
Support IAM role based login to AWS connectors #7496

Open
anuruddhal opened this issue Jan 8, 2025 · 7 comments

Comments

@anuruddhal (Member)

Current Limitation

Current AWS connectors only support authentication via the accessKeyId and secretAccessKey.

Suggested Improvement

Support IAM role-based login for AWS Connectors.
https://docs.workato.com/security/data-protection/secrets-management/iam-role-based-authentication-for-aws.html#retrieve-iam-role-arn

Version

No response

@ayeshLK (Member) commented Jan 9, 2025

In the ballerinax/aws.secretmanager connector, the following API changes are required to support IAM role credentials on Amazon EC2.

New additions:

```ballerina
// Closed record: only the fields listed here are allowed.
public type IAMRoleBasedAuthConfig record {|
    boolean useIMDSv2 = true;
|};
```

Rename AuthConfig to StaticAuthConfig:

```ballerina
public type StaticAuthConfig record {|
    string accessKeyId;
    string secretAccessKey;
    string sessionToken?;
|};
```

Update ConnectionConfig:

```ballerina
public type ConnectionConfig record {|
    Region region;
    StaticAuthConfig|IAMRoleBasedAuthConfig auth;
|};
```

Reference:

@daneshk @ThisaruGuruge WDYT ?

@ayeshLK ayeshLK self-assigned this Jan 9, 2025
@daneshk (Member) commented Jan 9, 2025

@ayeshLK Are we allowing the user to set false for useIMDSv2? What happens if the user sets false?

@daneshk (Member) commented Jan 9, 2025

If it is only a flag to enable EC2_IAM_ROLES, we can have the following options:

Option 01:

```ballerina
const EC2_IAM_ROLE = "EC2_IAM_ROLE";

public type StaticAuthConfig record {|
    string accessKeyId;
    string secretAccessKey;
    string sessionToken?;
|};

public type ConnectionConfig record {|
    StaticAuthConfig|EC2_IAM_ROLE auth;
|};
```

Option 02:

```ballerina
const EC2_IAM_ROLE = "EC2_IAM_ROLE";
const STATIC_AUTH = "STATIC_AUTH";

public type StaticAuthConfig record {|
    string accessKeyId;
    string secretAccessKey;
    string sessionToken?;
|};

public type ConnectionConfig record {|
    EC2_IAM_ROLE|STATIC_AUTH credentialProvider = STATIC_AUTH;
    StaticAuthConfig auth?;
|};
```

Option 02 needs additional validation.

@ayeshLK (Member) commented Jan 9, 2025

> @ayeshLK Are we allowing the user to set false for useIMDSv2? What happens if the user sets false?

There are two versions of IMDS (v1 and v2), and as per the AWS documentation [1], v2 is more secure and they recommend using it. But the v1 option is also there, and it is enabled by default in the SDK. As per the documentation, you can enable and disable it using multiple options, like an environment variable, a JVM system property, or a configuration file. Hence, having a programmatic configuration is optional.

[1] - https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/ec2-iam-roles.html#securely-read-IAM-role_credentials

@ayeshLK (Member) commented Jan 9, 2025

> If it is only a flag to enable EC2_IAM_ROLES, we can have the following options:
>
> Option 01:
>
> ```ballerina
> const EC2_IAM_ROLE = "EC2_IAM_ROLE";
>
> public type StaticAuthConfig record {|
>     string accessKeyId;
>     string secretAccessKey;
>     string sessionToken?;
> |};
>
> public type ConnectionConfig record {|
>     StaticAuthConfig|EC2_IAM_ROLE auth;
> |};
> ```
>
> Option 02:
>
> ```ballerina
> const EC2_IAM_ROLE = "EC2_IAM_ROLE";
> const STATIC_AUTH = "STATIC_AUTH";
>
> public type StaticAuthConfig record {|
>     string accessKeyId;
>     string secretAccessKey;
>     string sessionToken?;
> |};
>
> public type ConnectionConfig record {|
>     EC2_IAM_ROLE|STATIC_AUTH credentialProvider = STATIC_AUTH;
>     StaticAuthConfig auth?;
> |};
> ```
>
> Option 02 needs additional validation.

If we do not need the option to set the IMDS version programmatically, I would prefer using Option 01.

@daneshk (Member) commented Jan 9, 2025

> > @ayeshLK Are we allowing the user to set false for useIMDSv2? What happens if the user sets false?
>
> There are two versions of IMDS (v1 and v2), and as per the AWS documentation [1], v2 is more secure and they recommend using it. But the v1 option is also there, and it is enabled by default in the SDK. As per the documentation, you can enable and disable it using multiple options, like an environment variable, a JVM system property, or a configuration file. Hence, having a programmatic configuration is optional.
>
> [1] - https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/ec2-iam-roles.html#securely-read-IAM-role_credentials

As per the doc, the Java SDK first tries IMDSv2 to get the IAM role, but if that fails, it tries IMDSv1. We still have an option to disable trying IMDSv1 with other possibilities like env or system property, IMO we don't want to have it configured. WDYT?
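To make the IMDSv2-first, IMDSv1-fallback behaviour described in this comment and the one above concrete, here is an added Python illustration (not the connector's code and not the AWS SDK's); the HTTP layer is an injected `transport` callable and `fake_imds` is a constructed stand-in for the metadata endpoint, so the flow runs without an EC2 instance:

```python
# Added illustration: resolve IAM role credentials via IMDS, trying v2 first
# and falling back to v1 only when allowed. `use_imdsv2` mirrors the flag
# discussed in this thread; `allow_v1_fallback` mirrors the SDK behaviour
# the Java docs describe. transport(method, path, headers) -> (status, body).
import json

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def fetch_role_credentials(transport, use_imdsv2=True, allow_v1_fallback=False):
    """Return (imds_version_used, credentials dict); raise RuntimeError on failure."""
    headers = {}
    if use_imdsv2:
        # IMDSv2: a PUT with a TTL header yields a session token that every
        # later metadata request must carry; this exchange is why AWS calls v2
        # the more secure option.
        status, token = transport("PUT", TOKEN_PATH, {TOKEN_TTL_HEADER: "21600"})
        if status == 200:
            headers[TOKEN_HEADER] = token
        elif not allow_v1_fallback:
            raise RuntimeError(f"IMDSv2 token request failed ({status}); v1 fallback disabled")
    version = "v2" if TOKEN_HEADER in headers else "v1"
    status, role_list = transport("GET", CREDS_PATH, headers)
    if status != 200:
        raise RuntimeError(f"could not list role names via IMDS{version} ({status})")
    role_name = role_list.strip().splitlines()[0]
    status, body = transport("GET", CREDS_PATH + role_name, headers)
    if status != 200:
        raise RuntimeError(f"could not read credentials for {role_name} ({status})")
    return version, json.loads(body)


def fake_imds(require_token, serve_token=True):
    """Constructed fake of 169.254.169.254. require_token=True models an instance
    launched with HttpTokens=required (v1 disabled); serve_token=False models a
    host where the v2 token request cannot succeed (e.g. hop limit exceeded)."""
    creds = json.dumps({"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example",
                        "Token": "session-example", "Expiration": "2025-01-09T00:00:00Z"})

    def transport(method, path, headers):
        if method == "PUT" and path == TOKEN_PATH and TOKEN_TTL_HEADER in headers:
            return (200, "constructed-token") if serve_token else (403, "")
        if require_token and headers.get(TOKEN_HEADER) != "constructed-token":
            return 401, ""
        if path == CREDS_PATH:
            return 200, "example-role\n"
        if path == CREDS_PATH + "example-role":
            return 200, creds
        return 404, ""
    return transport
```

Against a token-required instance the v1-only path fails outright, while the default (v2, no fallback) succeeds; fallback to v1 only happens when explicitly allowed.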

@ayeshLK (Member) commented Jan 9, 2025

> > > @ayeshLK Are we allowing the user to set false for useIMDSv2? What happens if the user sets false?
> >
> > There are two versions of IMDS (v1 and v2), and as per the AWS documentation [1], v2 is more secure and they recommend using it. But the v1 option is also there, and it is enabled by default in the SDK. As per the documentation, you can enable and disable it using multiple options, like an environment variable, a JVM system property, or a configuration file. Hence, having a programmatic configuration is optional.
> > [1] - https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/ec2-iam-roles.html#securely-read-IAM-role_credentials
>
> As per the doc, the Java SDK first tries IMDSv2 to get the IAM role, but if that fails, it tries IMDSv1. We still have an option to disable trying IMDSv1 with other possibilities like env or system property, IMO we don't want to have it configured. WDYT?

+1
