envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

aws signing filter: allows dynamic configuration of credentials #36109

Closed mathetake closed 3 weeks ago

mathetake commented 2 months ago

Title: aws signing filter: allows dynamic configuration of credentials

Description:

Currently, for AssumeRoleWithWebIdentity, the AWS signing filter can only extract the WebIdentityToken from the local file pointed to by the AWS_WEB_IDENTITY_TOKEN_FILE environment variable. Also, the role ARN can only be configured via AWS_ROLE_ARN.

I would love to configure them via xds.

The dynamically configured token will be passed at https://github.com/envoyproxy/envoy/blob/0ad67a1d7f8f6352e8c2b7abcce627d8f212c081/source/extensions/common/aws/credentials_provider_impl.cc#L775

where currently the token read from the local file is passed.

The arn will be passed at https://github.com/envoyproxy/envoy/blob/0ad67a1d7f8f6352e8c2b7abcce627d8f212c081/source/extensions/common/aws/credentials_provider_impl.cc#L793

edited: this turned out to be not only about assume role with web identity but about any current configuration in general. So the solution would be to add a general "credential provider" API and allow the control plane to provide the credential sources which are currently only configurable via env vars.

mathetake commented 2 months ago

~Not only the token but also I would like to dynamically configure AWS_ROLE_ARN as well~

edited: modified the title and description accordingly.

ravenblackx commented 1 month ago

cc @suniltheta

mathetake commented 1 month ago
diff --git a/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto b/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
index 5729d7f503..ef23e3b664 100644
--- a/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
+++ b/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
@@ -107,6 +107,24 @@ message AwsRequestSigning {
   // query_string: {}
   //
   QueryString query_string = 7;
+
+  // The credential provider for signing the request. This is optional and if not set,
+  // it will be retrieved from the procedure described in :ref:`config_http_filters_aws_request_signing`.
+  AwsRequestSigningCredentialProvider credential_provider = 8;
+}
+
+message AwsRequestSigningCredentialProvider {
+  oneof provider {
+    AssumeRoleWithWebIdentity assume_role_with_web_identity = 1;
+  }
+
+  message AssumeRoleWithWebIdentity {
+    // The ARN of the role to assume.
+    string role_arn = 1;
+
+    // The identity token that is provided by the identity provider to assume the role.
+    string identity_token = 2;
+  }
 }
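Review bot: `string identity_token = 2;` puts a bearer credential inline in the filter config without any sensitivity marking; annotate it `[(udpa.annotations.sensitive) = true]` so it is redacted from config dumps and logs. Since the token is today re-read from the file named by `AWS_WEB_IDENTITY_TOKEN_FILE` and can therefore be rotated without a config change, the API docs should state that an inline value must be re-pushed over xDS before it expires, or consider a data-source style field instead of a plain string. The comment on `credential_provider = 8` should also spell out the behaviour when the message is set but `role_arn` or `identity_token` is empty (whether it falls back to the env-var procedure or is rejected), and `role_arn` likely wants a non-empty validate rule.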

quickly sketched a rough potential API change - wdyt? @suniltheta

suniltheta commented 1 month ago

yes, sounds good to have the configurable option. cc: @nbaws