[8.19] Backport AWS cloud connectors credential helper (#48956)#49956
olegsu wants to merge 12 commits into elastic:8.19
Conversation
cc @andrewkroh need your help to add team label pls
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
Update: using a custom agentless image (with these changes) seems to work on 8.19. I will continue to test it today and update, please do not merge yet
Backports the cloud connectors AWS implementation and the combined
External ID improvement from main to the 8.19 branch.
The cloud connectors flow enables agentless AWS integrations via a
2-step role chaining:
1. Assume the Elastic Global Role using a web identity token (OIDC)
2. Assume the customer's remote role using the combined External ID
(resourceID-externalIDPart) instead of separate ExternalID and
SourceIdentity fields, allowing remote trust policies to scope
access by specific cloud resources.
Adds UseCloudConnectors bool to ConfigAWS, the cloud_connectors.go
implementation, and full test coverage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cherry-picks x-pack/libbeat/common/aws/signer.go (new), x-pack/libbeat/common/aws/signer_test.go (new), x-pack/filebeat/input/httpjson/config_auth.go (auth.aws field added), x-pack/filebeat/input/httpjson/input.go (AWS SigV4 transport wiring), x-pack/filebeat/input/httpjson/input_test.go from main commit c1883b5. CEL input changes are excluded (httpjson-only backport). Original PR: elastic#47260
…tic#47712) Cherry-picks signer.go and signer_test.go fixes from main commit 183016c. Original PR: elastic#47712
973bab3 to 9d7af01
Fixes 11 lint issues triggered by the auth.aws backport:
- signer_test.go: EqualValues -> Equal (testifylint)
- input.go: %v -> %w in errorf (errorlint); //nolint for pre-existing net.DialTimeout, paths.Resolve, net.Dial (noctx/forbidigo)
- input_test.go: _, _ = for unchecked io.ReadAll/w.Write (errcheck); //nolint for pre-existing logp.TestingSetup (staticcheck), logp.NewLogger (forbidigo), val.(string) type assertion (errcheck)
- config_auth.go: //nolint for pre-existing google.CredentialsFromJSON deprecation (staticcheck)
Pre-existing issues use //nolint directives to avoid churn; only newly introduced code is fixed substantively.
Log auth config state (nil/enabled/fields) in run() and newHTTPClient() to diagnose 403 Missing Authentication Token errors. Log credential resolution path and per-request signing in SignerTransport.
    # REQUIRED for all kinds
    # Change summary; a 80ish characters long description of the change.
    summary: Add AWS auth method for CEL and HTTP JSON inputs.
We are missing the CEL changes from #47260 (on my first review I assumed those changes were going to be back-ported on a separate PR).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cherry-picks CEL input changes excluded from the original httpjson-only backport: x-pack/filebeat/input/cel/config_auth.go, x-pack/filebeat/input/cel/input.go, x-pack/filebeat/input/cel/input_test.go from main commit c1883b5. Original PR: elastic#47260 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add required explanations to all //nolint directives added by the auth.aws backport, and suppress the pre-existing staticcheck deprecation warning in cel/config_auth.go. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CI uses --whole-files so touching these files surfaces all pre-existing issues. Add nolint directives with explanations for:
- errcheck: type assertions src.(*source) (check-type-assertions:true)
- errcheck: unchecked w.Write/io.ReadAll/enc.Encode in test handlers
- forbidigo: paths.Resolve and logp.NewLogger
- noctx: net.Dial (unix socket) and net.DialTimeout
- nolintlint: remove unused directive before tokenAuthHandler
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
I ran a complete test today on 2 integrations with many changes to verify the expected behavior. I also used a local package of the changes in the aws integration, thanks @seanrathier!
Test Matrix
Thanks for doing the end-to-end test with all the commits together, that's really valuable for validating that the pieces work as a whole on 8.19. I compared every file in this PR against the corresponding file on main and found that the core AWS code (cloud_connectors.go, cloud_connectors_test.go, signer.go, signer_test.go, credentials_test.go) is identical to main, which is great.
However, the input files (cel and httpjson) have accumulated tens of nolint directives, a %v vs %w error wrapping fix, _, _ = errcheck suppressions, and a new package comment on cel/input.go that don't exist on main. These were needed because golangci-lint's --whole-files mode flagged pre-existing issues when the backport touched these files.
The lint CI checks are not mandatory for merging, so these extra changes shouldn't be included in a backport; they make it difficult to verify that the already-reviewed code from main is still functionally the same.
I'd recommend merging these as separate backport PRs, one per source PR, using the original merge commits:
c1883b58ff # #47260 - AWS auth method
183016ce92 # #47712 - signer fix
f909d4fb70 # #48956 - combined External ID
The standard way to do this is the Mergify backport command (@mergifyio backport 8.19) on each original PR. This produces one backport PR per source PR, making each independently verifiable. If any cherry-pick has a merge conflict, the resolution is scoped to that PR and easy to review.
Any pre-existing lint issues surfaced by --whole-files should be left alone; the lint CI is advisory and won't block the merge. If there are real lint issues worth fixing, those should go to main first as an isolated PR and then be backported independently. This preserves the invariant that main is always a superset of release branches.
Thanks for the review @andrewkroh. I will start with the suggested approach and will close this PR at the end
Closing now as all cherry-pick backports merged
Context
We want to migrate integrations to use var_groups (elastic/integrations#16985). The backport allows us to continue supporting the 8.19 version and any future changes as well.
Summary
Manual backport of #48956 to the 8.19 branch.
Adds AWS cloud connectors credential helper support — a two-step STS role-chaining flow for OIDC/JWT-based federation used by the agentless controller:
1. AssumeRoleWithWebIdentity using an ID token file (Elastic global role)
2. AssumeRole using the intermediate credentials (customer role)
Changes
- x-pack/libbeat/common/aws/cloud_connectors.go — new credential helper implementing the chain
- x-pack/libbeat/common/aws/cloud_connectors_test.go — unit tests for the helper
- x-pack/libbeat/common/aws/credentials.go — wire in cloud connectors path via UseCloudConnectors config flag
- x-pack/libbeat/common/aws/credentials_test.go — integration smoke test
🤖 Generated with Claude Code