
plugin/rest: Adds AWS Web Identity support #2725

Merged

Conversation

RichiCoder1
Contributor

@RichiCoder1 commented Sep 25, 2020

Adds support for signing S3 requests using Web Identity credentials. Specifically supports the Env Var version that's used in EKS IRSA.

Closes: #2462

Remaining Work:

  • Test Coverage
  • Documentation

@tsandall
Member

@patrick-east PTAL

Contributor

@patrick-east left a comment


Looking pretty good 👍

Once the remaining TODO's are finished we should be in good shape.

You'll need to remove the changes from internal/compiler/wasm/opa, I don't think those should be getting modified from these changes.

@RichiCoder1
Contributor Author

You'll need to remove the changes from internal/compiler/wasm/opa, I don't think those should be getting modified from these changes.

I figured. Came from just running make, might be an env quirk. Will splice them out once I get test coverage done.

@RichiCoder1 force-pushed the feat/aws_web_identity branch 2 times, most recently from 1b18a93 to e0edac3 on September 26, 2020 21:44
@RichiCoder1
Contributor Author

Added test coverage and some basic documentation. LMK how it looks!

@RichiCoder1 marked this pull request as ready for review September 26, 2020 22:22
@RichiCoder1
Contributor Author

Aside: Is there a trick to getting my doc changes to show in the preview? Doesn't seem to be showing up.

@patrick-east
Contributor

Aside: Is there a trick to getting my doc changes to show in the preview? Doesn't seem to be showing up.

They're under the edge version for the PR: https://deploy-preview-2725--openpolicyagent.netlify.app/docs/edge/configuration/#aws-signature (which on the "live" site is showing the docs for master)

@RichiCoder1
Contributor Author

They're under the edge version for the PR: deploy-preview-2725--openpolicyagent.netlify.app/docs/edge/configuration/#aws-signature (which on the "live" site is showing the docs for master)

Aha! There we go.

@patrick-east
Contributor

Changes look good!

Do you by chance have pointers to instructions/examples to try this out?

@RichiCoder1
Contributor Author

Do you by chance have pointers to instructions/examples to try this out?

Sadly the answer is spinning up an IAM role, S3 bucket w/ permissions, and EKS cluster, and then launching an OPA pod on that cluster w/ the appropriate annotations on that pod's SA.
That said, I already have all the above so I can give this a test run and report back this week.

@patrick-east
Contributor

That said, I already have all the above so I can give this a test run and report back this week.

@RichiCoder1 did you have a chance to try it out with the full setup?

@RichiCoder1
Contributor Author

did you have a chance to try it out with the full setup?

Sadly, no. We're launching a big feature and it ate up my time. Reaching the tail end of that though, hoping to circle back around.

@RichiCoder1 force-pushed the feat/aws_web_identity branch 2 times, most recently from 8eee6d9 to ea01da6 on October 22, 2020 00:51
@RichiCoder1
Contributor Author

Finally was able to test! Luckily due to the nature of this change, was able to swipe a token off of my cluster.
Discovered two issues, I was missing a Version param in STS, and I needed to require the Region for signing. Both are resolved and I can confirm it's functional locally. Gonna resolve the merge and issues and this should be good to go.
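
The two fixes described in this comment (the Version parameter on the STS call, and refusing to sign without a region) and the env-var flow the PR description refers to, as an added Go example. This is not OPA's code nor code from this PR: the function names, the session name opa-bundle-fetch and the sample STS XML response are assumptions constructed for illustration. It reads the variables EKS IRSA injects (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE) plus AWS_REGION, builds the unsigned AssumeRoleWithWebIdentity request with the token in the POST body, and parses the temporary credentials the signer would then use for S3.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

type webIdentityConfig struct {
	RoleARN, TokenFile, Region, SessionName string
}

// configFromEnv reads the variables EKS IRSA injects into the pod through a lookup
// function (os.Getenv in production, a map in tests). AWS_REGION is mandatory: SigV4 needs it.
func configFromEnv(lookup func(string) string) (webIdentityConfig, error) {
	cfg := webIdentityConfig{
		RoleARN:     lookup("AWS_ROLE_ARN"),
		TokenFile:   lookup("AWS_WEB_IDENTITY_TOKEN_FILE"),
		Region:      lookup("AWS_REGION"),
		SessionName: "opa-bundle-fetch", // assumed session name for illustration
	}
	switch {
	case cfg.RoleARN == "":
		return cfg, errors.New("AWS_ROLE_ARN is not set")
	case cfg.TokenFile == "":
		return cfg, errors.New("AWS_WEB_IDENTITY_TOKEN_FILE is not set")
	case cfg.Region == "":
		return cfg, errors.New("AWS_REGION is required for SigV4 signing")
	}
	return cfg, nil
}

// buildAssumeRoleRequest forms the unsigned AssumeRoleWithWebIdentity call. The OIDC
// token is the credential, so it goes in the POST body, not the URL, to keep it out of logs.
func buildAssumeRoleRequest(cfg webIdentityConfig, token string) (*http.Request, error) {
	form := url.Values{}
	form.Set("Action", "AssumeRoleWithWebIdentity")
	form.Set("Version", "2011-06-15") // STS rejects the call without this parameter
	form.Set("RoleArn", cfg.RoleARN)
	form.Set("RoleSessionName", cfg.SessionName)
	form.Set("WebIdentityToken", strings.TrimSpace(token)) // projected token files end in a newline
	endpoint := fmt.Sprintf("https://sts.%s.amazonaws.com/", cfg.Region)
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// stsCredentials mirrors the Credentials element of the STS XML response.
type stsCredentials struct {
	AccessKeyID     string    `xml:"AccessKeyId"`
	SecretAccessKey string    `xml:"SecretAccessKey"`
	SessionToken    string    `xml:"SessionToken"`
	Expiration      time.Time `xml:"Expiration"`
}

type assumeRoleResponse struct{ Credentials stsCredentials `xml:"AssumeRoleWithWebIdentityResult>Credentials"` }

// parseAssumeRoleResponse extracts the temporary credentials and rejects
// incomplete or already-expired ones instead of handing them to the signer.
func parseAssumeRoleResponse(body []byte, now time.Time) (stsCredentials, error) {
	var resp assumeRoleResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return stsCredentials{}, err
	}
	c := resp.Credentials
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return stsCredentials{}, errors.New("STS response is missing credential fields")
	}
	if !c.Expiration.After(now) {
		return stsCredentials{}, errors.New("STS credentials are already expired")
	}
	return c, nil
}

// sampleSTSResponse is a constructed response in the documented STS XML shape (not captured from AWS).
const sampleSTSResponse = `<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithWebIdentityResult><Credentials><AccessKeyId>ASIAEXAMPLEKEY</AccessKeyId>
<SecretAccessKey>examplesecret</SecretAccessKey><SessionToken>exampletoken</SessionToken>
<Expiration>2020-10-22T02:00:00Z</Expiration></Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>`

func main() {
	cfg, err := configFromEnv(os.Getenv)
	if err != nil {
		panic(err) // refuse to start without a complete IRSA environment
	}
	token, _ := os.ReadFile(cfg.TokenFile)
	req, _ := buildAssumeRoleRequest(cfg, string(token))
	fmt.Println("would POST AssumeRoleWithWebIdentity to", req.URL) // then http.DefaultClient.Do(req)
}
```

Run inside an IRSA-annotated pod and it prints the regional STS endpoint it would call; outside one it fails fast on the missing variable, which is the behaviour you want from a bundle downloader rather than silently falling back to unsigned requests.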

@RichiCoder1 force-pushed the feat/aws_web_identity branch from ea01da6 to f1b8434 on October 22, 2020 01:06
Adds support for signing S3 requests using Web Identity credentials. Specifically supports the Env Var version that's used in EKS IRSA.

Closes: open-policy-agent#2463
Signed-off-by: Richard Simpson <richardsimpson@outlook.com>
@RichiCoder1 force-pushed the feat/aws_web_identity branch from f1b8434 to 2761665 on October 22, 2020 01:07
Contributor

@patrick-east left a comment


Thanks for getting it tested out!

@patrick-east merged commit ab9e9ad into open-policy-agent:master Oct 23, 2020
@RichiCoder1 deleted the feat/aws_web_identity branch October 23, 2020 17:12
Successfully merging this pull request may close these issues.

Support EKS IRSA for Signing S3 Bundle Requests
3 participants