Use the access key for the fleetshard-sync AWS auth on the local dev environment

dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml

@@ -9,4 +9,5 @@ stringData:
   rhsso-service-account-client-id: "${RHSSO_SERVICE_ACCOUNT_CLIENT_ID}"
   rhsso-service-account-client-secret: "${RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}"
   aws-role-arn: "${AWS_ROLE_ARN}"
-  aws-token: "${AWS_STATIC_TOKEN}"
+  aws-access-key-id: "${AWS_ACCESS_KEY_ID}"
+  aws-secret-access-key: "${AWS_SECRET_ACCESS_KEY}"

dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml

@@ -51,11 +51,16 @@ spec:
               value: "$MANAGED_DB_SUBNET_GROUP"
             - name: MANAGED_DB_PERFORMANCE_INSIGHTS
               value: "$MANAGED_DB_PERFORMANCE_INSIGHTS"
-            - name: AWS_ROLE_ARN
+            - name: AWS_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
                   name: fleetshard-sync
-                  key: "aws-role-arn"
+                  key: "aws-access-key-id"
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: fleetshard-sync
+                  key: "aws-secret-access-key"
           image: "${FLEET_MANAGER_IMAGE}"
           imagePullPolicy: IfNotPresent
           name: fleetshard-sync
@@ -65,8 +70,6 @@ spec:
               name: secrets
             - mountPath: /config
               name: config
-            - mountPath: /var/run/secrets/tokens
-              name: aws-token
       restartPolicy: Always
       volumes:
         - name: secrets
@@ -76,9 +79,3 @@ spec:
         - name: config
           configMap:
             name: config
-        - name: aws-token
-          secret:
-            secretName: fleetshard-sync # pragma: allowlist secret
-            items:
-              - key: aws-token
-                path: aws-token

dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml

@@ -8,3 +8,7 @@ metadata:
 stringData:
   rhsso-service-account-client-id: {{ .Values.fleetshardSync.redHatSSO.clientId | quote }}
   rhsso-service-account-client-secret: {{ .Values.fleetshardSync.redHatSSO.clientSecret | quote }}
+  {{- if eq .Values.fleetshardSync.aws.enableTokenAuth false }}
+  aws-access-key-id: {{ required "fleetshardSync.aws.accessKeyId is required when fleetshardSync.aws.enableTokenAuth = false" .Values.fleetshardSync.aws.accessKeyId | quote }}
+  aws-secret-access-key: {{ required "fleetshardSync.aws.secretAccessKey is required when fleetshardSync.aws.enableTokenAuth = false" .Values.fleetshardSync.aws.secretAccessKey | quote }}
+  {{- end }}

dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml

@@ -80,6 +80,21 @@ spec:
           value: {{ .Values.fleetshardSync.telemetry.storage.endpoint | quote }}
         - name: TELEMETRY_STORAGE_KEY
           value: {{ .Values.fleetshardSync.telemetry.storage.key | quote }}
+        {{- if .Values.fleetshardSync.aws.enableTokenAuth }}
+        - name: AWS_WEB_IDENTITY_TOKEN_FILE
+          value: "/var/run/secrets/tokens/aws-token"
+        {{- else }}
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: fleetshard-sync
+              key: "aws-access-key-id"
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: fleetshard-sync
+              key: "aws-secret-access-key"
+        {{- end }}
         volumeMounts:
           - mountPath: /var/run/secrets/tokens
             name: aws-token

dp-terraform/helm/rhacs-terraform/values.yaml

@@ -35,6 +35,9 @@ fleetshardSync:
   aws:
     region: "us-east-1"  # TODO(2023-05-01): Remove the default value here as we now set it explicitly
     roleARN: ""
+    enableTokenAuth: true
+    accessKeyId: ""
+    secretAccessKey: ""
   telemetry:
     storage:
       endpoint: ""

fleetshard/config/config.go

@@ -30,18 +30,10 @@ type Config struct {
 	FeatureFlagUpgradeOperatorEnabled bool          `env:"FEATURE_FLAG_UPGRADE_OPERATOR_ENABLED" envDefault:"false"`
 	BaseCrdURL                        string        `env:"BASE_CRD_URL" envDefault:"https://raw.githubusercontent.com/stackrox/stackrox/%s/operator/bundle/manifests/"`
 
-	AWS       AWS
 	ManagedDB ManagedDB
 	Telemetry Telemetry
 }
 
-// AWS for configuring AWS specific parameters
-type AWS struct {
-	Region    string `env:"AWS_REGION" envDefault:"us-east-1"`
-	RoleARN   string `env:"AWS_ROLE_ARN"`
-	TokenFile string `env:"AWS_STS_TOKEN_FILE" envDefault:"/var/run/secrets/tokens/aws-token"`
-}
-
 // ManagedDB for configuring managed DB specific parameters
 type ManagedDB struct {
 	Enabled             bool   `env:"MANAGED_DB_ENABLED" envDefault:"false"`
@@ -86,9 +78,6 @@ func validateManagedDBConfig(c Config, configErrors *errorhelpers.ErrorList) {
 	if !c.ManagedDB.Enabled {
 		return
 	}
-	if c.AWS.RoleARN == "" {
-		configErrors.AddError(errors.New("MANAGED_DB_ENABLED == true and AWS_ROLE_ARN unset in the environment"))
-	}
 	if c.ManagedDB.SecurityGroup == "" {
 		configErrors.AddError(errors.New("MANAGED_DB_ENABLED == true and MANAGED_DB_SECURITY_GROUP unset in the environment"))
 	}

fleetshard/config/config_test.go

@@ -30,30 +30,17 @@ func TestSingleton_Failure(t *testing.T) {
 
 func TestSingleton_Success_WhenManagedDBEnabled(t *testing.T) {
 	t.Setenv("CLUSTER_ID", "some-value")
-	t.Setenv("AWS_ROLE_ARN", "arn:aws:iam::012456789:role/fake_role")
 	t.Setenv("MANAGED_DB_ENABLED", "true")
 	t.Setenv("MANAGED_DB_SECURITY_GROUP", "some-group")
 	cfg, err := GetConfig()
 	require.NoError(t, err)
-	assert.Equal(t, cfg.AWS.RoleARN, "arn:aws:iam::012456789:role/fake_role")
-	assert.Equal(t, cfg.AWS.Region, "us-east-1")
 	assert.Equal(t, cfg.ManagedDB.Enabled, true)
 	assert.Equal(t, cfg.ManagedDB.SecurityGroup, "some-group")
 }
 
-func TestSingleton_Failure_WhenManagedDBEnabledAndAWSRoleArnNotSet(t *testing.T) {
-	t.Setenv("CLUSTER_ID", "some-value")
-	t.Setenv("MANAGED_DB_ENABLED", "true")
-	t.Setenv("MANAGED_DB_SECURITY_GROUP", "some-group")
-	cfg, err := GetConfig()
-	assert.Error(t, err, "MANAGED_DB_ENABLED == true and AWS_ROLE_ARN unset in the environment")
-	assert.Nil(t, cfg)
-}
-
 func TestSingleton_Failure_WhenManagedDBEnabledAndManagedDbSecurityGroupNotSet(t *testing.T) {
 	t.Setenv("CLUSTER_ID", "some-value")
 	t.Setenv("MANAGED_DB_ENABLED", "true")
-	t.Setenv("AWS_ROLE_ARN", "arn:aws:iam::012456789:role/fake_role")
 	cfg, err := GetConfig()
 	assert.Error(t, err, "MANAGED_DB_ENABLED == true and MANAGED_DB_SECURITY_GROUP unset in the environment")
 	assert.Nil(t, cfg)

fleetshard/pkg/central/cloudprovider/awsclient/rds.go

@@ -9,11 +9,8 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
-	awscredentials "github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/rds"
-	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/golang/glog"
 	"github.com/stackrox/acs-fleet-manager/fleetshard/config"
 	"github.com/stackrox/acs-fleet-manager/fleetshard/pkg/central/cloudprovider"
@@ -327,7 +324,7 @@ func (r *RDS) waitForInstanceToBeAvailable(ctx context.Context, instanceID strin
 
 // NewRDSClient initializes a new awsclient.RDS
 func NewRDSClient(config *config.Config) (*RDS, error) {
-	rdsClient, err := newRdsClient(config.AWS)
+	rdsClient, err := newRdsClient()
 	if err != nil {
 		return nil, fmt.Errorf("unable to create RDS client: %w", err)
 	}
@@ -432,22 +429,8 @@ func newDeleteCentralDBClusterInput(clusterID string, skipFinalSnapshot bool) *r
 	return input
 }
 
-func newRdsClient(awsConfig config.AWS) (*rds.RDS, error) {
-	cfg := &aws.Config{
-		Region: aws.String(awsConfig.Region),
-	}
-	sess, err := session.NewSession(cfg)
-	if err != nil {
-		return nil, fmt.Errorf("unable to create session for STS client: %w", err)
-	}
-	stsClient := sts.New(sess)
-
-	roleProvider := stscreds.NewWebIdentityRoleProviderWithOptions(stsClient, awsConfig.RoleARN, "rds",
-		stscreds.FetchTokenPath(awsConfig.TokenFile))
-
-	cfg.Credentials = awscredentials.NewCredentials(roleProvider)
-
-	sess, err = session.NewSession(cfg)
+func newRdsClient() (*rds.RDS, error) {
+	sess, err := session.NewSession()
 	if err != nil {
 		return nil, fmt.Errorf("unable to create session for RDS client: %w", err)
 	}

fleetshard/pkg/central/reconciler/reconciler_test.go

@@ -190,14 +190,16 @@ func TestReconcileCreateWithLabelOperatorVersion(t *testing.T) {
 }
 
 func TestReconcileCreateWithManagedDBNoCredentials(t *testing.T) {
+	t.Setenv("AWS_ACCESS_KEY", "")
+	t.Setenv("AWS_SECRET_ACCESS_KEY", "")
+	t.Setenv("AWS_REGION", "us-east-1")
+	t.Setenv("AWS_ROLE_ARN", "arn:aws:iam::012456789:role/fake_role")
+	t.Setenv("AWS_WEB_IDENTITY_TOKEN_FILE", "/var/run/secrets/tokens/aws-token")
+
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
 
 	managedDBProvisioningClient, err := awsclient.NewRDSClient(
 		&config.Config{
-			AWS: config.AWS{
-				Region:  "us-east-1",
-				RoleARN: "arn:aws:iam::012456789:role/fake_role",
-			},
 			ManagedDB: config.ManagedDB{
 				SecurityGroup: "security-group",
 				SubnetGroup:   "db-group",