Skip to content
Snippets Groups Projects
Commit 11fe320f authored by Stan Hu's avatar Stan Hu
Browse files

Support instance profiles for IAM role for Amazon EKS integration

Admins can omit static credentials and rely on instance profiles
attached to an IAM role to retrieve temporary credentials.

Relates to #291015
parent a3c102b8
No related branches found
No related tags found
1 merge request!49212Support instance profiles for IAM role for Amazon EKS integration
......@@ -370,11 +370,11 @@ def self.repository_storages_weighted_attributes
validates :eks_access_key_id,
length: { in: 16..128 },
if: :eks_integration_enabled?
if: -> (setting) { setting.eks_integration_enabled? && setting.eks_access_key_id.present? }
validates :eks_secret_access_key,
presence: true,
if: :eks_integration_enabled?
if: -> (setting) { setting.eks_integration_enabled? && setting.eks_access_key_id.present? }
validates_with X509CertificateCredentialsValidator,
certificate: :external_auth_client_cert,
......
......@@ -30,10 +30,17 @@ def execute
attr_reader :provider, :region
def client
::Aws::STS::Client.new(credentials: gitlab_credentials, region: region)
::Aws::STS::Client.new(**client_args)
end
def client_args
{ region: region, credentials: gitlab_credentials }.compact
end
def gitlab_credentials
# These are not needed for IAM instance profiles
return unless access_key_id.present? && secret_access_key.present?
::Aws::Credentials.new(access_key_id, secret_access_key)
end
......
......@@ -24,8 +24,13 @@
.form-group
= f.label :eks_access_key_id, 'Access key ID', class: 'label-bold'
= f.text_field :eks_access_key_id, class: 'form-control'
.form-text.text-muted
= _('AWS Access Key. Only required if not using role instance credentials')
.form-group
= f.label :eks_secret_access_key, 'Secret access key', class: 'label-bold'
= f.password_field :eks_secret_access_key, autocomplete: 'off', class: 'form-control'
.form-text.text-muted
= _('AWS Secret Access Key. Only required if not using role instance credentials')
= f.submit 'Save changes', class: "gl-button btn btn-success"
---
title: Support instance profiles for IAM role for Amazon EKS integration
merge_request: 49212
author:
type: added
......@@ -259,7 +259,18 @@
it { is_expected.to allow_value('access-key-id-12').for(:eks_access_key_id) }
it { is_expected.not_to allow_value('a' * 129).for(:eks_access_key_id) }
it { is_expected.not_to allow_value('short-key').for(:eks_access_key_id) }
it { is_expected.not_to allow_value(nil).for(:eks_access_key_id) }
it { is_expected.to allow_value(nil).for(:eks_access_key_id) }
it { is_expected.to allow_value('secret-access-key').for(:eks_secret_access_key) }
it { is_expected.to allow_value(nil).for(:eks_secret_access_key) }
end
context 'access key is specified' do
let(:eks_enabled) { true }
before do
setting.eks_access_key_id = '123456789012'
end
it { is_expected.to allow_value('secret-access-key').for(:eks_secret_access_key) }
it { is_expected.not_to allow_value(nil).for(:eks_secret_access_key) }
......
......@@ -81,5 +81,40 @@
expect { subject }.to raise_error(described_class::MissingRoleError, 'AWS provisioning role not configured')
end
end
context 'with an instance profile attached to an IAM role' do
let(:sts_client) { Aws::STS::Client.new(region: region, stub_responses: true) }
let(:provision_role) { create(:aws_role, user: user, region: 'custom-region') }
before do
stub_application_setting(eks_access_key_id: nil)
stub_application_setting(eks_secret_access_key: nil)
expect(Aws::STS::Client).to receive(:new)
.with(region: region)
.and_return(sts_client)
expect(Aws::AssumeRoleCredentials).to receive(:new)
.with(
client: sts_client,
role_arn: provision_role.role_arn,
role_session_name: session_name,
external_id: provision_role.role_external_id,
policy: session_policy
).and_call_original
end
context 'provider is specified' do
let(:region) { provider.region }
let(:session_name) { "gitlab-eks-cluster-#{provider.cluster_id}-user-#{user.id}" }
let(:session_policy) { nil }
it 'returns credentials' do
expect(subject.access_key_id).to be_present
expect(subject.secret_access_key).to be_present
expect(subject.session_token).to be_present
end
end
end
end
end
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment