feat: add IRSA support (#52)

* feat: implement IRSA support for AWS EKS

* refactor: use io instead of deprecated ioutils

* refactor: Small refactoring, get rid of if else statement

* refactor: set 777 to executable to enable k8s users to use the app with uid different than 100

* refactor: set default IRSA client id to aws-signing-proxy

* refactor: extract logic for client creation logic to separate methods

* docs: Adapt Readme for IRSA

Author: theurichde

Dockerfile

@@ -1,14 +1,14 @@
-FROM golang:alpine3.16 AS builder
+FROM docker.io/golang:alpine3.16 AS builder
 COPY . /build
 WORKDIR /build/cmd/aws-signing-proxy
 RUN GOOS=linux go build
 
-FROM alpine:3.16
+FROM docker.io/alpine:3.16
 RUN apk --no-cache add ca-certificates
 WORKDIR /app
 COPY --from=builder /build/cmd/aws-signing-proxy/aws-signing-proxy .
 
-RUN addgroup -S proxy && adduser -S proxy -G proxy && chown -R proxy:proxy /app && chmod 750 /app
+RUN addgroup -S proxy && adduser -S proxy -G proxy && chown -R proxy:proxy /app && chmod 777 /app
 
 USER proxy
 ENTRYPOINT ["/app/aws-signing-proxy"]

README.md

@@ -14,11 +14,16 @@ Supported AWS credentials:
 * Fetching short-lived credentials from AWS via a OAuth2 authorization server
   and [OpenID Connect (OIDC)](https://openid.net/connect/)
   * Additionally, you can fetch these credentials asynchronously
+* Fetching short-lived credentials via AWS [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) (IAM Roles for Service Accounts)
 
 For ready-to-use binaries have a look at [Releases](https://github.com/idealo/aws-signing-proxy/releases).
 
 Additionally, we provide a [Docker image](https://hub.docker.com/r/idealo/aws-signing-proxy) which can be used as a sidecar in Kubernetes.
 
+
+## 🎉 Version 2.1.0 Update 🎉
+* Support for AWS [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
+
 ## 🎉 Version 2.0.0 Update 🎉
 
 * Version 2.0.0 comes 
@@ -78,6 +83,19 @@ ASP_OPEN_ID_CLIENT_SECRET=someverysecurepassword; \
 aws-signing-proxy
 ```
 
+#### With Credentials via IRSA (IAM Roles for Service Accounts)
+
+Execute the binary with either the required environment variables set or via cli flags:
+
+```
+ASP_CREDENTIALS_PROVIDER=irsa; \
+ASP_TARGET_URL=https://someAWSServiceSupportingSignedHttpRequests; \
+ASP_ROLE_ARN=arn:aws:iam::123456242:role/some-access-role; \
+aws-signing-proxy
+```
+
+Make sure, your AWS_WEB_IDENTITY_TOKEN_FILE environment variable is set!
+
 #### Adjusting the Circuit Breaker Behaviour
 
 If you want to adjust the built-in authorization server circuit breaker, you can set the following environment variables according to your needs. 

cmd/aws-signing-proxy/main.go

@@ -4,14 +4,14 @@ import (
 	"flag"
 	"fmt"
 	"github.com/go-co-op/gocron"
+	"github.com/idealo/aws-signing-proxy/pkg/irsa"
 	. "github.com/idealo/aws-signing-proxy/pkg/logging"
 	"github.com/idealo/aws-signing-proxy/pkg/oidc"
 	"github.com/idealo/aws-signing-proxy/pkg/proxy"
 	"github.com/idealo/aws-signing-proxy/pkg/vault"
 	"github.com/kelseyhightower/envconfig"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"go.uber.org/zap"
-	"log"
 	"net/http"
 	"net/url"
 	"os"
@@ -24,15 +24,16 @@ type EnvConfig struct {
 	MgmtPort                    int    `split_words:"true" default:"8081"`
 	Service                     string `default:"es"`
 	CredentialsProvider         string `split_words:"true"`
-	VaultUrl                    string `split_words:"true"` // 'https://vaulthost'
-	VaultAuthToken              string `split_words:"true"` // auth-token for accessing Vault
+	VaultUrl                    string `split_words:"true"`
+	VaultAuthToken              string `split_words:"true"`
 	VaultCredentialsPath        string `split_words:"true"` // path where aws credentials can be generated/retrieved (e.g: 'aws/creds/my-role')
 	OpenIdAuthServerUrl         string `split_words:"true"`
 	OpenIdClientId              string `split_words:"true"`
 	OpenIdClientSecret          string `split_words:"true"`
 	AsyncOpenIdCredentialsFetch bool   `split_words:"true" default:"false"`
 	RoleArn                     string `split_words:"true"`
 	MetricsPath                 string `split_words:"true" default:"/status/metrics"`
+	IrsaClientId                string `split_words:"true" default:"aws-signing-proxy"`
 }
 
 type Flags struct {
@@ -54,6 +55,7 @@ type Flags struct {
 	IdleConnTimeout             *time.Duration
 	DialTimeout                 *time.Duration
 	MetricsPath                 *string
+	IrsaClientId                *string
 }
 
 func main() {
@@ -71,7 +73,7 @@ func main() {
 
 	// Validate target URL
 	if anyFlagEmpty(*flags.Service, *flags.Target) {
-		log.Fatal("required parameter target (e.g. foo.eu-central-1.es.amazonaws.com) OR service (e.g. es) missing!")
+		Logger.Fatal("required parameter target (e.g. foo.eu-central-1.es.amazonaws.com) OR service (e.g. es) missing!")
 	}
 	targetURL, err := url.Parse(*flags.Target)
 	if err != nil {
@@ -87,24 +89,15 @@ func main() {
 
 	var client proxy.ReadClient
 
-	if *flags.CredentialsProvider == "oidc" {
-		if anyFlagEmpty(*flags.OpenIdClientId, *flags.OpenIdClientSecret, *flags.OpenIdAuthServerUrl, *flags.RoleArn) {
-			log.Fatal("Missing some needed flags for OIDC! Either: openIdClientId, openIdClientSecret, openIdAuthServerUrl or roleArn")
-		} else {
-			client = newOidcClient(&flags, client, e)
-		}
-	} else if *flags.CredentialsProvider == "vault" {
-		if anyFlagEmpty(*flags.VaultUrl, *flags.VaultPath, *flags.VaultAuthToken) {
-			Logger.Warn("Disabling vault credentials source due to missing flags/environment variables.")
-		} else {
-			client = vault.NewVaultClient().
-				WithBaseUrl(*flags.VaultUrl).
-				WithToken(*flags.VaultAuthToken).
-				ReadFrom(*flags.VaultPath)
-			Logger.Info("Using Credentials from Vault.", zap.String("vault-url", e.VaultUrl), zap.String("path", e.VaultCredentialsPath))
-		}
-	} else {
-		Logger.Warn("Using static credentials is unsafe. Please consider using some short-living credentials mechanism like Vault or OIDC.")
+	switch *flags.CredentialsProvider {
+	case "irsa":
+		client = newIrsaClient(flags, client, region)
+	case "oidc":
+		client = newOidcClient(flags, client, e)
+	case "vault":
+		client = newVaultClient(flags, client, e)
+	default:
+		Logger.Warn("Using static credentials is unsafe. Please consider using some short-living credentials mechanism like IRSA, OIDC or Vault.")
 	}
 
 	signingProxy := proxy.NewSigningProxy(proxy.Config{
@@ -116,6 +109,7 @@ func main() {
 		DialTimeout:     *flags.DialTimeout,
 		AuthClient:      client,
 	})
+
 	listenString := fmt.Sprintf(":%v", *flags.Port)
 	mgmtPortString := fmt.Sprintf(":%v", *flags.MgmtPort)
 	Logger.Info("Listening", zap.String("port", listenString))
@@ -128,36 +122,31 @@ func main() {
 
 }
 
-func parseFlags(flags *Flags, e EnvConfig) {
-	flags.Target = flag.String("target", e.TargetUrl, "target url to proxy to (e.g. foo.eu-central-1.es.amazonaws.com)")
-	flags.Port = flag.Int("port", e.Port, "Listening port for proxy (e.g. 8080)")
-	flags.MgmtPort = flag.Int("mgmt-port", e.MgmtPort, "Management port for proxy (e.g. 8081)")
-	flags.MetricsPath = flag.String("metrics-path", e.MetricsPath, "")
-	flags.Service = flag.String("service", e.Service, "AWS Service (e.g. es)")
-
-	flags.CredentialsProvider = flag.String("credentials-provider", e.CredentialsProvider, "Either retrieve credentials via OpenID or Vault. Valid values are: oidc, vault")
-
-	// Vault
-	flags.VaultUrl = flag.String("vault-url", e.VaultUrl, "base url of vault (e.g. 'https://foo.vault.invalid')")
-	flags.VaultPath = flag.String("vault-path", e.VaultCredentialsPath, "path for credentials (e.g. '/some-aws-engine/creds/some-aws-role')")
-	flags.VaultAuthToken = flag.String("vault-token", e.VaultAuthToken, "token for authenticating with vault (NOTE: use the environment variable ASP_VAULT_AUTH_TOKEN instead)")
-
-	// openID Connect
-	flags.OpenIdAuthServerUrl = flag.String("openid-auth-server-url", e.OpenIdAuthServerUrl, "The authorization server url")
-	flags.OpenIdClientId = flag.String("openid-client-id", e.OpenIdClientId, "OAuth client id")
-	flags.OpenIdClientSecret = flag.String("openid-client-secret", e.OpenIdClientSecret, "Oauth client secret")
-	flags.AsyncOpenIdCredentialsFetch = flag.Bool("async-open-id-creds-fetch", e.AsyncOpenIdCredentialsFetch, "Fetch AWS Credentials via OIDC asynchronously")
-	flags.RoleArn = flag.String("role-arn", e.RoleArn, "AWS role ARN to assume to")
-
-	flags.Region = flag.String("region", os.Getenv("AWS_REGION"), "AWS region for credentials (e.g. eu-central-1)")
-	flags.FlushInterval = flag.Duration("flush-interval", 0, "non essential: flush interval to flush to the client while copying the response body.")
-	flags.IdleConnTimeout = flag.Duration("idle-conn-timeout", 90*time.Second, "non essential: the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. zero means no limit.")
-	flags.DialTimeout = flag.Duration("dial-timeout", 30*time.Second, "non essential: the maximum amount of time a dial will wait for a connect to complete.")
+func newVaultClient(flags Flags, client proxy.ReadClient, e EnvConfig) proxy.ReadClient {
+	if anyFlagEmpty(*flags.VaultUrl, *flags.VaultPath, *flags.VaultAuthToken) {
+		Logger.Fatal("Missing some needed flags for using Vault! Either: vaultUrl, vaultPath or vaultAuthToken")
+	}
+	Logger.Info("Using Credentials from Vault.", zap.String("vault-url", e.VaultUrl), zap.String("path", e.VaultCredentialsPath))
+	client = vault.NewVaultClient().
+		WithBaseUrl(*flags.VaultUrl).
+		WithToken(*flags.VaultAuthToken).
+		ReadFrom(*flags.VaultPath)
+	return client
+}
 
-	flag.Parse()
+func newIrsaClient(flags Flags, client proxy.ReadClient, region string) proxy.ReadClient {
+	if anyFlagEmpty(*flags.RoleArn) {
+		zap.S().Fatal("Missing needed role-arn flag for IRSA!")
+	}
+	client = irsa.NewIRSAClient(region, *flags.IrsaClientId, *flags.RoleArn)
+	return client
 }
 
-func newOidcClient(flags *Flags, client proxy.ReadClient, e EnvConfig) proxy.ReadClient {
+func newOidcClient(flags Flags, client proxy.ReadClient, e EnvConfig) proxy.ReadClient {
+	if anyFlagEmpty(*flags.OpenIdClientId, *flags.OpenIdClientSecret, *flags.OpenIdAuthServerUrl, *flags.RoleArn) {
+		zap.S().Fatal("Missing some needed flags for OIDC! Either: openIdClientId, openIdClientSecret, openIdAuthServerUrl or roleArn")
+	}
+
 	var oidcClient oidc.ReadClient
 	oidcClient = *oidc.NewOIDCClient(*flags.Region).
 		WithAuthServerUrl(*flags.OpenIdAuthServerUrl).
@@ -186,6 +175,35 @@ func newOidcClient(flags *Flags, client proxy.ReadClient, e EnvConfig) proxy.Rea
 	return client
 }
 
+func parseFlags(flags *Flags, e EnvConfig) {
+	flags.Target = flag.String("target", e.TargetUrl, "target url to proxy to (e.g. foo.eu-central-1.es.amazonaws.com)")
+	flags.Port = flag.Int("port", e.Port, "Listening port for proxy (e.g. 8080)")
+	flags.MgmtPort = flag.Int("mgmt-port", e.MgmtPort, "Management port for proxy (e.g. 8081)")
+	flags.MetricsPath = flag.String("metrics-path", e.MetricsPath, "")
+	flags.Service = flag.String("service", e.Service, "AWS Service (e.g. es)")
+
+	flags.CredentialsProvider = flag.String("credentials-provider", e.CredentialsProvider, "Either retrieve credentials via IRSA, OpenID Connect or Vault. Valid values are: irsa, oidc, vault. Leave empty if you would like to use static credentials.")
+
+	flags.VaultUrl = flag.String("vault-url", e.VaultUrl, "base url of vault (e.g. 'https://foo.vault.invalid')")
+	flags.VaultPath = flag.String("vault-path", e.VaultCredentialsPath, "path for credentials (e.g. '/some-aws-engine/creds/some-aws-role')")
+	flags.VaultAuthToken = flag.String("vault-token", e.VaultAuthToken, "token for authenticating with vault (NOTE: use the environment variable ASP_VAULT_AUTH_TOKEN instead)")
+
+	flags.OpenIdAuthServerUrl = flag.String("openid-auth-server-url", e.OpenIdAuthServerUrl, "The authorization server url")
+	flags.OpenIdClientId = flag.String("openid-client-id", e.OpenIdClientId, "OAuth client id")
+	flags.OpenIdClientSecret = flag.String("openid-client-secret", e.OpenIdClientSecret, "Oauth client secret")
+	flags.AsyncOpenIdCredentialsFetch = flag.Bool("async-open-id-creds-fetch", e.AsyncOpenIdCredentialsFetch, "Fetch AWS Credentials via OIDC asynchronously")
+	flags.RoleArn = flag.String("role-arn", e.RoleArn, "AWS role ARN to assume to")
+
+	flags.IrsaClientId = flag.String("irsa-client-id", e.IrsaClientId, "IRSA client id")
+
+	flags.Region = flag.String("region", os.Getenv("AWS_REGION"), "AWS region for credentials (e.g. eu-central-1)")
+	flags.FlushInterval = flag.Duration("flush-interval", 0, "non essential: flush interval to flush to the client while copying the response body.")
+	flags.IdleConnTimeout = flag.Duration("idle-conn-timeout", 90*time.Second, "non essential: the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. zero means no limit.")
+	flags.DialTimeout = flag.Duration("dial-timeout", 30*time.Second, "non essential: the maximum amount of time a dial will wait for a connect to complete.")
+
+	flag.Parse()
+}
+
 func provideMgmtEndpoint(mgmtPort string, metricsPath string) {
 
 	http.HandleFunc("/status/health", func(w http.ResponseWriter, request *http.Request) {
@@ -196,7 +214,7 @@ func provideMgmtEndpoint(mgmtPort string, metricsPath string) {
 
 	http.Handle(metricsPath, promhttp.Handler())
 
-	log.Fatal(http.ListenAndServe(mgmtPort, nil))
+	zap.S().Fatal(http.ListenAndServe(mgmtPort, nil))
 }
 
 func anyFlagEmpty(flags ...string) bool {

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/aws/aws-sdk-go v1.44.152
 	github.com/go-co-op/gocron v1.18.0
 	github.com/kelseyhightower/envconfig v1.3.1-0.20170420212316-202b52d1dba0
+	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.14.0
 	github.com/sony/gobreaker v0.5.0
 	github.com/stretchr/testify v1.8.1

pkg/irsa/irsa.go

@@ -0,0 +1,99 @@
+package irsa
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/sts"
+	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+	. "github.com/idealo/aws-signing-proxy/pkg/logging"
+	"github.com/idealo/aws-signing-proxy/pkg/proxy"
+	"go.uber.org/zap"
+	"os"
+	"time"
+)
+
+var cachedCredentials *sts.Credentials
+
+type ReadClient struct {
+	stsClient stsiface.STSAPI
+	clientId  string
+	roleArn   string
+}
+
+func NewIRSAClient(region string, clientId string, roleArn string) *ReadClient {
+	return &ReadClient{
+		stsClient: InitClient(region),
+		clientId:  clientId,
+		roleArn:   roleArn,
+	}
+}
+
+func (c *ReadClient) WithRoleArn(roleArn string) *ReadClient {
+	c.roleArn = roleArn
+	return c
+}
+
+func (c *ReadClient) retrieveShortLivingCredentialsFromAwsSts(roleArn string, webToken string, roleSessionName string) *sts.Credentials {
+	identity, err := c.stsClient.AssumeRoleWithWebIdentity(&sts.AssumeRoleWithWebIdentityInput{
+		RoleArn:          &roleArn,
+		RoleSessionName:  &roleSessionName,
+		WebIdentityToken: &webToken,
+	})
+
+	if err != nil {
+		Logger.Error("Something went wrong with the STS Client", zap.Error(err))
+	}
+
+	return identity.Credentials
+}
+
+func InitClient(region string) stsiface.STSAPI {
+	sess := session.Must(session.NewSession(&aws.Config{
+		Region:      aws.String(region),
+		Credentials: credentials.AnonymousCredentials},
+	))
+
+	return sts.New(sess, aws.NewConfig().WithRegion(region))
+}
+
+func (c *ReadClient) RefreshCredentials(result interface{}) error {
+	refreshedCredentials := result.(*proxy.RefreshedCredentials)
+
+	err := RetrieveCredentials(c)
+	if err != nil {
+		return err
+	}
+	stsCredentials := cachedCredentials
+
+	refreshedCredentials.ExpiresAt = *stsCredentials.Expiration
+	refreshedCredentials.Data.AccessKey = *stsCredentials.AccessKeyId
+	refreshedCredentials.Data.SecretKey = *stsCredentials.SecretAccessKey
+	refreshedCredentials.Data.SecurityToken = *stsCredentials.SessionToken
+
+	return nil
+}
+
+func RetrieveCredentials(c *ReadClient) error {
+	if cachedCredentials == nil || isExpired(cachedCredentials.Expiration) {
+
+		tokenFile, ok := os.LookupEnv("AWS_WEB_IDENTITY_TOKEN_FILE")
+		if !ok {
+			zap.S().Fatalf("Environment variable 'AWS_WEB_IDENTITY_TOKEN_FILE' is not set!")
+		}
+
+		bytes, err := os.ReadFile(tokenFile)
+		if err != nil {
+			return err
+		}
+
+		cachedCredentials = c.retrieveShortLivingCredentialsFromAwsSts(c.roleArn, string(bytes), c.clientId)
+		Logger.Info("Refreshed short living credentials.")
+	}
+	return nil
+}
+
+func isExpired(expiration *time.Time) bool {
+	// subtract 5 minutes from the actual expiration to retrieve every 55 minutes new credentials
+	return time.Now().After(expiration.Add(-time.Minute * 5))
+}