Introduce aws_rolesanywhere_trustanchor BundlePublisher plugin (#5048)

* Introduce the aws_rolesanywhere_trustanchor BundlePublisher plugin

* Implement and add tests for the plugin

Signed-off-by: Ajay Gupta <apg76@cornell.edu>

* Add documentation for aws_rolesanywhere_trustanchor BundlePublisher plugin

Signed-off-by: Ajay Gupta <apg76@cornell.edu>

* Apply suggestions from code review

Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: ajay1135 <32616412+ajay1135@users.noreply.github.com>

* Address comments on PR

* Only required rolesanywhere:UpdateTrustAnchor permissions (no creating
  or listing)
* Add note about how this plugin is only supported when an
  UpstreamAuthority plugin is also used
* Use ID instead of trust anchor name to identify trust anchors, as it's
  unique
* Check that certificate bundles don't exceed a length of 8000 before
  making the UpdateTrustAnchor API call
* Make corresponding changes to unit tests

Signed-off-by: Ajay Gupta <apg76@cornell.edu>

* Apply suggestions from code review

Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: ajay1135 <32616412+ajay1135@users.noreply.github.com>

---------

Signed-off-by: Ajay Gupta <apg76@cornell.edu>
Signed-off-by: ajay1135 <32616412+ajay1135@users.noreply.github.com>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

conf/server/server_full.conf

@@ -929,6 +929,26 @@ plugins {
  # # format = "spiffe"
  # }
  # }
+
+ # BundlePublisher "aws_rolesanywhere_trustanchor": A bundle publisher that puts the current trust
+ # bundle of the server in an AWS IAM Roles Anywhere trust anchor, keeping it updated.
+ # BundlePublisher "aws_rolesanywhere_trustanchor" {
+ # plugin_data {
+ # # region: AWS region to store the trust bundle. Default: "".
+ # # region = "us-east-1"
+
+ # # access_key_id: AWS access key id. Default: value of
+ # # AWS_ACCESS_KEY_ID environment variable.
+ # # access_key_id = ""
+
+ # # secret_access_key: AWS secret access key. Default: value of
+ # # AWS_SECRET_ACCESS_KEY environment variable.
+ # # secret_access_key = ""
+
+ # # trust_anchor_id: The AWS IAM Roles Anywhere trust anchor id of the trust anchor to which to put the trust bundle. Default: "".
+ # # trust_anchor_id = "153d3e58-cab5-4a59-a0a1-3febad2937c4"
+ # }
+ # }
 }
 
 # telemetry: If telemetry is desired use this section to configure the

doc/plugin_server_bundlepublisher_aws_rolesanywhere_trustanchor.md

@@ -0,0 +1,33 @@
+# Server plugin: BundlePublisher "aws_rolesanywhere_trustanchor"
+
+> [!WARNING]
+> This plugin is only supported when an UpstreamAuthority plugin is used.
+
+The `aws_rolesanywhere_trustanchor` plugin puts the current trust bundle of the server
+in a trust anchor, keeping it updated.
+
+The plugin accepts the following configuration options:
+
+| Configuration | Description | Required | Default |
+|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------|
+| access_key_id | AWS access key id. | Required only if AWS credentials aren't otherwise set in the environment. | Value of AWS_ACCESS_KEY_ID environment variable. |
+| secret_access_key | AWS secret access key. | Required only if AWS credentials aren't otherwise set in the environment. | Value of AWS_SECRET_ACCESS_KEY environment variable. |
+| region | AWS region to store the trust bundle. | Yes. | |
+| trust_anchor_id | The AWS IAM Roles Anywhere trust anchor id of the trust anchor to which to put the trust bundle. | Yes. | |
+
+## AWS IAM Permissions
+
+The user identified by the configured credentials needs to have `rolesanywhere:UpdateTrustAnchor` permissions.
+
+## Sample configuration
+
+The following configuration puts the local trust bundle contents into the `spire-trust-anchor` trust anchor and keeps it updated. The AWS credentials are obtained from the environment.
+
+```hcl
+ BundlePublisher "aws_rolesanywhere_trustanchor" {
+ plugin_data {
+ region = "us-east-1"
+ trust_anchor_id = "153d3e58-cab5-4a59-a0a1-3febad2937c4"
+ }
+ }
+```

doc/spire_server.md

@@ -16,33 +16,34 @@ This document is a configuration reference for SPIRE Server. It includes informa
 
 ## Built-in plugins
 
-| Type | Name | Description |
-|--------------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
-| DataStore | [sql](/doc/plugin_server_datastore_sql.md) | An SQL database storage for SQLite, PostgreSQL and MySQL databases for the SPIRE datastore |
-| KeyManager | [aws_kms](/doc/plugin_server_keymanager_aws_kms.md) | A key manager which manages keys in AWS KMS |
-| KeyManager | [disk](/doc/plugin_server_keymanager_disk.md) | A key manager which manages keys persisted on disk |
-| KeyManager | [memory](/doc/plugin_server_keymanager_memory.md) | A key manager which manages unpersisted keys in memory |
-| CredentialComposer | [uniqueid](/doc/plugin_server_credentialcomposer_uniqueid.md) | Adds the x509UniqueIdentifier attribute to workload X509-SVIDs. |
-| NodeAttestor | [aws_iid](/doc/plugin_server_nodeattestor_aws_iid.md) | A node attestor which attests agent identity using an AWS Instance Identity Document |
-| NodeAttestor | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
-| NodeAttestor | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
-| NodeAttestor | [join_token](/doc/plugin_server_nodeattestor_jointoken.md) | A node attestor which validates agents attesting with server-generated join tokens |
-| NodeAttestor | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
-| NodeAttestor | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
-| NodeAttestor | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
-| NodeAttestor | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md) | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate |
-| NodeAttestor | [x509pop](/doc/plugin_server_nodeattestor_x509pop.md) | A node attestor which attests agent identity using an existing X.509 certificate |
-| UpstreamAuthority | [disk](/doc/plugin_server_upstreamauthority_disk.md) | Uses a CA loaded from disk to sign SPIRE server intermediate certificates. |
-| UpstreamAuthority | [aws_pca](/doc/plugin_server_upstreamauthority_aws_pca.md) | Uses a Private Certificate Authority from AWS Certificate Manager to sign SPIRE server intermediate certificates. |
-| UpstreamAuthority | [awssecret](/doc/plugin_server_upstreamauthority_awssecret.md) | Uses a CA loaded from AWS SecretsManager to sign SPIRE server intermediate certificates. |
-| UpstreamAuthority | [gcp_cas](/doc/plugin_server_upstreamauthority_gcp_cas.md) | Uses a Private Certificate Authority from GCP Certificate Authority Service to sign SPIRE Server intermediate certificates. |
-| UpstreamAuthority | [vault](/doc/plugin_server_upstreamauthority_vault.md) | Uses a PKI Secret Engine from HashiCorp Vault to sign SPIRE server intermediate certificates. |
-| UpstreamAuthority | [spire](/doc/plugin_server_upstreamauthority_spire.md) | Uses an upstream SPIRE server in the same trust domain to obtain intermediate signing certificates for SPIRE server. |
-| UpstreamAuthority | [cert-manager](/doc/plugin_server_upstreamauthority_cert_manager.md) | Uses a referenced cert-manager Issuer to request intermediate signing certificates. |
-| Notifier | [gcs_bundle](/doc/plugin_server_notifier_gcs_bundle.md) | A notifier that pushes the latest trust bundle contents into an object in Google Cloud Storage. |
-| Notifier | [k8sbundle](/doc/plugin_server_notifier_k8sbundle.md) | A notifier that pushes the latest trust bundle contents into a Kubernetes ConfigMap. |
-| BundlePublisher | [aws_s3](/doc/plugin_server_bundlepublisher_aws_s3.md) | Publishes the trust bundle to an Amazon S3 bucket. |
-| BundlePublisher | [gcp_cloudstorage](/doc/plugin_server_bundlepublisher_gcp_cloudstorage.md) | Publishes the trust bundle to a Google Cloud Storage bucket. |
+| Type | Name | Description |
+|--------------------|--------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
+| DataStore | [sql](/doc/plugin_server_datastore_sql.md) | An SQL database storage for SQLite, PostgreSQL and MySQL databases for the SPIRE datastore |
+| KeyManager | [aws_kms](/doc/plugin_server_keymanager_aws_kms.md) | A key manager which manages keys in AWS KMS |
+| KeyManager | [disk](/doc/plugin_server_keymanager_disk.md) | A key manager which manages keys persisted on disk |
+| KeyManager | [memory](/doc/plugin_server_keymanager_memory.md) | A key manager which manages unpersisted keys in memory |
+| CredentialComposer | [uniqueid](/doc/plugin_server_credentialcomposer_uniqueid.md) | Adds the x509UniqueIdentifier attribute to workload X509-SVIDs. |
+| NodeAttestor | [aws_iid](/doc/plugin_server_nodeattestor_aws_iid.md) | A node attestor which attests agent identity using an AWS Instance Identity Document |
+| NodeAttestor | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
+| NodeAttestor | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
+| NodeAttestor | [join_token](/doc/plugin_server_nodeattestor_jointoken.md) | A node attestor which validates agents attesting with server-generated join tokens |
+| NodeAttestor | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
+| NodeAttestor | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
+| NodeAttestor | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
+| NodeAttestor | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md) | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate |
+| NodeAttestor | [x509pop](/doc/plugin_server_nodeattestor_x509pop.md) | A node attestor which attests agent identity using an existing X.509 certificate |
+| UpstreamAuthority | [disk](/doc/plugin_server_upstreamauthority_disk.md) | Uses a CA loaded from disk to sign SPIRE server intermediate certificates. |
+| UpstreamAuthority | [aws_pca](/doc/plugin_server_upstreamauthority_aws_pca.md) | Uses a Private Certificate Authority from AWS Certificate Manager to sign SPIRE server intermediate certificates. |
+| UpstreamAuthority | [awssecret](/doc/plugin_server_upstreamauthority_awssecret.md) | Uses a CA loaded from AWS SecretsManager to sign SPIRE server intermediate certificates. |
+| UpstreamAuthority | [gcp_cas](/doc/plugin_server_upstreamauthority_gcp_cas.md) | Uses a Private Certificate Authority from GCP Certificate Authority Service to sign SPIRE Server intermediate certificates. |
+| UpstreamAuthority | [vault](/doc/plugin_server_upstreamauthority_vault.md) | Uses a PKI Secret Engine from HashiCorp Vault to sign SPIRE server intermediate certificates. |
+| UpstreamAuthority | [spire](/doc/plugin_server_upstreamauthority_spire.md) | Uses an upstream SPIRE server in the same trust domain to obtain intermediate signing certificates for SPIRE server. |
+| UpstreamAuthority | [cert-manager](/doc/plugin_server_upstreamauthority_cert_manager.md) | Uses a referenced cert-manager Issuer to request intermediate signing certificates. |
+| Notifier | [gcs_bundle](/doc/plugin_server_notifier_gcs_bundle.md) | A notifier that pushes the latest trust bundle contents into an object in Google Cloud Storage. |
+| Notifier | [k8sbundle](/doc/plugin_server_notifier_k8sbundle.md) | A notifier that pushes the latest trust bundle contents into a Kubernetes ConfigMap. |
+| BundlePublisher | [aws_s3](/doc/plugin_server_bundlepublisher_aws_s3.md) | Publishes the trust bundle to an Amazon S3 bucket. |
+| BundlePublisher | [gcp_cloudstorage](/doc/plugin_server_bundlepublisher_gcp_cloudstorage.md) | Publishes the trust bundle to a Google Cloud Storage bucket. |
+| BundlePublisher | [aws_rolesanywhere_trustanchor](/doc/plugin_server_bundlepublisher_rolesanywhere_trustanchor.md) | Publishes the trust bundle to an AWS IAM Roles Anywhere trust anchor. |
 
 ## Server configuration file
 

go.mod

@@ -17,7 +17,7 @@ require (
  github.com/GoogleCloudPlatform/cloudsql-proxy v1.35.4
  github.com/Microsoft/go-winio v0.6.2
  github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129
- github.com/aws/aws-sdk-go-v2 v1.30.0
+ github.com/aws/aws-sdk-go-v2 v1.30.1
  github.com/aws/aws-sdk-go-v2/config v1.27.18
  github.com/aws/aws-sdk-go-v2/credentials v1.17.18
  github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5
@@ -27,6 +27,7 @@ require (
  github.com/aws/aws-sdk-go-v2/service/iam v1.33.0
  github.com/aws/aws-sdk-go-v2/service/kms v1.34.0
  github.com/aws/aws-sdk-go-v2/service/organizations v1.28.0
+ github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.13.1
  github.com/aws/aws-sdk-go-v2/service/s3 v1.56.0
  github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.31.0
  github.com/aws/aws-sdk-go-v2/service/sts v1.29.0
@@ -136,8 +137,8 @@ require (
  github.com/armon/go-radix v1.0.0 // indirect
  github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
  github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 // indirect
  github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
  github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.11 // indirect
  github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 // indirect