Add role assumption for Issuer

Signed-off-by: Egor Novikov <[email protected]>
Signed-off-by: Brady Siegel <[email protected]>

Author: Egor Novikov

charts/aws-pca-issuer/crds/awspca.cert-manager.io_awspcaclusterissuers.yaml

@@ -46,6 +46,9 @@ spec:
               region:
                 description: Should contain the AWS region if it cannot be inferred
                 type: string
+              role:
+                description: Specifies the ARN of role to assume when issuing certificates.
+                type: string
               secretRef:
                 description: Needs to be specified if you want to authorize with AWS
                   using an access and secret key

charts/aws-pca-issuer/crds/awspca.cert-manager.io_awspcaissuers.yaml

@@ -45,6 +45,9 @@ spec:
               region:
                 description: Should contain the AWS region if it cannot be inferred
                 type: string
+              role:
+                description: Specifies the ARN of role to assume when issuing certificates.
+                type: string
               secretRef:
                 description: Needs to be specified if you want to authorize with AWS
                   using an access and secret key

config/crd/bases/awspca.cert-manager.io_awspcaclusterissuers.yaml

@@ -46,6 +46,9 @@ spec:
               region:
                 description: Should contain the AWS region if it cannot be inferred
                 type: string
+              role:
+                description: Specifies the ARN of role to assume when issuing certificates.
+                type: string
               secretRef:
                 description: Needs to be specified if you want to authorize with AWS
                   using an access and secret key

config/crd/bases/awspca.cert-manager.io_awspcaissuers.yaml

@@ -45,6 +45,9 @@ spec:
               region:
                 description: Should contain the AWS region if it cannot be inferred
                 type: string
+              role:
+                description: Specifies the ARN of role to assume when issuing certificates.
+                type: string
               secretRef:
                 description: Needs to be specified if you want to authorize with AWS
                   using an access and secret key

config/examples/cluster-issuer-with-assumption-role/issuer.yaml

@@ -0,0 +1,8 @@
+apiVersion: awspca.cert-manager.io/v1beta1
+kind: AWSPCAClusterIssuer
+metadata:
+  name: example
+spec:
+  arn: <some-pca-arn>
+  role: <some-role-arn>
+  region: us-west-2

e2e/aws_helpers.go

@@ -296,7 +296,7 @@ func getAccountID(ctx context.Context, cfg aws.Config) string {
 	return *callerID.Account
 }
 
-func getPartition(ctx context.Context, cfg aws.Config) string {
+func getCallerIdentity(ctx context.Context, cfg aws.Config) *sts.GetCallerIdentityOutput {
 	stsClient := sts.NewFromConfig(cfg)
 
 	callerID, callerErr := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
@@ -305,6 +305,12 @@ func getPartition(ctx context.Context, cfg aws.Config) string {
 		panic(callerErr.Error())
 	}
 
+	return callerID
+}
+
+func getPartition(ctx context.Context, cfg aws.Config) string {
+	callerID := getCallerIdentity(ctx, cfg)
+
 	parsedArn, parseErr := arn.Parse(*callerID.Arn)
 	if parseErr != nil {
 		return "aws"

e2e/awspcaissuer_test.go

@@ -5,11 +5,13 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"regexp"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/cert-manager/aws-privateca-issuer/pkg/api/v1beta1"
 	clientV1beta1 "github.com/cert-manager/aws-privateca-issuer/pkg/clientset/v1beta1"
@@ -31,7 +33,7 @@ type TestContext struct {
 	xaCfg     aws.Config
 	caArns    map[string]string
 
-	region, partition, accessKey, secretKey, endEntityResourceShareArn, subordinateCaResourceShareArn, userName, policyArn string
+	region, partition, accessKey, secretKey, endEntityResourceShareArn, subordinateCaResourceShareArn, userName, policyArn, accountId, domain string
 }
 
 // These are variables specific to each test
@@ -111,7 +113,23 @@ func InitializeTestSuite(suiteCtx *godog.TestSuiteContext) {
 			panic(cfgErr.Error())
 		}
 
-		testContext.partition = getPartition(ctx, cfg)
+		callerID := getCallerIdentity(ctx, cfg)
+		testContext.accountId = *callerID.Account
+
+		parsedArn, parseErr := arn.Parse(*callerID.Arn)
+		if parseErr != nil {
+			panic("Failed to parse caller identity ARN: " + parseErr.Error())
+		}
+
+		testContext.partition = parsedArn.Partition
+
+		// Match the complete resource: assumed-role/RoleName-DOMAIN-region/i-xxxxxxxxx
+		re := regexp.MustCompile(`^assumed-role/[^-]+-([^-]+)-[^/]+/i-[a-f0-9]+$`)
+		matches := re.FindStringSubmatch(parsedArn.Resource)
+		if len(matches) < 2 {
+			panic("Failed to extract domain from caller identity resource: " + parsedArn.Resource)
+		}
+		testContext.domain = matches[1]
 
 		testContext.iclient, err = clientV1beta1.NewForConfig(clientConfig)
 
@@ -217,8 +235,10 @@ func InitializeScenario(ctx *godog.ScenarioContext) {
 	ctx.Step(`^I create a namespace`, issuerContext.createNamespace)
 	ctx.Step(`^I create a Secret with keys ([A-Za-z_]+) and ([A-Za-z_]+) for my AWS credentials$`, issuerContext.createSecret)
 	ctx.Step(`^I create an AWSPCAClusterIssuer using a (RSA|ECDSA|XA) CA$`, issuerContext.createClusterIssuer)
+	ctx.Step(`^I create an AWSPCAClusterIssuer with role assumption$`, issuerContext.createClusterIssuerWithRole)
 	ctx.Step(`^I delete the AWSPCAClusterIssuer$`, issuerContext.deleteClusterIssuer)
 	ctx.Step(`^I create an AWSPCAIssuer using a (RSA|ECDSA|XA) CA$`, issuerContext.createNamespaceIssuer)
+	ctx.Step(`^I create an AWSPCAIssuer with role assumption$`, issuerContext.createNamespaceIssuerWithRole)
 	ctx.Step(`^I issue a (SHORT_VALIDITY|RSA|ECDSA|CA) certificate$`, issuerContext.issueCertificate)
 	ctx.Step(`^the certificate should be issued successfully$`, issuerContext.verifyCertificateIssued)
 	ctx.Step(`^the certificate request has been created$`, issuerContext.verifyCertificateRequestIsCreated)

e2e/clusterissuer_steps.go

@@ -13,13 +13,22 @@ import (
 )
 
 func (issCtx *IssuerContext) createClusterIssuer(ctx context.Context, caType string) error {
+	return issCtx.createClusterIssuerWithSpec(ctx, caType, getIssuerSpec(caType))
+}
+
+func (issCtx *IssuerContext) createClusterIssuerWithRole(ctx context.Context) error {
+	return issCtx.createClusterIssuerWithSpec(ctx, "RSA", getIssuerSpecWithRole("RSA"))
+}
+
+func (issCtx *IssuerContext) createClusterIssuerWithSpec(ctx context.Context, caType string, spec v1beta1.AWSPCAIssuerSpec) error {
 	if issCtx.issuerName == "" {
 		issCtx.issuerName = uuid.New().String() + "--cluster-issuer--" + strings.ToLower(caType)
 	}
+
 	issCtx.issuerType = "AWSPCAClusterIssuer"
 	issSpec := v1beta1.AWSPCAClusterIssuer{
 		ObjectMeta: metav1.ObjectMeta{Name: issCtx.issuerName},
-		Spec:       getIssuerSpec(caType),
+		Spec:       spec,
 	}
 
 	if issCtx.secretRef != (v1beta1.AWSCredentialsSecretReference{}) {

e2e/common_steps.go

@@ -34,6 +34,12 @@ func getIssuerSpec(caType string) v1beta1.AWSPCAIssuerSpec {
 	}
 }
 
+func getIssuerSpecWithRole(caType string) v1beta1.AWSPCAIssuerSpec {
+	spec := getIssuerSpec(caType)
+	spec.Role = fmt.Sprintf("arn:%s:iam::%s:role/IssuerTestRole-%s-%s", testContext.partition, testContext.accountId, testContext.domain, testContext.region)
+	return spec
+}
+
 func (issCtx *IssuerContext) createNamespace(ctx context.Context) error {
 	namespaceName := "pca-issuer-ns-" + uuid.New().String()
 	namespace := v1.Namespace{

e2e/features/role_assumption.feature

@@ -0,0 +1,15 @@
+@RoleAssumption
+Feature: Issue certificates using role assumption
+  As a user of the aws-privateca-issuer
+  I need to be able to issue certificates using role assumption
+
+  Scenario: Issue a certificate with a ClusterIssuer using role assumption
+    Given I create an AWSPCAClusterIssuer with role assumption
+    When I issue a RSA certificate
+    Then the certificate should be issued successfully
+
+  Scenario: Issue a certificate with a namespaced Issuer using role assumption
+    Given I create a namespace
+    And I create an AWSPCAIssuer with role assumption
+    When I issue a RSA certificate
+    Then the certificate should be issued successfully