Add support for AssumeRoleWithWebIdentity

[mwieczorek]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #149 <!--- Pull Requests should have an associated issue or may be closed --->

This PR adds an option to pass webIdentityToken to Config and use it for getting credentials. No other 'source credentials' are required.

[hashicorp-cla]

All committers have signed the CLA.

[mwieczorek]

I reused config.AssumeRole 'block' here, although not every option is valid for 'assumeRoleWithWebIdentity'.
@gdavison - let me know if it's ok, or if you prefer to have something like config.WebIdentityAssumeRole

In hashicorp/terraform-provider-aws#22907 (comment) you accepted combining both at the provider level, but I don't know how it should be done here.

[gdavison]

I'm reconsidering that statement 🙂 Since the two operations support different options, it would probably be better to explicitly choose one or the other, both here and in the provider.

[mwieczorek]

ok, I changed the Config and created a separate struct for AssumeRoleWithWebIdentity

[mwieczorek]

I need it for https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials@v1.10.0/stscreds#NewWebIdentityRoleProvider / https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials@v1.10.0/stscreds#IdentityTokenRetriever

Let me know if you prefer to have 'implementation' of that interface separately from Config type

[gdavison]

Since it only references fields from c.AssumeRoleWithWebIdentity, it would probably be good to move it there

[mwieczorek]

Let me know if you'd like to additionally validate/error when AssumeRole is nil when WebIdentityToken is passed.

[mwieczorek]

I also tested it against a real AWS account/provider/role setup with simple code like

        ctx := context.Background()
	c := awsbase.Config{
		Region:           "us-east-1",
		WebIdentityToken: "<my id token>",
		AssumeRole: &config.AssumeRole{
			RoleARN: "arn:aws:iam::123456789012:role/role-name",
		},
	}
	cfg, err := awsbase.GetAwsConfig(ctx, &c)

[djcrabhat]

Oh I hit up against this exact problem today. Was gonna make in gitlab CI project to deploy something across a dozen accounts in my org via aliased providers, found I can't share one identity token file via CLI and get each provider to assume a unique role. Guess I'm in the cutting edge of terraform a CD! Thanks so much for implementing this.

[gdavison]

Thanks for creating this, @mwieczorek. It's looking good. I have a few comments so far.

[gdavison]

I'm reconsidering that statement 🙂 Since the two operations support different options, it would probably be better to explicitly choose one or the other, both here and in the provider.

[gdavison]

I've created #227 that adds tests for configuring this using environment variables or the shared config files. Those tests can be updated with support for the configuration block in addition to this test

[gdavison]

The PR #227 has been merged, so if you rebase this branch or merge main into this branch, you can pick up those tests

[gdavison]

FYI stscreds.WebIdentityRoleProvider doesn't currently support the Policy field from sts.AssumeRoleWithWebIdentityInput. I've created aws/aws-sdk-go-v2#1662 and may create a PR in the SDK

[mwieczorek]

Hi @gdavison , thank you for the review. I updated the PR, please take a look.

[gdavison]

It's looking good

[gdavison]

Since it only references fields from c.AssumeRoleWithWebIdentity, it would probably be good to move it there

[gdavison]

For the other credentials providers, we return the name of the credentials source. In this case, it would be stscreds.WebIdentityProviderName (i.e. WebIdentityCredentials)

[gdavison]

The PR #227 has been merged, so if you rebase this branch or merge main into this branch, you can pick up those tests

[mwieczorek]

hi @gdavison
I moved GetIdentityToken as you suggested, and changed credentialsProvider name returned from getCredentialsProvider

I also rebased this PR, and updated test cases in TestAssumeRoleWithWebIdentity. I changed the input struct (removed SetConfig, added SetConfigTokenFile - this allows me to have separate test cases when we pass to config token directly or when we pass path to file with token). Let me know what you think.

[gdavison]

This is great, @mwieczorek. Since AWS has added Duration and Policy to stscreds.WebIdentityRoleOptions (aws/aws-sdk-go-v2#1670), I've added them to AssumeRoleWithWebIdentity. I've also added the ability to assume another role after using the web identity

[mwieczorek]

thanks @gdavison for all your help :)