Is your feature request related to a problem? Please describe.
CockroachCloud currently supports several bring-your-own-resource features like CMEK and log export. In AWS, CC accesses customer-owned resources by AssumeRole-ing a customer-provided cross-tenant IAM role (docs). In the trust relationship of this cross-tenant account, we advise the customer to configure their CC organization ID as an ExternalID. This mitigates a security issue in which CC can become a confused deputy.
Though CockroachDB v22.2 supports role chaining, it doesn't support injecting an ExternalID along the ASSUME_ROLE chain. This is an issue for encrypted scheduled backups, which access a customer-provided KMS by AssumeRole-ing with an ExternalID.
Describe the solution you'd like
We'd like for CRDB to support a way to inject External IDs along an ASSUME_ROLE chain. A sample KMS clause we've discussed is:
kms="aws:///{key}?AUTH=implicit&ASSUME_ROLE=arn:crl-kms-user,arn:customer-owned-user;external_id={org_id}, ..."
This way, both CC and self-hosted customers can specify up to n external IDs for n roles in the chain. Note that this feature applies only to AWS clusters - GCP doesn't support the notion of an external ID.
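To make the proposed clause concrete, here is an added Go parser for the ASSUME_ROLE syntax sketched above (illustration only, not CockroachDB code, and the syntax is the issue's proposal rather than a shipped feature): each comma-separated role becomes one hop, and a hop's `;external_id=<value>` suffix is attached to that hop alone, so the ExternalID is only presented where a trust policy expects it. The key name and org ID used in the test are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RoleHop is one AssumeRole step: role ARN plus the ExternalId its trust policy expects.
type RoleHop struct{ RoleARN, ExternalID string }

// ParseAssumeRoleChain parses the syntax proposed in the issue: hops are
// comma-separated, and a hop may carry ";external_id=<value>".
func ParseAssumeRoleChain(value string) ([]RoleHop, error) {
	var chain []RoleHop
	for i, hop := range strings.Split(value, ",") {
		parts := strings.Split(hop, ";")
		h := RoleHop{RoleARN: strings.TrimSpace(parts[0])}
		if h.RoleARN == "" {
			return nil, fmt.Errorf("hop %d: missing role ARN", i)
		}
		for _, opt := range parts[1:] {
			k, v, ok := strings.Cut(strings.TrimSpace(opt), "=")
			if !ok || k != "external_id" {
				return nil, fmt.Errorf("hop %d: unsupported option %q", i, opt)
			}
			if v == "" || h.ExternalID != "" {
				return nil, fmt.Errorf("hop %d: external_id must appear once and be non-empty", i)
			}
			h.ExternalID = v
		}
		chain = append(chain, h)
	}
	return chain, nil
}

// ChainFromKMSURI extracts ASSUME_ROLE from aws:///<key>?AUTH=implicit&ASSUME_ROLE=...
// RawQuery is scanned by hand: net/url's Query() drops any pair containing a bare ';'.
func ChainFromKMSURI(uri string) ([]RoleHop, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}
	for _, pair := range strings.Split(u.RawQuery, "&") {
		if strings.HasPrefix(pair, "ASSUME_ROLE=") {
			return ParseAssumeRoleChain(strings.TrimPrefix(pair, "ASSUME_ROLE="))
		}
	}
	return nil, fmt.Errorf("ASSUME_ROLE missing from %q", uri)
}
```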
Describe alternatives you've considered
Another solution is not recommending or supplying an External ID, but this would lead to a security regression in CMEK, a security-conscious feature.
Jira issue: CRDB-20646
Epic CRDB-15037