Skip to content

Commit

Permalink
Introduce aws_rolesanywhere_trustanchor BundlePublisher plugin (spi…
Browse files Browse the repository at this point in the history 
…ffe#5048)

* Introduce the aws_rolesanywhere_trustanchor BundlePublisher plugin

* Implement and add tests for the plugin

Signed-off-by: Ajay Gupta <apg76@cornell.edu>

* Add documentation for aws_rolesanywhere_trustanchor BundlePublisher plugin

Signed-off-by: Ajay Gupta <apg76@cornell.edu>

* Apply suggestions from code review

Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: ajay1135 <32616412+ajay1135@users.noreply.github.com>

* Address comments on PR

* Only required rolesanywhere:UpdateTrustAnchor permissions (no creating
  or listing)
* Add note about how this plugin is only supported when an
  UpstreamAuthority plugin is also used
* Use ID instead of trust anchor name to identify trust anchors, as it's
  unique
* Check that certificate bundles don't exceed a length of 8000 before
  making the UpdateTrustAnchor API call
* Make corresponding changes to unit tests

Signed-off-by: Ajay Gupta <apg76@cornell.edu>

* Apply suggestions from code review

Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: ajay1135 <32616412+ajay1135@users.noreply.github.com>

---------

Signed-off-by: Ajay Gupta <apg76@cornell.edu>
Signed-off-by: ajay1135 <32616412+ajay1135@users.noreply.github.com>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
  • Loading branch information
@ajay1135 @amartinezfayo @edwbuck
2 people authored and edwbuck committed Aug 20, 2024
1 parent 4eac726 commit 90881c7
Show file tree
Hide file tree
Showing 11 changed files with 725 additions and 41 deletions.
20 changes: 20 additions & 0 deletions conf/server/server_full.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -929,6 +929,26 @@ plugins {
# # format = "spiffe"
# }
# }

# BundlePublisher "aws_rolesanywhere_trustanchor": A bundle publisher that puts the current trust
# bundle of the server in an AWS IAM Roles Anywhere trust anchor, keeping it updated.
# BundlePublisher "aws_rolesanywhere_trustanchor" {
# plugin_data {
# # region: AWS region to store the trust bundle. Default: "".
# # region = "us-east-1"

# # access_key_id: AWS access key id. Default: value of
# # AWS_ACCESS_KEY_ID environment variable.
# # access_key_id = ""

# # secret_access_key: AWS secret access key. Default: value of
# # AWS_SECRET_ACCESS_KEY environment variable.
# # secret_access_key = ""

# # trust_anchor_id: The AWS IAM Roles Anywhere trust anchor id of the trust anchor to which to put the trust bundle. Default: "".
# # trust_anchor_id = "153d3e58-cab5-4a59-a0a1-3febad2937c4"
# }
# }
}

# telemetry: If telemetry is desired use this section to configure the
Expand Down
33 changes: 33 additions & 0 deletions doc/plugin_server_bundlepublisher_aws_rolesanywhere_trustanchor.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Server plugin: BundlePublisher "aws_rolesanywhere_trustanchor"

> [!WARNING]
> This plugin is only supported when an UpstreamAuthority plugin is used.
The `aws_rolesanywhere_trustanchor` plugin puts the current trust bundle of the server
in a trust anchor, keeping it updated.

The plugin accepts the following configuration options:

| Configuration | Description | Required | Default |
|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------|
| access_key_id | AWS access key id. | Required only if AWS credentials aren't otherwise set in the environment. | Value of AWS_ACCESS_KEY_ID environment variable. |
| secret_access_key | AWS secret access key. | Required only if AWS credentials aren't otherwise set in the environment. | Value of AWS_SECRET_ACCESS_KEY environment variable. |
| region | AWS region to store the trust bundle. | Yes. | |
| trust_anchor_id | The AWS IAM Roles Anywhere trust anchor id of the trust anchor to which to put the trust bundle. | Yes. | |

## AWS IAM Permissions

The user identified by the configured credentials needs to have `rolesanywhere:UpdateTrustAnchor` permissions.

## Sample configuration

The following configuration puts the local trust bundle contents into the `spire-trust-anchor` trust anchor and keeps it updated. The AWS credentials are obtained from the environment.

```hcl
BundlePublisher "aws_rolesanywhere_trustanchor" {
plugin_data {
region = "us-east-1"
trust_anchor_id = "153d3e58-cab5-4a59-a0a1-3febad2937c4"
}
}
```
55 changes: 28 additions & 27 deletions doc/spire_server.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,33 +16,34 @@ This document is a configuration reference for SPIRE Server. It includes informa

## Built-in plugins

| Type | Name | Description |
|--------------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
| DataStore | [sql](/doc/plugin_server_datastore_sql.md) | An SQL database storage for SQLite, PostgreSQL and MySQL databases for the SPIRE datastore |
| KeyManager | [aws_kms](/doc/plugin_server_keymanager_aws_kms.md) | A key manager which manages keys in AWS KMS |
| KeyManager | [disk](/doc/plugin_server_keymanager_disk.md) | A key manager which manages keys persisted on disk |
| KeyManager | [memory](/doc/plugin_server_keymanager_memory.md) | A key manager which manages unpersisted keys in memory |
| CredentialComposer | [uniqueid](/doc/plugin_server_credentialcomposer_uniqueid.md) | Adds the x509UniqueIdentifier attribute to workload X509-SVIDs. |
| NodeAttestor | [aws_iid](/doc/plugin_server_nodeattestor_aws_iid.md) | A node attestor which attests agent identity using an AWS Instance Identity Document |
| NodeAttestor | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
| NodeAttestor | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
| NodeAttestor | [join_token](/doc/plugin_server_nodeattestor_jointoken.md) | A node attestor which validates agents attesting with server-generated join tokens |
| NodeAttestor | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
| NodeAttestor | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
| NodeAttestor | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
| NodeAttestor | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md) | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate |
| NodeAttestor | [x509pop](/doc/plugin_server_nodeattestor_x509pop.md) | A node attestor which attests agent identity using an existing X.509 certificate |
| UpstreamAuthority | [disk](/doc/plugin_server_upstreamauthority_disk.md) | Uses a CA loaded from disk to sign SPIRE server intermediate certificates. |
| UpstreamAuthority | [aws_pca](/doc/plugin_server_upstreamauthority_aws_pca.md) | Uses a Private Certificate Authority from AWS Certificate Manager to sign SPIRE server intermediate certificates. |
| UpstreamAuthority | [awssecret](/doc/plugin_server_upstreamauthority_awssecret.md) | Uses a CA loaded from AWS SecretsManager to sign SPIRE server intermediate certificates. |
| UpstreamAuthority | [gcp_cas](/doc/plugin_server_upstreamauthority_gcp_cas.md) | Uses a Private Certificate Authority from GCP Certificate Authority Service to sign SPIRE Server intermediate certificates. |
| UpstreamAuthority | [vault](/doc/plugin_server_upstreamauthority_vault.md) | Uses a PKI Secret Engine from HashiCorp Vault to sign SPIRE server intermediate certificates. |
| UpstreamAuthority | [spire](/doc/plugin_server_upstreamauthority_spire.md) | Uses an upstream SPIRE server in the same trust domain to obtain intermediate signing certificates for SPIRE server. |
| UpstreamAuthority | [cert-manager](/doc/plugin_server_upstreamauthority_cert_manager.md) | Uses a referenced cert-manager Issuer to request intermediate signing certificates. |
| Notifier | [gcs_bundle](/doc/plugin_server_notifier_gcs_bundle.md) | A notifier that pushes the latest trust bundle contents into an object in Google Cloud Storage. |
| Notifier | [k8sbundle](/doc/plugin_server_notifier_k8sbundle.md) | A notifier that pushes the latest trust bundle contents into a Kubernetes ConfigMap. |
| BundlePublisher | [aws_s3](/doc/plugin_server_bundlepublisher_aws_s3.md) | Publishes the trust bundle to an Amazon S3 bucket. |
| BundlePublisher | [gcp_cloudstorage](/doc/plugin_server_bundlepublisher_gcp_cloudstorage.md) | Publishes the trust bundle to a Google Cloud Storage bucket. |
| Type | Name | Description |
|--------------------|--------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
| DataStore | [sql](/doc/plugin_server_datastore_sql.md) | An SQL database storage for SQLite, PostgreSQL and MySQL databases for the SPIRE datastore |
| KeyManager | [aws_kms](/doc/plugin_server_keymanager_aws_kms.md) | A key manager which manages keys in AWS KMS |
| KeyManager | [disk](/doc/plugin_server_keymanager_disk.md) | A key manager which manages keys persisted on disk |
| KeyManager | [memory](/doc/plugin_server_keymanager_memory.md) | A key manager which manages unpersisted keys in memory |
| CredentialComposer | [uniqueid](/doc/plugin_server_credentialcomposer_uniqueid.md) | Adds the x509UniqueIdentifier attribute to workload X509-SVIDs. |
| NodeAttestor | [aws_iid](/doc/plugin_server_nodeattestor_aws_iid.md) | A node attestor which attests agent identity using an AWS Instance Identity Document |
| NodeAttestor | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
| NodeAttestor | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
| NodeAttestor | [join_token](/doc/plugin_server_nodeattestor_jointoken.md) | A node attestor which validates agents attesting with server-generated join tokens |
| NodeAttestor | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
| NodeAttestor | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
| NodeAttestor | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
| NodeAttestor | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md) | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate |
| NodeAttestor | [x509pop](/doc/plugin_server_nodeattestor_x509pop.md) | A node attestor which attests agent identity using an existing X.509 certificate |
| UpstreamAuthority | [disk](/doc/plugin_server_upstreamauthority_disk.md) | Uses a CA loaded from disk to sign SPIRE server intermediate certificates. |
| UpstreamAuthority | [aws_pca](/doc/plugin_server_upstreamauthority_aws_pca.md) | Uses a Private Certificate Authority from AWS Certificate Manager to sign SPIRE server intermediate certificates. |
| UpstreamAuthority | [awssecret](/doc/plugin_server_upstreamauthority_awssecret.md) | Uses a CA loaded from AWS SecretsManager to sign SPIRE server intermediate certificates. |
| UpstreamAuthority | [gcp_cas](/doc/plugin_server_upstreamauthority_gcp_cas.md) | Uses a Private Certificate Authority from GCP Certificate Authority Service to sign SPIRE Server intermediate certificates. |
| UpstreamAuthority | [vault](/doc/plugin_server_upstreamauthority_vault.md) | Uses a PKI Secret Engine from HashiCorp Vault to sign SPIRE server intermediate certificates. |
| UpstreamAuthority | [spire](/doc/plugin_server_upstreamauthority_spire.md) | Uses an upstream SPIRE server in the same trust domain to obtain intermediate signing certificates for SPIRE server. |
| UpstreamAuthority | [cert-manager](/doc/plugin_server_upstreamauthority_cert_manager.md) | Uses a referenced cert-manager Issuer to request intermediate signing certificates. |
| Notifier | [gcs_bundle](/doc/plugin_server_notifier_gcs_bundle.md) | A notifier that pushes the latest trust bundle contents into an object in Google Cloud Storage. |
| Notifier | [k8sbundle](/doc/plugin_server_notifier_k8sbundle.md) | A notifier that pushes the latest trust bundle contents into a Kubernetes ConfigMap. |
| BundlePublisher | [aws_s3](/doc/plugin_server_bundlepublisher_aws_s3.md) | Publishes the trust bundle to an Amazon S3 bucket. |
| BundlePublisher | [gcp_cloudstorage](/doc/plugin_server_bundlepublisher_gcp_cloudstorage.md) | Publishes the trust bundle to a Google Cloud Storage bucket. |
| BundlePublisher | [aws_rolesanywhere_trustanchor](/doc/plugin_server_bundlepublisher_rolesanywhere_trustanchor.md) | Publishes the trust bundle to an AWS IAM Roles Anywhere trust anchor. |

## Server configuration file

Expand Down
7 changes: 4 additions & 3 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ require (
github.com/GoogleCloudPlatform/cloudsql-proxy v1.35.4
github.com/Microsoft/go-winio v0.6.2
github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129
github.com/aws/aws-sdk-go-v2 v1.30.0
github.com/aws/aws-sdk-go-v2 v1.30.1
github.com/aws/aws-sdk-go-v2/config v1.27.18
github.com/aws/aws-sdk-go-v2/credentials v1.17.18
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5
Expand All @@ -27,6 +27,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/iam v1.33.0
github.com/aws/aws-sdk-go-v2/service/kms v1.34.0
github.com/aws/aws-sdk-go-v2/service/organizations v1.28.0
github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.13.1
github.com/aws/aws-sdk-go-v2/service/s3 v1.56.0
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.31.0
github.com/aws/aws-sdk-go-v2/service/sts v1.29.0
Expand Down Expand Up @@ -136,8 +137,8 @@ require (
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.11 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 // indirect
Expand Down
Loading

0 comments on commit 90881c7

Please sign in to comment.