feat(eks): add support for cross account login

Signed-off-by: Casale, Robert <[email protected]>

Author: Gearheads

pkg/plugins/discovery/aws/provider.go

@@ -71,10 +71,11 @@ func New(input *provider.PluginCreationInput) (discovery.Provider, error) {
 
 type eksClusteProviderConfig struct {
 	common.ClusterProviderConfig
-	Region       *string `json:"region"`
-	RegionFilter *string `json:"region-filter"`
-	RoleArn      *string `json:"role-arn"`
-	RoleFilter   *string `json:"role-filter"`
+	AssumeRoleARN *string `json:"assume-role-arn"`
+	Region        *string `json:"region"`
+	RegionFilter  *string `json:"region-filter"`
+	RoleArn       *string `json:"role-arn"`
+	RoleFilter    *string `json:"role-filter"`
 }
 
 // EKSClusterProvider will discover EKS clusters in AWS
@@ -129,8 +130,9 @@ func ConfigurationItems(scopeTo string) (config.ConfigurationSet, error) {
 	cs := aws.SharedConfig()
 
 	cs.String("aws-shared-credentials-file", os.Getenv("AWS_SHARED_CREDENTIALS_FILE"), "Location to store AWS credentials file")
+	cs.String("assume-role-arn", "", "ARN of the AWS role to be assumed")
 	cs.String("region-filter", "", "A regex filter to apply to the AWS regions list, e.g. '^us-|^eu-' will only show US and eu regions") //nolint: errcheck
-	cs.String("role-arn", "", "ARN of the AWS role to be assumed")                                                                       //nolint: errcheck
+	cs.String("role-arn", "", "ARN of the AWS role to be logged in with")                                                                //nolint: errcheck
 	cs.String("role-filter", "", "A filter to apply to the roles list, e.g. 'EKS' will only show roles that contain EKS in the name")    //nolint: errcheck
 
 	return cs, nil

pkg/plugins/identity/saml/saml.go

@@ -184,6 +184,7 @@ func (p *samlIdentityProvider) bindAndValidateConfig(cs config.ConfigurationSet)
 
 func (p *samlIdentityProvider) createAccount(cs config.ConfigurationSet) (*cfg.IDPAccount, error) {
 	account := &cfg.IDPAccount{
+		Username:        p.config.Username,
 		URL:             p.config.IdpEndpoint,
 		Provider:        p.config.IdpProvider,
 		MFA:             "Auto",

pkg/plugins/identity/saml/sp/aws/provider.go

@@ -27,6 +27,7 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
@@ -76,6 +77,11 @@ func (p *ServiceProvider) PopulateAccount(account *cfg.IDPAccount, cfg config.Co
 	account.AmazonWebservicesURN = "urn:amazon:webservices"
 	account.Profile = "kconnect-saml-provider"
 
+	assumeRoleCfg := cfg.Get("assume-role-arn")
+	if assumeRoleCfg != nil && assumeRoleCfg.Value.(string) != "" {
+		account.AssumeRoleARN = assumeRoleCfg.Value.(string)
+	}
+
 	regionCfg := cfg.Get("region")
 	if regionCfg == nil || regionCfg.Value.(string) == "" {
 		return ErrNoRegion
@@ -131,6 +137,18 @@ func (p *ServiceProvider) ProcessAssertions(account *cfg.IDPAccount, samlAsserti
 		return nil, fmt.Errorf("logging into AWS using STS and SAMLAssertion: %w", err)
 	}
 
+	// switch AWS IAM role
+	if account.AssumeRoleARN != "" {
+		awsCreds, err = p.assumeRoleARN(account, awsCreds)
+		if err != nil {
+			return nil, fmt.Errorf("assuming role in AWS: %w", err)
+		}
+		if err := cfg.SetValue("assume-role-arn", account.AssumeRoleARN); err != nil {
+			return nil, fmt.Errorf("setting assume-role-arn config value: %w", err)
+		}
+		p.logger.Debugw("role assumed", "assume-role", account.AssumeRoleARN)
+	}
+
 	// Create profile based on the AWS creds
 	identifier, err := kaws.CreateIDFromCreds(awsCreds)
 	if err != nil {
@@ -301,6 +319,40 @@ func (p *ServiceProvider) loginToStsUsingRole(account *cfg.IDPAccount, role *sam
 	}, nil
 }
 
+func (p *ServiceProvider) assumeRoleARN(account *cfg.IDPAccount, awsCreds *awsconfig.AWSCredentials) (*awsconfig.AWSCredentials, error) {
+	sess, err := session.NewSession(&aws.Config{
+		Region:              &account.Region,
+		STSRegionalEndpoint: endpoints.RegionalSTSEndpoint,
+		Credentials: credentials.NewStaticCredentials(
+			awsCreds.AWSAccessKey,
+			awsCreds.AWSSecretKey,
+			awsCreds.AWSSessionToken,
+		),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("creating aws session: %w", err)
+	}
+	assumeRoleInput := &sts.AssumeRoleInput{
+		RoleArn:         &account.AssumeRoleARN,
+		RoleSessionName: &account.Username,
+		DurationSeconds: aws.Int64(int64(account.SessionDuration)),
+	}
+	out, err := sts.New(sess).AssumeRole(assumeRoleInput)
+	if err != nil {
+		return nil, fmt.Errorf("failed to assume role: %w", err)
+	}
+
+	return &awsconfig.AWSCredentials{
+		AWSAccessKey:     aws.StringValue(out.Credentials.AccessKeyId),
+		AWSSecretKey:     aws.StringValue(out.Credentials.SecretAccessKey),
+		AWSSessionToken:  aws.StringValue(out.Credentials.SessionToken),
+		AWSSecurityToken: aws.StringValue(out.Credentials.SessionToken),
+		PrincipalARN:     aws.StringValue(out.AssumedRoleUser.Arn),
+		Expires:          out.Credentials.Expiration.Local(),
+		Region:           account.Region,
+	}, nil
+}
+
 // TODO: use the version form saml2aws when modules are fixed
 func (p *ServiceProvider) extractDestinationURL(data []byte) (string, error) {