xDS gRPC credentials for AWS IAM

[lavignes]

Title: xDS gRPC credentials for AWS IAM

Description:
I work on the AWS App Mesh team. For our public preview we added a core.GrpcService.GoogleGrpc.CallCredentials plugin that uses a slightly modified signature v4 signing process to authenticate xDS requests. Essentially, we map the gRPC POST request into an HTTP 1.1-style request and pass follow the signing algorithm as documented.

We'd like to contribute this plugin into upstream Envoy to allow users to easily make their own builds and get timely feature updates/bugfixes etc.

Our current implementation pulls in a (opt-in) dependency on the core library of AWS C++ SDK, which is probably overkill. It also relies on linking the SDK against openssl and libcurl to perform the necessary HTTP requests to fetch credentials from places like the EC2 instance metadata endpoint.

I was exploring dropping the AWS SDK dependency and passing a context object to the Envoy::Grpc::GoogleGrpcCredentialsFactory with a cluster manager so that we could leverage Envoy's HTTP apis to call to the metadata endpoints, but I'm worried I'm going down the completely wrong path to making REST api calls from within the CredentialsFactory.

Any suggestions? I'm happy to open a PR with the current implementation, but I'm sure a minimalist AWS-auth lib in Envoy could be handy for other extensions that may need to communicate with AWS services. ex: #4526

[mattklein123]

Thanks @lavignes this sounds very useful. @htuch and @lizan are most familiar with the gRPC extensions and can hopefully provide some guidance here.

[dio]

This is interesting since if we go by extending grpc::MetadataCredentialsPlugin we need to find a way of GetMetadata from the EC2 instance metadata endpoint within the google gRPC thread (which requires the opt-in aws-sdk for now? Do we have a way to do that without it?).

[lavignes]

@dio

requires the opt-in aws-sdk for now? Do we have a way to do that without it?

We added the aws-sdk dependency behind a compiler-flag, e.g. --enable=aws_sdk We only really use it to curl the credentials endpoint and sign. Both are pretty trivial to implement without the SDK, granted we can safely make the instance metadata request.

I believe I could dynamically register the metadata endpoint as a remote cluster, thereby allowing us to make GET calls to the endpoint from within the plugin. But don't know if that's the right way to proceed. Especially since I do need to block on that GET request as well.

[htuch]

@lavignes I think you could do it in Envoy::Grpc::GoogleGrpcCredentialsFactory with some changes. It would need to become an asynchronous API, rather than its current synchronous interface, as it will need to wait for HTTP completions before continuing.

If you are executing from within the grpc::MetadataCredentialsPlugin() execution flow, you have a lot more freedom when it comes to threading; those plugins can block as the gRPC core runtime can schedule you on another thread. I don't think you can easily resuse Envoy's cluster manager there, as cluster manager is designed around a notion of a fixed number of worker threads, all of which are owned by Envoy and have updates coordinated in a safe fashion. They can't be used on gRPC threads.

If the gRPC libs don't provide an HTTP fetch method, I would suggest a number of options:

1. Fetch in Envoy::Grpc::GoogleGrpcCredentialsFactory() (with consequent changes to the interfaces for this).
2. Use libcurl or whatever inside grpc::MetadataCredentialsPlugin(). Add this as an external dependency to Envoy.
3. Build your own HTTP client from Envoy components and use it in grpc::MetadataCredentialsPlugin(), with no reuse of the existing notion of clusters or cluster manager or connection pools. You can see an example of how this is done by looking at the health checker code in HealthCheckerImplBase.

I think (3) could be the most Envoy-ish way of approaching this problem, (1) would be next preference. (2) seems like we're bringing in an unnecessary new dep.

[lavignes]

@htuch Thanks! This is exactly what I was looking for. We'll go ahead with implementing (3).

[mattklein123]

@htuch @lavignes one other potential thing to consider would be to not use the Google gRPC client at all. Presumably you are just using it because it has a credentials/auth hook? Envoy's built-in AsyncClient/GrpcAsyncClient I think could be fairly easily extended to support filters, and then you could have an AWS auth filter plugin of some kind (or just a metadata callback which does the right thing). I'm not sure if this is easier or harder than (3) but just throwing it out there.

[htuch]

@mattklein123 yeah, this would be totally reasonable. I guess at some point we will need to extend the Envoy gRPC client to support a wider range of auth models. This would have been a place that it would make sense to try and leverage libraries from Google gRPC perhaps, but I think it needs a more detailed investigation to figure out if these APIs exist today and/or coordinate with gRPC team to expose them for reuse in Envoy gRPC.

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.