aws: Implementation of IAM Roles anywhere support in aws request signing (https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)

[nbaws]

Commit Message: aws: Implementation of IAM Roles anywhere support in aws request signing
Additional Description: Creates an additional x509 credential type and adds custom signing support for IAM Roles Anywhere
Risk Level: Low
Testing: Unit
Docs Changes: doc update and sample config included
Release Notes: changelog update
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #37193 was opened by nbaws.

see: more, trace.

[nbaws]

@suniltheta if you have bandwidth

[suniltheta]

Couldn't go through all the files. Would it be possible to break the PR into multiple smaller chunks?

There are several functions, for example functions inside source/extensions/common/aws/signer_base_impl.cc or pemToAlgorithmSerialExpiration which are tricky to review since I don't have context on how it should be written. If you are able to break down the PR into individual pieces you can link in code comments from the docs what that piece of function is trying to solve based on the guidance given in https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html or other docs page.

I see we have two new high level CredentailsProvider class IAMRolesAnywhereX509CredentialsProvider & IAMRolesAnywhereCredentialsProvider. Would it be possible to add docs comments to explain what each of these classes are doing? If you happen to have a short doc, will help with the getting the context.

[suniltheta]

does this take a default value if not specified?

[nbaws]

If not specified there will be no duration sent, and the service will choose the duration. From https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html:

durationSeconds
The duration, in seconds, of the role session. The value is optional and can range from 900 seconds (15 minutes) up to 43200 seconds (12 hours).

[13ajay]

If durationSeconds is provided in the CreateSession (IAM Roles Anywhere credentialing API) request, the duration of the resulting session will be min(durationSeconds, profileDurationSeconds), where profileDurationSeconds is the durationSeconds value on the profile used in the request. Otherwise, if durationSeconds isn't provided in the request, profileDurationSeconds is used. Note that all of this just determines the value for durationSeconds that IAM Roles Anywhere sends in the AssumeRole request to STS (which the service will do internally). So if the maxSessionDuration on the role doesn't allow for the duration obtained through the described process, you'll receive a 403.

See: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object

[nbaws]

so the proto constraint should enforce the sizing in config, however it's entirely optional for the user to provide here. we should have 403 covered in test cases, but i will double check what is logged so it is possible to troubleshoot it

[nbaws]

Couldn't go through all the files. Would it be possible to break the PR into multiple smaller chunks?

There are several functions, for example functions inside source/extensions/common/aws/signer_base_impl.cc or pemToAlgorithmSerialExpiration which are tricky to review since I don't have context on how it should be written. If you are able to break down the PR into individual pieces you can link in code comments from the docs what that piece of function is trying to solve based on the guidance given in https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html or other docs page.

I see we have two new high level CredentailsProvider class IAMRolesAnywhereX509CredentialsProvider & IAMRolesAnywhereCredentialsProvider. Would it be possible to add docs comments to explain what each of these classes are doing? If you happen to have a short doc, will help with the getting the context.

TY for your look through. I will add additional comments, and also carve off this code into its own source file so it is easier to understand. I will also add design documentation as per your suggestion.

[nbaws]

@suniltheta I've refactored so this has less impact on existing source files. Fundamental code is the same and I've added a small design doc here: #37440
Inline documentation can also be found in source/extensions/common/aws/iam_roles_anywhere_credentials_provider_impl.h

Please let me know if you'd like any more detail here.

[13ajay]

I haven't gone through the entire PR yet, but I have gone through some of it. I'll add comments on the rest when I get around to it.

[13ajay]

If durationSeconds is provided in the CreateSession (IAM Roles Anywhere credentialing API) request, the duration of the resulting session will be min(durationSeconds, profileDurationSeconds), where profileDurationSeconds is the durationSeconds value on the profile used in the request. Otherwise, if durationSeconds isn't provided in the request, profileDurationSeconds is used. Note that all of this just determines the value for durationSeconds that IAM Roles Anywhere sends in the AssumeRole request to STS (which the service will do internally). So if the maxSessionDuration on the role doesn't allow for the duration obtained through the described process, you'll receive a 403.

See: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object

[nbaws]

/retest

[github-actions]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[github-actions]

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!