Merge pull request #21 from Keyfactor/release-2.0

Release 2.0.2

Author: doebrowsk

CHANGELOG.md

@@ -1,3 +1,6 @@
+2.0.2
+* Return parity to original AWS store type organization - differentiating based on AWS Account ID
+
 2.0.1
 * Remove logging of sensitive data
 * Update Private Key to required for certificates in this store in docs and store definition

README.md

@@ -131,7 +131,7 @@ Options for authenticating:
 2. IAM User Auth configuration (refer to `AwsCerManA` below)
 3. EC2 Role Auth or other default method supported by the [AWS SDK](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html)
 
-As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__.
+As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__. Additionally, the EC2 credentials do not use the AWS Account ID specified in the certificate store and only use the single account/role indicated by the EC2 settings.
 1. Assign or note the existing IAM Role assigned to the EC2 instance running
 2. Make sure that role has access to ACM
 3. When configuring the `AWS-ACM` store, do not select either IAM or OAuth methods in the store's settings. This will make it use the AWS SDK to lookup EC2 credentials.
@@ -178,8 +178,8 @@ UseIAM | Use IAM User Auth | boolean | False | N/A | Yes | A switch to enable th
 OAuthScope | OAuth Scope | string | N/A | Use OAuth 2.0 Provider | No | This is the OAuth Scope needed for Okta OAuth, defined in Okta
 OAuthGrantType | OAuth Grant Type | string | client_credentials | Use OAuth 2.0 Provider | No | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token. In Okta this is `client_credentials`
 OAuthUrl | OAuth URL | string | https://***/oauth2/default/v1/token | Use OAuth 2.0 Provider | No | The URL to request a token from your OAuth Provider. Fill this out with the correct URL.
-OAuthAccountId | OAuth AWS Account Id | string | N/A | Use OAuth 2.0 Provider | No | The AWS account ID to use after getting an OAuth token to assume the associated Role.
-IamAccountId | IAM AWS Account ID | string | N/A | Use IAM User Auth | No | The AWS account ID to use when assuming a role as the IAM User.
+OAuthAssumeRole | AWS Role to Assume (OAuth) | string | N/A | Use OAuth 2.0 Provider | No | The AWS Role to assume after getting an OAuth token.
+IAMAssumeRole | AWS Role to Assume (IAM) | string | N/A | Use IAM User Auth | No | The AWS Role to assume as the IAM User.
 
 
 **Entry Parameters:**
@@ -200,7 +200,7 @@ Cert Store Settings
 ===============
 | Name | Value | Description |
 | ----------- | ----------- | ----------- |
-| Client Machine | AWS Role | This is the AWS Role that will be used for access. This role will be assumed and its permissions will apply to all actions taken by the orchestrator. |
+| Client Machine | AWS Account ID | This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. Note: this does not have any effect on EC2 inferred credentials, which are limited to a specific role/account. |
 | User Name | See Below | See Below |
 | Password | See Below | See Below |
 | Store Path | us-east-1,us-east-2,...,etc. | The AWS Region, or a comma-separated list of multiple regions, the store will operate in. |
@@ -209,8 +209,8 @@ Cert Store Settings
 | OAuth Scope | Look in OAuth provider for Scope | Displayed and required when using OAuth 2.0 Provider. OAuth scope setup in the Okta Application or other OAuth provider |
 | OAuth Grant Type | client_credentials | Displayed and required when using OAuth 2.0 Provider. This may vary depending on Okta setup but will most likely be this value. |
 | OAuth URL | https://***/oauth2/default/v1/token | Displayed and required when using OAuth 2.0 Provider. URL to request token from OAuth provider. Example given is for an Okta token. |
-| OAuth AWS Account Id | AWS account ID number | Displayed and required when using OAuth 2.0 Provider. This account ID is used in conjunction with the OAuth token to assume a role (set in the Client Machine parameter) |
-| IAM AWS Account Id | AWS account ID number | Displayed and required when using IAM User Auth. This account ID is used to assume a role (set in the Client Machine parameter) |
+| AWS Role to Assume (OAuth) | AWS Role | Displayed and required when using OAuth 2.0 Provider. This Role is assumed after getting an OAuth token. |
+| AWS Role to Assume (IAM) | AWS Role | Displayed and required when using IAM User Auth. This Role is assumed with the IAM credentials. |
 
 The User Name and Password fields are used differently based on the auth method you intend to use. The three options for auth are IAM User, OAuth, or default auth.
 

aws-orchestrator-core/AuthUtilities.cs

@@ -45,20 +45,26 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
 		{
             _logger.MethodEntry();
             _logger.LogDebug("Selecting credential method.");
-			string awsRole = certStore.ClientMachine;
-            _logger.LogDebug($"Using AWS Role - {awsRole} - from the ClientMachine field");
+
+            string awsAccountId = certStore.ClientMachine;
+
             if (customFields.UseIAM)
             {
                 _logger.LogInformation("Using IAM User authentication method for creating AWS Credentials.");
                 var accessKey = ResolvePamField(jobConfiguration.ServerUsername, "ServerUsername (IAM AccessKey)");
                 var accessSecret = ResolvePamField(jobConfiguration.ServerPassword, "ServerPassword (IAM AccessSecret)");
 
+                string awsRole = customFields.IAMAssumeRole;
+                _logger.LogDebug($"Assuming AWS Role - {awsRole}");
+
+                _logger.LogDebug($"Using AWS Account ID - {awsAccountId} - from the ClientMachine field");
+
                 _logger.LogTrace("Attempting to authenticate with AWS using IAM access credentials.");
-                return AwsAuthenticate(accessKey, accessSecret, customFields.IamAccountId, awsRole);
+                return AwsAuthenticate(accessKey, accessSecret, awsAccountId, awsRole);
             }
             else if (customFields.UseOAuth)
             {
-                _logger.LogInformation("Using OAuth authenticaiton method for creating AWS Credentials.");
+                _logger.LogInformation("Using OAuth authentication method for creating AWS Credentials.");
                 var clientId = ResolvePamField(jobConfiguration.ServerUsername, "ServerUsername (OAuth Client ID)");
                 var clientSecret = ResolvePamField(jobConfiguration.ServerPassword, "ServerPassword (OAuth Client Secret)");
                 OAuthParameters oauthParams = new OAuthParameters()
@@ -74,12 +80,18 @@ public Credentials GetCredentials(ACMCustomFields customFields, JobConfiguration
                 OAuthResponse authResponse = OAuthAuthenticate(oauthParams);
                 _logger.LogTrace("Received OAuth response.");
 
+                string awsRole = customFields.OAuthAssumeRole;
+                _logger.LogDebug($"Assuming AWS Role - {awsRole}");
+
+                _logger.LogDebug($"Using AWS Account ID - {awsAccountId} - from the ClientMachine field");
+
                 _logger.LogTrace("Attempting to authenticate with AWS using OAuth response.");
-                return AwsAuthenticateWithWebIdentity(authResponse, customFields.OAuthAccountId, awsRole);
+                return AwsAuthenticateWithWebIdentity(authResponse, awsAccountId, awsRole);
             }
             else // use default SDK credential resolution
             {
                 _logger.LogInformation("Using default AWS SDK credential resolution for creating AWS Credentials.");
+                _logger.LogDebug($"Default Role and Account ID will be used. Specified AWS Account ID - {awsAccountId} - will not be used.");
                 return null;
             }
         }

aws-orchestrator-core/CustomFields.cs

@@ -57,8 +57,8 @@ public class ACMCustomFields
 		[DefaultValue(false)]
 		public bool UseIAM { get; set; }
 
-		[JsonProperty("OAuthAccountId")]
-		public string OAuthAccountId { get; set; }
+		[JsonProperty("OAuthAssumeRole")]
+		public string OAuthAssumeRole { get; set; }
 
 		[JsonProperty("OAuthScope")]
 		public string OAuthScope { get; set; }
@@ -69,7 +69,7 @@ public class ACMCustomFields
 		[JsonProperty("OAuthUrl")]
 		public string OAuthUrl { get; set; }
 
-		[JsonProperty("IamAccountId")]
-		public string IamAccountId { get; set; }
+		[JsonProperty("IAMAssumeRole")]
+		public string IAMAssumeRole { get; set; }
 	}
 }

integration-manifest.json

@@ -86,16 +86,16 @@
               "Required": false
             },
             {
-              "Name": "IamAccountId",
-              "DisplayName": "IAM AWS Account ID",
+              "Name": "IAMAssumeRole",
+              "DisplayName": "AWS Role to Assume (IAM)",
               "Type": "String",
               "DependsOn": "UseIAM",
               "DefaultValue": null,
               "Required": false
             },
             {
-              "Name": "OAuthAccountId",
-              "DisplayName": "OAuth AWS Account ID",
+              "Name": "OAuthAssumeRole",
+              "DisplayName": "AWS Role to Assume (OAuth)",
               "Type": "String",
               "DependsOn": "UseOAuth",
               "DefaultValue": null,

readme_source.md

@@ -32,7 +32,7 @@ Options for authenticating:
 2. IAM User Auth configuration (refer to `AwsCerManA` below)
 3. EC2 Role Auth or other default method supported by the [AWS SDK](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html)
 
-As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__.
+As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__. Additionally, the EC2 credentials do not use the AWS Account ID specified in the certificate store and only use the single account/role indicated by the EC2 settings.
 1. Assign or note the existing IAM Role assigned to the EC2 instance running
 2. Make sure that role has access to ACM
 3. When configuring the `AWS-ACM` store, do not select either IAM or OAuth methods in the store's settings. This will make it use the AWS SDK to lookup EC2 credentials.
@@ -79,8 +79,8 @@ UseIAM | Use IAM User Auth | boolean | False | N/A | Yes | A switch to enable th
 OAuthScope | OAuth Scope | string | N/A | Use OAuth 2.0 Provider | No | This is the OAuth Scope needed for Okta OAuth, defined in Okta
 OAuthGrantType | OAuth Grant Type | string | client_credentials | Use OAuth 2.0 Provider | No | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token. In Okta this is `client_credentials`
 OAuthUrl | OAuth URL | string | https://***/oauth2/default/v1/token | Use OAuth 2.0 Provider | No | The URL to request a token from your OAuth Provider. Fill this out with the correct URL.
-OAuthAccountId | OAuth AWS Account Id | string | N/A | Use OAuth 2.0 Provider | No | The AWS account ID to use after getting an OAuth token to assume the associated Role.
-IamAccountId | IAM AWS Account ID | string | N/A | Use IAM User Auth | No | The AWS account ID to use when assuming a role as the IAM User.
+OAuthAssumeRole | AWS Role to Assume (OAuth) | string | N/A | Use OAuth 2.0 Provider | No | The AWS Role to assume after getting an OAuth token.
+IAMAssumeRole | AWS Role to Assume (IAM) | string | N/A | Use IAM User Auth | No | The AWS Role to assume as the IAM User.
 
 
 **Entry Parameters:**
@@ -101,7 +101,7 @@ Cert Store Settings
 ===============
 | Name | Value | Description |
 | ----------- | ----------- | ----------- |
-| Client Machine | AWS Role | This is the AWS Role that will be used for access. This role will be assumed and its permissions will apply to all actions taken by the orchestrator. |
+| Client Machine | AWS Account ID | This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. Note: this does not have any effect on EC2 inferred credentials, which are limited to a specific role/account. |
 | User Name | See Below | See Below |
 | Password | See Below | See Below |
 | Store Path | us-east-1,us-east-2,...,etc. | The AWS Region, or a comma-separated list of multiple regions, the store will operate in. |
@@ -110,8 +110,8 @@ Cert Store Settings
 | OAuth Scope | Look in OAuth provider for Scope | Displayed and required when using OAuth 2.0 Provider. OAuth scope setup in the Okta Application or other OAuth provider |
 | OAuth Grant Type | client_credentials | Displayed and required when using OAuth 2.0 Provider. This may vary depending on Okta setup but will most likely be this value. |
 | OAuth URL | https://***/oauth2/default/v1/token | Displayed and required when using OAuth 2.0 Provider. URL to request token from OAuth provider. Example given is for an Okta token. |
-| OAuth AWS Account Id | AWS account ID number | Displayed and required when using OAuth 2.0 Provider. This account ID is used in conjunction with the OAuth token to assume a role (set in the Client Machine parameter) |
-| IAM AWS Account Id | AWS account ID number | Displayed and required when using IAM User Auth. This account ID is used to assume a role (set in the Client Machine parameter) |
+| AWS Role to Assume (OAuth) | AWS Role | Displayed and required when using OAuth 2.0 Provider. This Role is assumed after getting an OAuth token. |
+| AWS Role to Assume (IAM) | AWS Role | Displayed and required when using IAM User Auth. This Role is assumed with the IAM credentials. |
 
 The User Name and Password fields are used differently based on the auth method you intend to use. The three options for auth are IAM User, OAuth, or default auth.