Merge pull request #23 from Keyfactor/release-2.1

Release 2.1.0 merge to main

Author: fiddlermikey

CHANGELOG.md

@@ -1,3 +1,7 @@
+2.1.0
+* Allow EC2 default credentials to also run the Assume Role command
+* Add sts:ExtenalId parameter option to Assume Role calls (not applicable when using OAuth)
+
 2.0.2
 * Return parity to original AWS store type organization - differentiating based on AWS Account ID
 

README.md

@@ -114,9 +114,6 @@ AWS Certificate Manager is a service that lets you easily provision, manage, and
 - Inventory Root Certificates
 - Inventory Certificates with Public and Private Keys
 
-### Assumptions:
-- In order for the Certificates and Keys to renew or reenroll correctly, they need to derive of the <alias> which is passed into the any agent.  The <alias> drives the files and object creation and is essentially how we are able to relate them to each other.
-
 ### Not Implemented/Supported
 - Reenrollment, Management, Discovery
 
@@ -131,7 +128,7 @@ Options for authenticating:
 2. IAM User Auth configuration (refer to `AwsCerManA` below)
 3. EC2 Role Auth or other default method supported by the [AWS SDK](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html)
 
-As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__. Additionally, the EC2 credentials do not use the AWS Account ID specified in the certificate store and only use the single account/role indicated by the EC2 settings.
+As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__. When the option to assume an EC2 role is selected, the Account ID and Role will be assumed using the default credentials supplied in the EC2 instance via the AWS SDK.
 1. Assign or note the existing IAM Role assigned to the EC2 instance running
 2. Make sure that role has access to ACM
 3. When configuring the `AWS-ACM` store, do not select either IAM or OAuth methods in the store's settings. This will make it use the AWS SDK to lookup EC2 credentials.
@@ -173,13 +170,16 @@ target server containing the certificate store to be managed
 
 Name|Display Name|Type|Default Value|Depends On|Required|Description
 ---|---|---|---|---|---|---
+UseEC2AssumeRole | Assume new Account / Role in EC2 | boolean | False | N/A | Yes | A switch to enable the store to assume a new Account ID and Role when using EC2 credentials
 UseOAuth | Use OAuth 2.0 Provider | boolean | False | N/A | Yes | A switch to enable the store to use an OAuth provider workflow to authenticate with AWS ACM
 UseIAM | Use IAM User Auth | boolean | False | N/A | Yes | A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS ACM
+EC2AssumeRole | AWS Role to Assume (EC2) | string | N/A | UseEC2AssumeRole | The AWS Role to assume using the EC2 instance credentials
 OAuthScope | OAuth Scope | string | N/A | Use OAuth 2.0 Provider | No | This is the OAuth Scope needed for Okta OAuth, defined in Okta
 OAuthGrantType | OAuth Grant Type | string | client_credentials | Use OAuth 2.0 Provider | No | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token. In Okta this is `client_credentials`
 OAuthUrl | OAuth URL | string | https://***/oauth2/default/v1/token | Use OAuth 2.0 Provider | No | The URL to request a token from your OAuth Provider. Fill this out with the correct URL.
 OAuthAssumeRole | AWS Role to Assume (OAuth) | string | N/A | Use OAuth 2.0 Provider | No | The AWS Role to assume after getting an OAuth token.
 IAMAssumeRole | AWS Role to Assume (IAM) | string | N/A | Use IAM User Auth | No | The AWS Role to assume as the IAM User.
+ExternalId | sts:ExternalId | string | N/A | N/A | No | An optional parameter sts:ExternalId to pass with Assume Role calls
 
 
 **Entry Parameters:**
@@ -204,13 +204,16 @@ Cert Store Settings
 | User Name | See Below | See Below |
 | Password | See Below | See Below |
 | Store Path | us-east-1,us-east-2,...,etc. | The AWS Region, or a comma-separated list of multiple regions, the store will operate in. |
+| Assume new Account / Role in EC2 | Use the EC2 credentials to make an Assume Role request to change Role and Account ID in use | Set to true to use EC2 credentials and assume a different role than the default EC2 role. |
 | Use OAuth 2.0 Provider | Use an OAuth provider to authenticate with AWS | Set to true to enable OAuth usage and display additional OAuth fields |
 | Use IAM User Auth | Use an IAM user's credentials to assume a role | Set to true to enable IAM user auth and the IAM Account ID field. |
+| AWS Role to Assume (EC2) | AWS Role | Displayed and required when using Assume new Account / Role in EC2. This Role is assumed using the EC2 default credentials. |
 | OAuth Scope | Look in OAuth provider for Scope | Displayed and required when using OAuth 2.0 Provider. OAuth scope setup in the Okta Application or other OAuth provider |
 | OAuth Grant Type | client_credentials | Displayed and required when using OAuth 2.0 Provider. This may vary depending on Okta setup but will most likely be this value. |
 | OAuth URL | https://***/oauth2/default/v1/token | Displayed and required when using OAuth 2.0 Provider. URL to request token from OAuth provider. Example given is for an Okta token. |
 | AWS Role to Assume (OAuth) | AWS Role | Displayed and required when using OAuth 2.0 Provider. This Role is assumed after getting an OAuth token. |
 | AWS Role to Assume (IAM) | AWS Role | Displayed and required when using IAM User Auth. This Role is assumed with the IAM credentials. |
+| sts:ExternalId | Configured AWS External ID | An optional field to enter an External ID value set in AWS, which may be required to make Assume Role calls. |
 
 The User Name and Password fields are used differently based on the auth method you intend to use. The three options for auth are IAM User, OAuth, or default auth.
 
@@ -220,8 +223,8 @@ The User Name and Password fields are used differently based on the auth method
 | IAM User | Password | Set to the IAM User's AWS `Access Secret` |
 | OAuth 2.0 | User Name | Set to the OAuth `Client ID` |
 | OAuth 2.0 | Password | Set to the OAuth `Client Secret` |
-| Default (SDK) | User Name | No Value |
-| Default (SDK) | Password | No Value |
+| Default EC2 (SDK) | User Name | No Value |
+| Default EC2 (SDK) | Password | No Value |
 
 </details>
 </details>

aws-orchestrator-core/AuthUtilities.cs

@@ -30,8 +30,8 @@
 
 namespace Keyfactor.AnyAgent.AwsCertificateManager
 {
-	public class AuthUtilities
-	{
+    public class AuthUtilities
+    {
         private readonly ILogger _logger;
         private readonly IPAMSecretResolver _pam;
 
@@ -41,8 +41,8 @@ public AuthUtilities(IPAMSecretResolver pam, ILogger logger)
             _logger = logger;
         }
 
-		public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration jobConfiguration, CertificateStore certStore)
-		{
+        public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration jobConfiguration, CertificateStore certStore)
+        {
             _logger.MethodEntry();
             _logger.LogDebug("Selecting credential method.");
 
@@ -60,7 +60,7 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
                 _logger.LogDebug($"Using AWS Account ID - {awsAccountId} - from the ClientMachine field");
 
                 _logger.LogTrace("Attempting to authenticate with AWS using IAM access credentials.");
-                return AwsAuthenticate(accessKey, accessSecret, awsAccountId, awsRole);
+                return AwsAuthenticate(accessKey, accessSecret, awsAccountId, awsRole, customFields.ExternalId);
             }
             else if (customFields.UseOAuth)
             {
@@ -88,6 +88,21 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
                 _logger.LogTrace("Attempting to authenticate with AWS using OAuth response.");
                 return AwsAuthenticateWithWebIdentity(authResponse, awsAccountId, awsRole);
             }
+            else if (customFields.UseEC2AssumeRole)
+            {
+                // use SDK credential resolution, but run Assume Role
+                _logger.LogInformation("Using default AWS SDK credential resolution with Assume Role for creating AWS Credentials.");
+                string accessKey = null;
+                string accessSecret = null;
+
+                string awsRole = customFields.EC2AssumeRole;
+                _logger.LogDebug($"Assuming AWS Role - {awsRole}");
+
+                _logger.LogDebug($"Using AWS Account ID - {awsAccountId} - from the ClientMachine field");
+
+                _logger.LogTrace("Attempting to assume new Role with AWS using default AWS SDK credential.");
+                return AwsAuthenticate(accessKey, accessSecret, awsAccountId, awsRole, customFields.ExternalId);
+            }
             else // use default SDK credential resolution
             {
                 _logger.LogInformation("Using default AWS SDK credential resolution for creating AWS Credentials.");
@@ -96,23 +111,23 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
             }
         }
 
-		public Credentials AwsAuthenticateWithWebIdentity(OAuthResponse authResponse, string awsAccount, string awsRole)
-		{
+        public Credentials AwsAuthenticateWithWebIdentity(OAuthResponse authResponse, string awsAccount, string awsRole)
+        {
             _logger.MethodEntry();
-			Credentials credentials = null;
-			try
-			{
-				var account = awsAccount;
+            Credentials credentials = null;
+            try
+            {
+                var account = awsAccount;
                 _logger.LogTrace($"Using AWS Account - {account}");
-				var stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());
+                var stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());
                 _logger.LogTrace("Created AWS STS client with anonymous credentials.");
-				var assumeRequest = new AssumeRoleWithWebIdentityRequest
-				{
-					WebIdentityToken = authResponse?.AccessToken,
-					RoleArn = $"arn:aws:iam::{account}:role/{awsRole}",
-					RoleSessionName = "KeyfactorSession",
-					DurationSeconds = Convert.ToInt32(authResponse?.ExpiresIn)
-				};
+                var assumeRequest = new AssumeRoleWithWebIdentityRequest
+                {
+                    WebIdentityToken = authResponse?.AccessToken,
+                    RoleArn = $"arn:aws:iam::{account}:role/{awsRole}",
+                    RoleSessionName = "KeyfactorSession",
+                    DurationSeconds = Convert.ToInt32(authResponse?.ExpiresIn)
+                };
                 var logAssumeRequest = new
                 {
                     WebIdentityToken = "**redacted**",
@@ -123,58 +138,85 @@ public Credentials AwsAuthenticateWithWebIdentity(OAuthResponse authResponse, st
                 _logger.LogDebug($"Prepared Assume Role With Web Identity request with fields: {logAssumeRequest}");
 
                 _logger.LogTrace("Submitting Assume Role With Web Identity request.");
-				var assumeResult = AsyncHelpers.RunSync(() => stsClient.AssumeRoleWithWebIdentityAsync(assumeRequest));
+                var assumeResult = AsyncHelpers.RunSync(() => stsClient.AssumeRoleWithWebIdentityAsync(assumeRequest));
                 _logger.LogTrace("Received response to Assume Role With Web Identity request.");
-				credentials = assumeResult.Credentials;
-			}
-			catch (Exception e)
-			{
+                credentials = assumeResult.Credentials;
+            }
+            catch (Exception e)
+            {
                 _logger.LogError($"Error Occurred in AwsAuthenticateWithWebIdentity: {e.Message}");
 
                 throw;
-			}
+            }
 
-			return credentials;
-		}
+            return credentials;
+        }
 
-		public Credentials AwsAuthenticate(string accessKey, string accessSecret, string awsAccount, string awsRole)
-		{
+        public Credentials AwsAuthenticate(string accessKey, string accessSecret, string awsAccount, string awsRole, string externalId = null)
+        {
             _logger.MethodEntry();
-			Credentials credentials = null;
-			try
-			{
-				var account = awsAccount;
+            Credentials credentials = null;
+            try
+            {
+                var account = awsAccount;
                 _logger.LogTrace($"Using AWS Account - {account}");
-                var stsClient = new AmazonSecurityTokenServiceClient(accessKey, accessSecret);
-                _logger.LogTrace("Created AWS STS client with IAM user credentials.");
-				var assumeRequest = new AssumeRoleRequest
-				{
-					RoleArn = $"arn:aws:iam::{account}:role/{awsRole}",
-					RoleSessionName = "KeyfactorSession"
-				};
 
-                var logAssumeRequest = new
+                AmazonSecurityTokenServiceClient stsClient;
+                if (accessKey != null && accessSecret != null)
                 {
-                    assumeRequest.RoleArn,
-                    assumeRequest.RoleSessionName
+                    stsClient = new AmazonSecurityTokenServiceClient(accessKey, accessSecret);
+                    _logger.LogTrace("Created AWS STS client with IAM user credentials.");
+                }
+                else
+                {
+                    stsClient = new AmazonSecurityTokenServiceClient();
+                    _logger.LogTrace("Created AWS STS client with default credential resolution.");
+                }
+
+                var assumeRequest = new AssumeRoleRequest
+                {
+                    RoleArn = $"arn:aws:iam::{account}:role/{awsRole}",
+                    RoleSessionName = "KeyfactorSession",
                 };
-                _logger.LogDebug($"Prepared Assume Role request with fields: {logAssumeRequest}");
 
+                if (string.IsNullOrWhiteSpace(externalId))
+                {
+                    // no sts:ExternalId
+                    var logAssumeRequest = new
+                    {
+                        assumeRequest.RoleArn,
+                        assumeRequest.RoleSessionName
+                    };
+                    _logger.LogDebug($"Prepared Assume Role request with fields: {logAssumeRequest}");
+                }
+                else
+                {
+                    // include sts:ExternalId with assume role request
+                    assumeRequest.ExternalId = externalId;
+                    var logAssumeRequestWithExternalId = new
+                    {
+                        assumeRequest.RoleArn,
+                        assumeRequest.RoleSessionName,
+                        assumeRequest.ExternalId
+                    };
+                    _logger.LogDebug($"Prepared Assume Role request with fields: {logAssumeRequestWithExternalId}");
+
+                }
                 _logger.LogTrace("Submitting Assume Role request.");
                 var assumeResult = AsyncHelpers.RunSync(() => stsClient.AssumeRoleAsync(assumeRequest));
                 _logger.LogTrace("Received response to Assume Role request.");
-				credentials = assumeResult.Credentials;
-			}
-			catch (Exception e)
-			{
+                credentials = assumeResult.Credentials;
+            }
+            catch (Exception e)
+            {
                 _logger.LogError($"Error Occurred in AwsAuthenticate: {e.Message}");
-				throw;
-			}
+                throw;
+            }
 
-			return credentials;
-		}
+            return credentials;
+        }
 
-		public OAuthResponse OAuthAuthenticate(OAuthParameters parameters)
+        public OAuthResponse OAuthAuthenticate(OAuthParameters parameters)
         {
             try
             {
@@ -242,5 +284,5 @@ public string ResolvePamField(string field, string fieldName)
                 return field;
             }
         }
-	}
+    }
 }

aws-orchestrator-core/CustomFields.cs

@@ -49,6 +49,10 @@ public class IAMCustomFields : CustomFields
 
 	public class ACMCustomFields
 	{
+		[JsonProperty("UseEC2AssumeRole")]
+		[DefaultValue(false)]
+		public bool UseEC2AssumeRole { get; set; }
+
 		[JsonProperty("UseOAuth")]
 		[DefaultValue(false)]
 		public bool UseOAuth { get; set; }
@@ -57,6 +61,9 @@ public class ACMCustomFields
 		[DefaultValue(false)]
 		public bool UseIAM { get; set; }
 
+		[JsonProperty("EC2AssumeRole")]
+		public string EC2AssumeRole { get; set; }
+
 		[JsonProperty("OAuthAssumeRole")]
 		public string OAuthAssumeRole { get; set; }
 
@@ -71,5 +78,8 @@ public class ACMCustomFields
 
 		[JsonProperty("IAMAssumeRole")]
 		public string IAMAssumeRole { get; set; }
+
+		[JsonProperty("ExternalId")]
+		public string ExternalId { get; set; }
 	}
 }

integration-manifest.json

@@ -45,6 +45,14 @@
             "Remove": true
           },
           "Properties": [
+            {
+              "Name": "UseEC2AssumeRole",
+              "DisplayName": "Assume new Account / Role in EC2",
+              "Type": "Bool",
+              "DependsOn": null,
+              "DefaultValue": "false",
+              "Required": true
+            },
             {
               "Name": "UseOAuth",
               "DisplayName": "Use OAuth 2.0 Provider",
@@ -61,6 +69,14 @@
               "DefaultValue": "false",
               "Required": true
             },
+            {
+              "Name": "EC2AssumeRole",
+              "DisplayName": "AWS Role to Assume (EC2)",
+              "Type": "String",
+              "DependsOn": "UseEC2AssumeRole",
+              "DefaultValue": null,
+              "Required": false
+            },
             {
               "Name": "OAuthScope",
               "DisplayName": "OAuth Scope",
@@ -101,6 +117,14 @@
               "DefaultValue": null,
               "Required": false
             },
+            {
+              "Name": "ExternalId",
+              "DisplayName": "sts:ExternalId",
+              "Type": "String",
+              "DependsOn": null,
+              "DefaultValue": null,
+              "Required": false
+            },
             {
               "Name": "ServerUsername",
               "DisplayName": "Server Username",