aws signing filter: allows dynamic configuration of credentials #36109
mathetake added the enhancement (Feature requests. Not bugs or questions.) and triage (Issue requires triage) labels on Sep 13, 2024
edited: modified the title and description accordingly.
cc @suniltheta
mathetake changed the title from "aws signing filter: suport for dynamic configuration of WebIdentityToken" to "aws signing filter: dynamic configuration of WebIdentityToken and RoleARN" on Sep 14, 2024
diff --git a/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto b/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
index 5729d7f503..ef23e3b664 100644
--- a/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
+++ b/api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
@@ -107,6 +107,24 @@ message AwsRequestSigning {
// query_string: {}
//
QueryString query_string = 7;
+
+ // The credential provider for signing the request. This is optional and if not set,
+ // it will be retrieved from the procedure described in :ref:`config_http_filters_aws_request_signing`.
+ AwsRequestSigningCredentialProvider credential_provider = 8;
+}
+
+message AwsRequestSigningCredentialProvider {
+ oneof provider {
+ AssumeRoleWithWebIdentity assume_role_with_web_identity = 1;
+ }
+
+ message AssumeRoleWithWebIdentity {
+ // The ARN of the role to assume.
+ string role_arn = 1;
+
+ // The identity token that is provided by the identity provider to assume the role.
+ string identity_token = 2;
+ }
}
quickly sketched a rough potential API change - wdyt? @suniltheta
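Review bot: `identity_token` in `AssumeRoleWithWebIdentity` is declared as a plain `string`, so the web identity token, which is a bearer credential, would travel inline in the filter config and be visible wherever that config is rendered or logged. Consider marking the field with the `udpa.annotations.sensitive` annotation, or taking the token as a `config.core.v3.DataSource` or an SDS-delivered secret so it can be rotated without pushing a new filter config. Separately, neither `role_arn` nor `identity_token` carries a validation rule, so an empty value would be accepted; a `min_len: 1` constraint on both would reject that when the config is loaded. The comment on `credential_provider` could also state which source wins when both this field and the existing environment variables are set.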
yes, sounds good to have the configurable option.
mathetake changed the title from "aws signing filter: dynamic configuration of WebIdentityToken and RoleARN" to "aws signing filter: allows dynamic configuration of credentials" on Oct 1, 2024
Title: aws signing filter: allows dynamic configuration of credentials
Description:
Currently, for AssumeRoleWithWebIdentity, the AWS signing filter can only extract the WebIdentityToken from the local file pointed to by the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable. Also, the role ARN can only be configured via `AWS_ROLE_ARN`. I would love to configure them via xDS.
The dynamically configured token will be passed at `envoy/source/extensions/common/aws/credentials_provider_impl.cc`, line 775 in 0ad67a1, where currently the token read from the local file is passed.
The ARN will be passed at `envoy/source/extensions/common/aws/credentials_provider_impl.cc`, line 793 in 0ad67a1.
edited: this turned out to be not only about assume role with web identity but about any current configuration in general. So the solution would be to add a general "credential provider" API and allow the control plane to provide the credential sources which are currently only configurable via env vars.