feat: CSI Token Requests

Author: ThirdEyeSqueegee

README.md

@@ -35,6 +35,29 @@ helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-sto
 kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
 ```
 
+### Separate CSI Driver Installation
+
+If you install the secrets-store-csi-driver separately (not via this Helm chart), you must configure `tokenRequests` in the CSI driver for the AWS provider to authenticate with AWS services:
+
+```shell
+helm upgrade csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver \
+  --set tokenRequests[0].audience="sts.amazonaws.com" \
+  --set tokenRequests[1].audience="pods.eks.amazonaws.com"
+```
+
+Or if using kubectl, add the following to your CSIDriver manifest:
+
+```yaml
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: secrets-store.csi.k8s.io
+spec:
+  tokenRequests:
+    - audience: "sts.amazonaws.com"
+    - audience: "pods.eks.amazonaws.com"
+```
+
 ## Usage
 
 Set the region name and name of your cluster to use in the bash commands that follow:

auth/auth.go

@@ -1,9 +1,6 @@
 /*
  * Package responsible for returning an AWS SDK config with credentials
  * given an AWS region, K8s namespace, and K8s service account.
- *
- * This package requries that the K8s service account be associated with an IAM
- * role via IAM Roles for Service Accounts (IRSA).
  */
 package auth
 
@@ -13,11 +10,9 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
-	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/aws/secrets-store-csi-driver-provider-aws/credential_provider"
 
-	k8sv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/klog/v2"
 )
 
@@ -28,30 +23,27 @@ const (
 // ProviderVersion is injected at build time from the Makefile
 var ProviderVersion = "unknown"
 
-// Auth is the main entry point to retrieve an AWS config. The caller
-// initializes a new Auth object with NewAuth passing the region, namespace, pod name,
-// K8s service account and usePodIdentity flag  (and request context). The caller can then obtain AWS
-// config by calling GetAWSConfig. podIdentityHttpTimeout is used to specify the HTTP timeout used for
-// Pod Identity auth
+// Auth is the main entry point to retrieve an AWS config.
 type Auth struct {
-	region, nameSpace, svcAcc, podName, preferredAddressType, eksAddonVersion string
-	usePodIdentity                                                            bool
-	podIdentityHttpTimeout                                                    *time.Duration
-	k8sClient                                                                 k8sv1.CoreV1Interface
-	stsClient                                                                 stscreds.AssumeRoleWithWebIdentityAPIClient
+	region, nameSpace, svcAcc, preferredAddressType, eksAddonVersion string
+	roleArn                                                          string
+	usePodIdentity                                                   bool
+	podIdentityHttpTimeout                                           *time.Duration
+	serviceAccountTokens                                             string
+	stsClient                                                        *sts.Client
 }
 
 // NewAuth creates an Auth object for an incoming mount request.
 func NewAuth(
-	region, nameSpace, svcAcc, podName, preferredAddressType, eksAddonVersion string,
+	region, nameSpace, svcAcc, preferredAddressType, eksAddonVersion string,
+	roleArn string,
 	usePodIdentity bool,
 	podIdentityHttpTimeout *time.Duration,
-	k8sClient k8sv1.CoreV1Interface,
+	serviceAccountTokens string,
 ) (auth *Auth, e error) {
 	var stsClient *sts.Client
 
 	if !usePodIdentity {
-		// Get an initial config to use for STS calls when using IRSA
 		cfg, err := config.LoadDefaultConfig(context.Background(),
 			config.WithRegion(region),
 			config.WithDefaultsMode(aws.DefaultsModeStandard),
@@ -66,15 +58,14 @@ func NewAuth(
 		region:                 region,
 		nameSpace:              nameSpace,
 		svcAcc:                 svcAcc,
-		podName:                podName,
 		preferredAddressType:   preferredAddressType,
 		eksAddonVersion:        eksAddonVersion,
+		roleArn:                roleArn,
 		usePodIdentity:         usePodIdentity,
 		podIdentityHttpTimeout: podIdentityHttpTimeout,
-		k8sClient:              k8sClient,
+		serviceAccountTokens:   serviceAccountTokens,
 		stsClient:              stsClient,
 	}, nil
-
 }
 
 // getAppID returns the AppID string for User-Agent
@@ -86,11 +77,10 @@ func (p Auth) getAppID() string {
 	return ProviderName + "-" + version
 }
 
-// Get the AWS config associated with a given pod's service account.
-// The returned config is capable of automatically refreshing creds as needed
-// by using a private TokenFetcher helper.
+// GetAWSConfig returns the AWS config for the pod's service account.
 func (p Auth) GetAWSConfig(ctx context.Context) (aws.Config, error) {
 	var credProvider credential_provider.ConfigProvider
+	var err error
 
 	appID := p.getAppID()
 
@@ -99,14 +89,18 @@ func (p Auth) GetAWSConfig(ctx context.Context) (aws.Config, error) {
 		if p.podIdentityHttpTimeout != nil {
 			klog.Infof("Using custom Pod Identity timeout: %v", *p.podIdentityHttpTimeout)
 		}
-		var err error
-		credProvider, err = credential_provider.NewPodIdentityCredentialProvider(p.region, p.nameSpace, p.svcAcc, p.podName, p.preferredAddressType, p.podIdentityHttpTimeout, appID, p.k8sClient)
-		if err != nil {
-			return aws.Config{}, err
-		}
+		credProvider, err = credential_provider.NewPodIdentityCredentialProvider(
+			p.region, p.preferredAddressType, p.podIdentityHttpTimeout, appID, p.serviceAccountTokens,
+		)
 	} else {
 		klog.Infof("Using IAM Roles for Service Accounts for authentication in namespace: %s, service account: %s", p.nameSpace, p.svcAcc)
-		credProvider = credential_provider.NewIRSACredentialProvider(p.stsClient, p.region, p.nameSpace, p.svcAcc, appID, p.k8sClient)
+		credProvider, err = credential_provider.NewIRSACredentialProvider(
+			p.stsClient, p.region, p.roleArn, appID, p.serviceAccountTokens,
+		)
+	}
+
+	if err != nil {
+		return aws.Config{}, err
 	}
 
 	return credProvider.GetAWSConfig(ctx)