ref: use AWS's AssumeRoleProvider to refresh credentials

2025-10-19 05:41:00 +02:00 · 2018-04-17 17:33:41 +02:00 · 2018-04-17 17:33:41 +02:00 · 4dd4decf7d
commit 4dd4decf7d
parent 587b4128cb
3 changed files with 10 additions and 24 deletions
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@ -91,6 +91,7 @@ var defaultConfig = &Config{
 	GoogleProject:            "",
 	DomainFilter:             []string{},
 	AWSZoneType:              "",
 	AWSAssumeRole:            "",
 	AzureConfigFile:          "/etc/kubernetes/azure.json",
 	AzureResourceGroup:       "",
 	CloudflareProxied:        false,
@ -165,7 +166,7 @@ func (cfg *Config) ParseFlags(args []string) error {
 	app.Flag("zone-id-filter", "Filter target zones by hosted zone id; specify multiple times for multiple zones (optional)").Default("").StringsVar(&cfg.ZoneIDFilter)
 	app.Flag("google-project", "When using the Google provider, current project is auto-detected, when running on GCP. Specify other project with this. Must be specified when running outside GCP.").Default(defaultConfig.GoogleProject).StringVar(&cfg.GoogleProject)
 	app.Flag("aws-zone-type", "When using the AWS provider, filter for zones of this type (optional, options: public, private)").Default(defaultConfig.AWSZoneType).EnumVar(&cfg.AWSZoneType, "", "public", "private")
-	app.Flag("aws-assume-role", "TODO").StringVar(&cfg.AWSAssumeRole)
+	app.Flag("aws-assume-role", "When using the AWS provider, assume this IAM role. Useful for hosted zones in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123455567:role/external-dns` (optional)").Default(defaultConfig.AWSAssumeRole).StringVar(&cfg.AWSAssumeRole)
 	app.Flag("azure-config-file", "When using the Azure provider, specify the Azure configuration file (required when --provider=azure").Default(defaultConfig.AzureConfigFile).StringVar(&cfg.AzureConfigFile)
 	app.Flag("azure-resource-group", "When using the Azure provider, override the Azure resource group to use (optional)").Default(defaultConfig.AzureResourceGroup).StringVar(&cfg.AzureResourceGroup)
 	app.Flag("cloudflare-proxied", "When using the Cloudflare provider, specify if the proxy mode must be enabled (default: disabled)").BoolVar(&cfg.CloudflareProxied)
--- a/pkg/apis/externaldns/types_test.go
+++ b/pkg/apis/externaldns/types_test.go
@ -40,6 +40,7 @@ var (
 		DomainFilter:         []string{""},
 		ZoneIDFilter:         []string{""},
 		AWSZoneType:          "",
 		AWSAssumeRole:        "",
 		AzureConfigFile:      "/etc/kubernetes/azure.json",
 		AzureResourceGroup:   "",
 		CloudflareProxied:    false,
@ -74,6 +75,7 @@ var (
 		DomainFilter:         []string{"example.org", "company.com"},
 		ZoneIDFilter:         []string{"/hostedzone/ZTST1", "/hostedzone/ZTST2"},
 		AWSZoneType:          "private",
 		AWSAssumeRole:        "some-other-role",
 		AzureConfigFile:      "azure.json",
 		AzureResourceGroup:   "arg",
 		CloudflareProxied:    true,
@ -141,6 +143,7 @@ func TestParseFlags(t *testing.T) {
 				"--zone-id-filter=/hostedzone/ZTST1",
 				"--zone-id-filter=/hostedzone/ZTST2",
 				"--aws-zone-type=private",
 				"--aws-assume-role=some-other-role",
 				"--policy=upsert-only",
 				"--registry=noop",
 				"--txt-owner-id=owner-1",
@ -180,6 +183,7 @@ func TestParseFlags(t *testing.T) {
 				"EXTERNAL_DNS_DOMAIN_FILTER":          "example.org\ncompany.com",
 				"EXTERNAL_DNS_ZONE_ID_FILTER":         "/hostedzone/ZTST1\n/hostedzone/ZTST2",
 				"EXTERNAL_DNS_AWS_ZONE_TYPE":          "private",
 				"EXTERNAL_DNS_AWS_ASSUME_ROLE":        "some-other-role",
 				"EXTERNAL_DNS_POLICY":                 "upsert-only",
 				"EXTERNAL_DNS_REGISTRY":               "noop",
 				"EXTERNAL_DNS_TXT_OWNER_ID":           "owner-1",
--- a/provider/aws.go
+++ b/provider/aws.go
@ -21,10 +21,9 @@ import (
 	"strings"
 	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/kubernetes-incubator/external-dns/endpoint"
 	"github.com/kubernetes-incubator/external-dns/plan"
 	"github.com/linki/instrumented_http"
@ -84,7 +83,7 @@ type AWSProvider struct {
 func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTypeFilter ZoneTypeFilter, assumeRole string, dryRun bool) (*AWSProvider, error) {
 	config := aws.NewConfig()
-	config = config.WithHTTPClient(
+	config.WithHTTPClient(
 		instrumented_http.NewClient(config.HTTPClient, &instrumented_http.Callbacks{
 			PathProcessor: func(path string) string {
 				parts := strings.Split(path, "/")
@ -102,26 +101,8 @@ func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTy
 	}
 	if assumeRole != "" {
-		svc := sts.New(session)
+		log.Infof("Assuming role: %s", assumeRole)
-
+		config.WithCredentials(stscreds.NewCredentials(session, assumeRole))
 		params := &sts.AssumeRoleInput{
 			RoleArn:         aws.String(assumeRole),
 			RoleSessionName: aws.String("external-dns"),
 		}
 		log.Infof("Assuming role %s..", aws.StringValue(params.RoleArn))
 		resp, err := svc.AssumeRole(params)
 		if err != nil {
 			return nil, err
 		}
 		session.Config.WithCredentials(credentials.NewStaticCredentialsFromCreds(credentials.Value{
 			AccessKeyID:     aws.StringValue(resp.Credentials.AccessKeyId),
 			SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey),
 			SessionToken:    aws.StringValue(resp.Credentials.SessionToken),
 			ProviderName:    "assumeRoleProvider",
 		}))
 	}
 	provider := &AWSProvider{