21,9 @@ import (
"strings"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/route53"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/kubernetes-incubator/external-dns/endpoint"
"github.com/kubernetes-incubator/external-dns/plan"
"github.com/linki/instrumented_http"
Expand Down Expand Up @@ -84,7 +83,7 @@ type AWSProvider struct {
func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTypeFilter ZoneTypeFilter, assumeRole string, dryRun bool) (*AWSProvider, error) {
config := aws.NewConfig()

config = config.WithHTTPClient(
config.WithHTTPClient(
instrumented_http.NewClient(config.HTTPClient, &instrumented_http.Callbacks{
PathProcessor: func(path string) string {
parts := strings.Split(path, "/")
Expand All @@ -102,26 +101,8 @@ func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTy
}

if assumeRole != "" {
svc := sts.New(session)

params := &sts.AssumeRoleInput{
RoleArn: aws.String(assumeRole),
RoleSessionName: aws.String("external-dns"),
}

log.Infof("Assuming role %s..", aws.StringValue(params.RoleArn))

resp, err := svc.AssumeRole(params)
if err != nil {
return nil, err
}

session.Config.WithCredentials(credentials.NewStaticCredentialsFromCreds(credentials.Value{
AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId),
SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey),
SessionToken: aws.StringValue(resp.Credentials.SessionToken),
ProviderName: "assumeRoleProvider",
}))
log.Infof("Assuming role: %s", assumeRole)
config.WithCredentials(stscreds.NewCredentials(session, assumeRole))
}

provider := &AWSProvider{
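Review bot: The provider built on the new `config.WithCredentials(stscreds.NewCredentials(session, assumeRole))` line sets no RoleSessionName, so the SDK substitutes a timestamp-derived name and the fixed "external-dns" session name the removed AssumeRoleInput carried is lost; the AssumeRole event and every Route 53 call made with the temporary credentials are then no longer attributable to this process by name in CloudTrail. Passing the option restores it: `config.WithCredentials(stscreds.NewCredentials(session, assumeRole, func(p *stscreds.AssumeRoleProvider) { p.RoleSessionName = "external-dns" }))`. Moving to the provider does give the intended refresh-on-expiry behaviour, but that only helps if this `config` is the value later handed to the Route 53 client, which is outside the hunk and worth confirming. NewAWSProvider continues past the end of the hunk.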
