Merge pull request #1155 from fletcherw/fletcherw/session_token

Support ServiceAccountToken in ecr-credential-provider

Author: k8s-ci-robot

cmd/ecr-credential-provider/main.go

@@ -31,6 +31,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/spf13/cobra"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -54,9 +55,15 @@ type ECRPublic interface {
 	GetAuthorizationToken(ctx context.Context, params *ecrpublic.GetAuthorizationTokenInput, optFns ...func(*ecrpublic.Options)) (*ecrpublic.GetAuthorizationTokenOutput, error)
 }
 
+// STS abstracts the calls we make to aws-sdk for testing purposes
+type STS interface {
+	AssumeRoleWithWebIdentity(context.Context, *sts.AssumeRoleWithWebIdentityInput, ...func(*sts.Options)) (*sts.AssumeRoleWithWebIdentityOutput, error)
+}
+
 type ecrPlugin struct {
 	ecr       ECR
 	ecrPublic ECRPublic
+	sts       STS
 }
 
 func defaultECRProvider(ctx context.Context, region string) (ECR, error) {
@@ -91,12 +98,30 @@ func publicECRProvider(ctx context.Context) (ECRPublic, error) {
 	return ecrpublic.NewFromConfig(cfg), nil
 }
 
+func stsProvider(ctx context.Context, region string) (STS, error) {
+	var cfg aws.Config
+	var err error
+	if region != "" {
+		cfg, err = config.LoadDefaultConfig(ctx,
+			config.WithRegion(region),
+		)
+	} else {
+		klog.Warningf("No region found in the image reference, the default region will be used. Please refer to AWS SDK documentation for configuration purpose.")
+		cfg, err = config.LoadDefaultConfig(ctx)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	return sts.NewFromConfig(cfg), nil
+}
+
 type credsData struct {
 	authToken *string
 	expiresAt *time.Time
 }
 
-func (e *ecrPlugin) getPublicCredsData(ctx context.Context) (*credsData, error) {
+func (e *ecrPlugin) getPublicCredsData(ctx context.Context, optFns ...func(*ecrpublic.Options)) (*credsData, error) {
 	klog.Infof("Getting creds for public registry")
 	var err error
 
@@ -107,7 +132,7 @@ func (e *ecrPlugin) getPublicCredsData(ctx context.Context) (*credsData, error)
 		return nil, err
 	}
 
-	output, err := e.ecrPublic.GetAuthorizationToken(ctx, &ecrpublic.GetAuthorizationTokenInput{})
+	output, err := e.ecrPublic.GetAuthorizationToken(ctx, &ecrpublic.GetAuthorizationTokenInput{}, optFns...)
 	if err != nil {
 		return nil, err
 	}
@@ -126,7 +151,7 @@ func (e *ecrPlugin) getPublicCredsData(ctx context.Context) (*credsData, error)
 	}, nil
 }
 
-func (e *ecrPlugin) getPrivateCredsData(ctx context.Context, imageHost string, image string) (*credsData, error) {
+func (e *ecrPlugin) getPrivateCredsData(ctx context.Context, imageHost string, image string, optFns ...func(*ecr.Options)) (*credsData, error) {
 	klog.Infof("Getting creds for private image %s", image)
 	var err error
 
@@ -137,7 +162,8 @@ func (e *ecrPlugin) getPrivateCredsData(ctx context.Context, imageHost string, i
 			return nil, err
 		}
 	}
-	output, err := e.ecr.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
+
+	output, err := e.ecr.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{}, optFns...)
 	if err != nil {
 		return nil, err
 	}
@@ -153,19 +179,83 @@ func (e *ecrPlugin) getPrivateCredsData(ctx context.Context, imageHost string, i
 	}, nil
 }
 
-func (e *ecrPlugin) GetCredentials(ctx context.Context, image string, args []string) (*v1.CredentialProviderResponse, error) {
+func (e *ecrPlugin) buildCredentialsProvider(ctx context.Context, request *v1.CredentialProviderRequest, imageHost string) (aws.CredentialsProvider, error) {
+	var err error
+
+	arn, ok := request.ServiceAccountAnnotations["eks.amazonaws.com/ecr-role-arn"]
+	if !ok {
+		arn = os.Getenv("AWS_ECR_ROLE_ARN")
+	}
+	if arn == "" {
+		return nil, errors.New("no arn provided, cannot assume role using ServiceAccountToken")
+	}
+
+	if e.sts == nil {
+		region := ""
+		if imageHost != ecrPublicHost {
+			region = parseRegionFromECRPrivateHost(imageHost)
+		}
+		e.sts, err = stsProvider(ctx, region)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return aws.CredentialsProviderFunc(func(ctx context.Context) (aws.Credentials, error) {
+			assumeOutput, err := e.sts.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityInput{
+				RoleArn:          aws.String(arn),
+				RoleSessionName:  aws.String("ecr-credential-provider"),
+				WebIdentityToken: aws.String(request.ServiceAccountToken),
+			})
+			if err != nil {
+				return aws.Credentials{}, fmt.Errorf("failed to assume role: %w", err)
+			}
+			return aws.Credentials{
+				AccessKeyID:     *assumeOutput.Credentials.AccessKeyId,
+				SecretAccessKey: *assumeOutput.Credentials.SecretAccessKey,
+				SessionToken:    *assumeOutput.Credentials.SessionToken,
+			}, nil
+		}),
+		nil
+}
+
+func (e *ecrPlugin) GetCredentials(ctx context.Context, request *v1.CredentialProviderRequest, args []string) (*v1.CredentialProviderResponse, error) {
 	var creds *credsData
 	var err error
 
-	imageHost, err := parseHostFromImageReference(image)
+	if request.Image == "" {
+		return nil, errors.New("image in plugin request was empty")
+	}
+
+	imageHost, err := parseHostFromImageReference(request.Image)
 	if err != nil {
 		return nil, err
 	}
 
+	var credentialsProvider aws.CredentialsProvider = nil
+	if request.ServiceAccountToken != "" {
+		credentialsProvider, err = e.buildCredentialsProvider(ctx, request, imageHost)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	if imageHost == ecrPublicHost {
-		creds, err = e.getPublicCredsData(ctx)
+		var optFns = []func(*ecrpublic.Options){}
+		if credentialsProvider != nil {
+			optFns = append(optFns, func(o *ecrpublic.Options) {
+				o.Credentials = credentialsProvider
+			})
+		}
+		creds, err = e.getPublicCredsData(ctx, optFns...)
 	} else {
-		creds, err = e.getPrivateCredsData(ctx, imageHost, image)
+		var optFns = []func(*ecr.Options){}
+		if credentialsProvider != nil {
+			optFns = append(optFns, func(o *ecr.Options) {
+				o.Credentials = credentialsProvider
+			})
+		}
+		creds, err = e.getPrivateCredsData(ctx, imageHost, request.Image, optFns...)
 	}
 
 	if err != nil {

cmd/ecr-credential-provider/main_test.go

@@ -29,6 +29,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ecr/types"
 	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
 	publictypes "github.com/aws/aws-sdk-go-v2/service/ecrpublic/types"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	ststypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
 	"github.com/stretchr/testify/mock"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1"
@@ -40,6 +42,15 @@ type MockedECR struct {
 
 func (m *MockedECR) GetAuthorizationToken(ctx context.Context, params *ecr.GetAuthorizationTokenInput, optFns ...func(*ecr.Options)) (*ecr.GetAuthorizationTokenOutput, error) {
 	args := m.Called(ctx, params)
+
+	opts := ecr.Options{}
+	for _, fn := range optFns {
+		fn(&opts)
+	}
+	if opts.Credentials != nil {
+		opts.Credentials.Retrieve(ctx)
+	}
+
 	if args.Get(1) != nil {
 		return args.Get(0).(*ecr.GetAuthorizationTokenOutput), args.Get(1).(error)
 	}
@@ -59,6 +70,18 @@ func (m *MockedECRPublic) GetAuthorizationToken(ctx context.Context, params *ecr
 	return args.Get(0).(*ecrpublic.GetAuthorizationTokenOutput), nil
 }
 
+type MockedSTS struct {
+	mock.Mock
+}
+
+func (m *MockedSTS) AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithWebIdentityOutput, error) {
+	args := m.Called(ctx, params)
+	if args.Get(1) != nil {
+		return args.Get(0).(*sts.AssumeRoleWithWebIdentityOutput), args.Get(1).(error)
+	}
+	return args.Get(0).(*sts.AssumeRoleWithWebIdentityOutput), nil
+}
+
 func generatePrivateGetAuthorizationTokenOutput(user string, password string, proxy string, expiration *time.Time) *ecr.GetAuthorizationTokenOutput {
 	creds := []byte(fmt.Sprintf("%s:%s", user, password))
 	data := types.AuthorizationData{
@@ -159,7 +182,7 @@ func Test_GetCredentials_Private(t *testing.T) {
 			p := &ecrPlugin{ecr: &mockECR}
 			mockECR.On("GetAuthorizationToken", mock.Anything, mock.Anything).Return(testcase.getAuthorizationTokenOutput, testcase.getAuthorizationTokenError)
 
-			creds, err := p.GetCredentials(context.TODO(), testcase.image, testcase.args)
+			creds, err := p.GetCredentials(context.TODO(), &v1.CredentialProviderRequest{Image: testcase.image}, testcase.args)
 
 			if testcase.expectedError != nil && (testcase.expectedError.Error() != err.Error()) {
 				t.Fatalf("expected %s, got %s", testcase.expectedError.Error(), err.Error())
@@ -182,7 +205,101 @@ func Test_GetCredentials_Private(t *testing.T) {
 	}
 }
 
-func generatePublicGetAuthorizationTokenOutput(user string, password string, proxy string, expiration *time.Time) *ecrpublic.GetAuthorizationTokenOutput {
+func Test_GetCredentials_PrivateForServiceAccount(t *testing.T) {
+	testcases := []struct {
+		name                            string
+		request                         *v1.CredentialProviderRequest
+		args                            []string
+		expectedAssumeArn               string
+		getAuthorizationTokenOutput     *ecr.GetAuthorizationTokenOutput
+		getAuthorizationTokenError      error
+		assumeRoleWithWebIdentityOutput *sts.AssumeRoleWithWebIdentityOutput
+		assumeRoleWithWebIdentityError  error
+		response                        *v1.CredentialProviderResponse
+		expectedError                   error
+	}{
+		{
+			name:                        "success",
+			request:                     &v1.CredentialProviderRequest{Image: "123456789123.dkr.ecr.us-west-2.amazonaws.com", ServiceAccountToken: "DEADBEEF=", ServiceAccountAnnotations: map[string]string{"eks.amazonaws.com/ecr-role-arn": "arn:expected"}},
+			expectedAssumeArn:           "arn:expected",
+			getAuthorizationTokenOutput: generatePrivateGetAuthorizationTokenOutput("user", "pass", "", nil),
+			assumeRoleWithWebIdentityOutput: &sts.AssumeRoleWithWebIdentityOutput{
+				Credentials: &ststypes.Credentials{
+					AccessKeyId:     aws.String("access-key-id"),
+					SecretAccessKey: aws.String("secret-access-key"),
+					SessionToken:    aws.String("session-token"),
+				},
+			},
+			response: generateResponse("123456789123.dkr.ecr.us-west-2.amazonaws.com", "user", "pass"),
+		},
+		{
+			name:                        "no arn provided",
+			request:                     &v1.CredentialProviderRequest{Image: "123456789123.dkr.ecr.us-west-2.amazonaws.com", ServiceAccountToken: "DEADBEEF="},
+			expectedAssumeArn:           "arn:expected",
+			getAuthorizationTokenOutput: generatePrivateGetAuthorizationTokenOutput("user", "pass", "", nil),
+			assumeRoleWithWebIdentityOutput: &sts.AssumeRoleWithWebIdentityOutput{
+				Credentials: &ststypes.Credentials{
+					AccessKeyId:     aws.String("access-key-id"),
+					SecretAccessKey: aws.String("secret-access-key"),
+					SessionToken:    aws.String("session-token"),
+				},
+			},
+			response:      generateResponse("123456789123.dkr.ecr.us-west-2.amazonaws.com", "user", "pass"),
+			expectedError: errors.New("no arn provided, cannot assume role using ServiceAccountToken"),
+		},
+		{
+			name:                           "assume error",
+			request:                        &v1.CredentialProviderRequest{Image: "123456789123.dkr.ecr.us-west-2.amazonaws.com", ServiceAccountToken: "DEADBEEF=", ServiceAccountAnnotations: map[string]string{"eks.amazonaws.com/ecr-role-arn": "arn:expected"}},
+			expectedAssumeArn:              "arn:expected",
+			getAuthorizationTokenOutput:    generatePrivateGetAuthorizationTokenOutput("user", "pass", "", nil),
+			assumeRoleWithWebIdentityError: errors.New("injected error"),
+			response:                       generateResponse("123456789123.dkr.ecr.us-west-2.amazonaws.com", "user", "pass"),
+			expectedError:                  errors.New("injected error"),
+		},
+	}
+	for _, testcase := range testcases {
+		t.Run(testcase.name, func(t *testing.T) {
+			mockECR := MockedECR{}
+			mockSTS := MockedSTS{}
+			p := &ecrPlugin{ecr: &mockECR, sts: &mockSTS}
+			mockECR.On("GetAuthorizationToken", mock.Anything, mock.Anything).Return(testcase.getAuthorizationTokenOutput, testcase.getAuthorizationTokenError)
+
+			expectedInput := sts.AssumeRoleWithWebIdentityInput{
+				RoleArn:          aws.String(testcase.expectedAssumeArn),
+				RoleSessionName:  aws.String("ecr-credential-provider"),
+				WebIdentityToken: aws.String(testcase.request.ServiceAccountToken),
+			}
+			mockSTS.On("AssumeRoleWithWebIdentity", mock.Anything, &expectedInput).Return(testcase.assumeRoleWithWebIdentityOutput, testcase.assumeRoleWithWebIdentityError)
+			creds, err := p.GetCredentials(context.TODO(), testcase.request, testcase.args)
+			if err != nil {
+				if testcase.expectedError == nil {
+					t.Fatalf("got unexpected error %s", err.Error())
+
+				}
+
+				if testcase.expectedError.Error() != err.Error() {
+					t.Fatalf("expected %s, got %s", testcase.expectedError.Error(), err.Error())
+				}
+			}
+
+			if testcase.expectedError == nil {
+				if creds.CacheKeyType != testcase.response.CacheKeyType {
+					t.Fatalf("Unexpected CacheKeyType. Expected: %s, got: %s", testcase.response.CacheKeyType, creds.CacheKeyType)
+				}
+
+				if creds.Auth[testcase.request.Image] != testcase.response.Auth[testcase.request.Image] {
+					t.Fatalf("Unexpected Auth. Expected: %s, got: %s", testcase.response.Auth[testcase.request.Image], creds.Auth[testcase.request.Image])
+				}
+
+				if creds.CacheDuration.Duration != testcase.response.CacheDuration.Duration {
+					t.Fatalf("Unexpected CacheDuration. Expected: %s, got: %s", testcase.response.CacheDuration.Duration, creds.CacheDuration.Duration)
+				}
+			}
+		})
+	}
+}
+
+func generatePublicGetAuthorizationTokenOutput(user string, password string, expiration *time.Time) *ecrpublic.GetAuthorizationTokenOutput {
 	creds := []byte(fmt.Sprintf("%s:%s", user, password))
 	data := &publictypes.AuthorizationData{
 		AuthorizationToken: aws.String(base64.StdEncoding.EncodeToString(creds)),
@@ -207,9 +324,16 @@ func Test_GetCredentials_Public(t *testing.T) {
 		{
 			name:                        "success",
 			image:                       "public.ecr.aws",
-			getAuthorizationTokenOutput: generatePublicGetAuthorizationTokenOutput("user", "pass", "", nil),
+			getAuthorizationTokenOutput: generatePublicGetAuthorizationTokenOutput("user", "pass", nil),
 			response:                    generateResponse("public.ecr.aws", "user", "pass"),
 		},
+		{
+			name:                        "empty image",
+			image:                       "",
+			getAuthorizationTokenOutput: &ecrpublic.GetAuthorizationTokenOutput{},
+			getAuthorizationTokenError:  nil,
+			expectedError:               errors.New("image in plugin request was empty"),
+		},
 		{
 			name:                        "empty authorization data",
 			image:                       "public.ecr.aws",
@@ -257,7 +381,7 @@ func Test_GetCredentials_Public(t *testing.T) {
 			p := &ecrPlugin{ecrPublic: &mockECRPublic}
 			mockECRPublic.On("GetAuthorizationToken", mock.Anything, mock.Anything).Return(testcase.getAuthorizationTokenOutput, testcase.getAuthorizationTokenError)
 
-			creds, err := p.GetCredentials(context.TODO(), testcase.image, testcase.args)
+			creds, err := p.GetCredentials(context.TODO(), &v1.CredentialProviderRequest{Image: testcase.image}, testcase.args)
 
 			if testcase.expectedError != nil && (testcase.expectedError.Error() != err.Error()) {
 				t.Fatalf("expected %s, got %s", testcase.expectedError.Error(), err.Error())

cmd/ecr-credential-provider/plugin.go

@@ -28,7 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/runtime/serializer/json"
 	"k8s.io/kubelet/pkg/apis/credentialprovider/install"
-	"k8s.io/kubelet/pkg/apis/credentialprovider/v1"
+	v1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1"
 )
 
 var (
@@ -43,7 +43,7 @@ func init() {
 // CredentialProvider is an interface implemented by the kubelet credential provider plugin to fetch
 // the username/password based on the provided image name.
 type CredentialProvider interface {
-	GetCredentials(ctx context.Context, image string, args []string) (response *v1.CredentialProviderResponse, err error)
+	GetCredentials(ctx context.Context, request *v1.CredentialProviderRequest, args []string) (response *v1.CredentialProviderResponse, err error)
 }
 
 // ExecPlugin implements the exec-based plugin for fetching credentials that is invoked by the kubelet.
@@ -85,11 +85,7 @@ func (e *ExecPlugin) runPlugin(ctx context.Context, r io.Reader, w io.Writer, ar
 		return err
 	}
 
-	if request.Image == "" {
-		return errors.New("image in plugin request was empty")
-	}
-
-	response, err := e.plugin.GetCredentials(ctx, request.Image, args)
+	response, err := e.plugin.GetCredentials(ctx, request, args)
 	if err != nil {
 		return err
 	}