Update usage of AWS SDK in aws_pca UpstreamAuthority plugin to v2 (sp…

…iffe#2766) * Update usage of AWS SDK in aws_pca UpstreamAuthority plugin to v2 This is primarily motivated by trying to consolidate to a single AWS SDK dependency in SPIRE. The max wait time for certificate issuance introduced in this change matches the default behavior used in the v1 SDK. Signed-off-by: Ryan Turner <[email protected]> Co-authored-by: Marcos Yacob <[email protected]>
stevend-uber · Oct 16, 2023 · 8ac253b · 8ac253b
1 parent 0e9fc93
commit 8ac253b
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 20 deletions.
diff --git a/go.mod b/go.mod
@@ -17,12 +17,12 @@ require (
 	github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.11
 	github.com/Microsoft/go-winio v0.6.1
 	github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129
-	github.com/armon/go-metrics v0.3.10
-	github.com/aws/aws-sdk-go v1.44.0
+	github.com/armon/go-metrics v0.4.0
 	github.com/aws/aws-sdk-go-v2 v1.16.7
 	github.com/aws/aws-sdk-go-v2/config v1.15.13
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.8
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8
+	github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.10
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.47.2
 	github.com/aws/aws-sdk-go-v2/service/iam v1.18.9
 	github.com/aws/aws-sdk-go-v2/service/kms v1.17.5

diff --git a/go.sum b/go.sum
@@ -527,8 +527,8 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgI
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/aws/aws-sdk-go v1.44.0 h1:jwtHuNqfnJxL4DKHBUVUmQlfueQqBW7oXP6yebZR/R0=
-github.com/aws/aws-sdk-go v1.44.0/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
+github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns=
 github.com/aws/aws-sdk-go-v2 v1.16.7/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw=
 github.com/aws/aws-sdk-go-v2/config v1.15.13 h1:CJH9zn/Enst7lDiGpoguVt0lZr5HcpNVlRJWbJ6qreo=
@@ -543,6 +543,8 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 h1:2J+jdlBJWEmTyAwC82Y
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8/go.mod h1:ZIV8GYoC6WLBW5KGs+o4rsc65/ozd+eQ0L31XF5VDwk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 h1:QquxR7NH3ULBsKC+NoTpilzbKKS+5AELfNREInbhvas=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15/go.mod h1:Tkrthp/0sNBShQQsamR7j/zY4p19tVTAs+nnqhH6R3c=
+github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.10 h1:S0Vf3M6Y70WJ6Gb/ZkuGQ9C3ErODIkehSxXOu3bTUVQ=
+github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.10/go.mod h1:NU1zsuI+UaQZi+nw7n2pNp42mFX2xcxO6YgbGyEgP14=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.47.2 h1:81hrDgbXHL44WdY6M/fHGXLlv17qTpOFzutXRVDEk3Y=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.47.2/go.mod h1:VoBcwURHnJVCWuXHdqVuG03i2lUlHJ5DTTqDSyCdEcc=
 github.com/aws/aws-sdk-go-v2/service/iam v1.18.9 h1:pVHvEz+KIsTwRKufwvGZr90X/YJ7swVshaBZNY4ESIY=

diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go
@@ -20,9 +20,13 @@ type PCAClient interface {
 }
 
 func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) {
-	var endpointResolver aws.EndpointResolverWithOptions
+	var opts []func(*config.LoadOptions) error
+	if cfg.Region != "" {
+		opts = append(opts, config.WithRegion(cfg.Region))
+	}
+
 	if cfg.Endpoint != "" {
-		endpointResolver = aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
+		endpointResolver := aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
 			if service == acmpca.ServiceID && region == cfg.Region {
 				return aws.Endpoint{
 					PartitionID:   "aws",
@@ -31,28 +35,36 @@ func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) {
 				}, nil
 			}
 
-			return aws.Endpoint{}, fmt.Errorf("unknown endpoint requested")
+			return aws.Endpoint{}, fmt.Errorf("unknown endpoint %s requested for region %s", service, region)
 		})
 		opts = append(opts, config.WithEndpointResolverWithOptions(endpointResolver))
 	}
 
-	var credsProvider aws.CredentialsProvider
-	switch {
-	case cfg.AssumeRoleARN != "":
-		stsClient := sts.NewFromConfig(aws.Config{})
-		credsProvider = stscreds.NewAssumeRoleProvider(stsClient, cfg.AssumeRoleARN)
-	default:
-		awsCfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(cfg.Region), config.WithEndpointResolverWithOptions(endpointResolver))
+	awsCfg, err := config.LoadDefaultConfig(ctx, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	if cfg.AssumeRoleARN != "" {
+		awsCfg, err = newAWSAssumeRoleConfig(ctx, cfg.Region, awsCfg, cfg.AssumeRoleARN)
 		if err != nil {
 			return nil, err
 		}
+	}
+
+	return acmpca.NewFromConfig(awsCfg), nil
+}
 
-		credsProvider = awsCfg.Credentials
+func newAWSAssumeRoleConfig(ctx context.Context, region string, awsConf aws.Config, assumeRoleArn string) (aws.Config, error) {
+	var opts []func(*config.LoadOptions) error
+	if region != "" {
+		opts = append(opts, config.WithRegion(region))
 	}
 
-	return acmpca.NewFromConfig(aws.Config{
-		Region:                      cfg.Region,
-		EndpointResolverWithOptions: endpointResolver,
-		Credentials:                 credsProvider,
-	}), nil
+	stsClient := sts.NewFromConfig(awsConf)
+	opts = append(opts, config.WithCredentialsProvider(aws.NewCredentialsCache(
+		stscreds.NewAssumeRoleProvider(stsClient, assumeRoleArn))),
+	)
+
+	return config.LoadDefaultConfig(ctx, opts...)
 }