8df06ec2bc
Adds an optional `webIdentityTokenFile` field to `AwsIntegrationAccountConfig` and `AwsIntegrationDefaultAccountConfig`. When set on a per-account config along with a `roleName` and no static credentials, `DefaultAwsCredentialsManager` now retrieves credentials by calling `AssumeRoleWithWebIdentity` directly using the file's contents as the web identity token (via `fromTokenFile`). The token file is re-read on each refresh, so an external process can rotate it in place — the same mechanism EKS IRSA uses, where the kubelet rotates a projected service account token at the path identified by `AWS_WEB_IDENTITY_TOKEN_FILE`. This unlocks multi-account `AssumeRoleWithWebIdentity` for backends running outside AWS (GKE, Cloud Run, Vault sidecars, etc.) without requiring every plugin to construct a custom `AwsCredentialsManager`. Existing call sites and configurations are unaffected — the new path is opt-in via the new optional field. Validator rejects: - `webIdentityTokenFile` combined with static credentials (`accessKeyId`/`secretAccessKey`) on the same account - `webIdentityTokenFile` combined with `profile` on the same account - `webIdentityTokenFile` without a `roleName` (matches the existing precedent for `externalId`/`region`/`partition` without `roleName`) - `webIdentityTokenFile` combined with `externalId` (the STS `AssumeRoleWithWebIdentity` API does not accept an external ID) Same rules apply at the `accountDefaults` level. The `!config.accessKeyId` guard in `getSdkCredentialProvider` is defensive — it protects callers that build an `AwsIntegrationAccountConfig` directly without going through `readAwsIntegrationConfig`. In that case we fall through to the existing static-creds AssumeRole path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Brian Hudson <brian.r.hudson@gmail.com>
/*
 * Copyright 2022 The Backstage Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

export interface Config {
  /** Configuration for access to AWS accounts */
  aws?: {
    /**
     * Defaults for retrieving AWS account credentials
     */
    accountDefaults?: {
      /**
       * The IAM role to assume to retrieve temporary AWS credentials.
       *
       * Required whenever `webIdentityTokenFile` is set.
       */
      roleName?: string;

      /**
       * The AWS partition of the IAM role, e.g. "aws", "aws-cn"
       */
      partition?: string;

      /**
       * The STS regional endpoint to use when retrieving temporary AWS credentials, e.g. "ap-northeast-1"
       */
      region?: string;

      /**
       * The unique identifier needed to assume the role to retrieve temporary AWS credentials.
       *
       * Only applies to `AssumeRole`; it cannot be combined with
       * `webIdentityTokenFile`, because `AssumeRoleWithWebIdentity` does not
       * accept an external ID.
       * @visibility secret
       */
      externalId?: string;

      /**
       * Path to a file on disk containing an OIDC web-identity token.
       *
       * When set, credentials are obtained with `AssumeRoleWithWebIdentity`,
       * using the file's contents as the token; `roleName` must also be set
       * and `externalId` must not. The file is re-read on every credential
       * refresh, so an external process (e.g. a projected service-account
       * token mount) can rotate it in place. The path itself is not secret,
       * but the token it holds is a bearer credential: restrict read access
       * on the file to the backend process.
       */
      webIdentityTokenFile?: string;
    };

    /**
     * Main account to use for retrieving AWS account credentials
     */
    mainAccount?: {
      /**
       * The access key ID for a set of static AWS credentials
       * @visibility secret
       */
      accessKeyId?: string;

      /**
       * The secret access key for a set of static AWS credentials
       * @visibility secret
       */
      secretAccessKey?: string;

      /**
       * The configuration profile from a credentials file at ~/.aws/credentials and
       * a configuration file at ~/.aws/config.
       */
      profile?: string;

      /**
       * The STS regional endpoint to use for the main account, e.g. "ap-northeast-1"
       */
      region?: string;
    };

    /**
     * Configuration for retrieving AWS accounts credentials
     */
    accounts?: Array<{
      /**
       * The account ID of the target account that this matches on, e.g. "123456789012"
       */
      accountId: string;

      /**
       * The access key ID for a set of static AWS credentials.
       *
       * Cannot be combined with `webIdentityTokenFile` on the same account.
       * @visibility secret
       */
      accessKeyId?: string;

      /**
       * The secret access key for a set of static AWS credentials.
       *
       * Cannot be combined with `webIdentityTokenFile` on the same account.
       * @visibility secret
       */
      secretAccessKey?: string;

      /**
       * The configuration profile from a credentials file at ~/.aws/credentials and
       * a configuration file at ~/.aws/config.
       *
       * Cannot be combined with `webIdentityTokenFile` on the same account.
       */
      profile?: string;

      /**
       * The IAM role to assume to retrieve temporary AWS credentials.
       *
       * Required whenever `webIdentityTokenFile` is set.
       */
      roleName?: string;

      /**
       * The AWS partition of the IAM role, e.g. "aws", "aws-cn"
       */
      partition?: string;

      /**
       * The STS regional endpoint to use when retrieving temporary AWS credentials, e.g. "ap-northeast-1"
       */
      region?: string;

      /**
       * The unique identifier needed to assume the role to retrieve temporary AWS credentials.
       *
       * Only applies to `AssumeRole`; it cannot be combined with
       * `webIdentityTokenFile`, because `AssumeRoleWithWebIdentity` does not
       * accept an external ID.
       * @visibility secret
       */
      externalId?: string;

      /**
       * Path to a file on disk containing an OIDC web-identity token.
       *
       * When set together with `roleName` and no static credentials,
       * credentials for this account are obtained with
       * `AssumeRoleWithWebIdentity`, using the file's contents as the token.
       * Mutually exclusive with `accessKeyId`/`secretAccessKey`, `profile`
       * and `externalId`; `roleName` is required. The file is re-read on
       * every credential refresh, so an external process (e.g. a projected
       * service-account token mount) can rotate it in place. The path itself
       * is not secret, but the token it holds is a bearer credential:
       * restrict read access on the file to the backend process.
       */
      webIdentityTokenFile?: string;
    }>;
  };
}