grpc: Add AWS IAM grpc credentials extension

api/envoy/config/grpc_credential/v2alpha/BUILD

@@ -2,6 +2,16 @@ licenses(["notice"])  # Apache 2
 
 load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library_internal")
 
+api_proto_library_internal(
+    name = "aws_iam",
+    srcs = ["aws_iam.proto"],
+)
+
+api_go_proto_library(
+    name = "aws_iam",
+    proto = ":aws_iam",
+)
+
 api_proto_library_internal(
     name = "file_based_metadata",
     srcs = ["file_based_metadata.proto"],

api/envoy/config/grpc_credential/v2alpha/aws_iam.proto

@@ -0,0 +1,26 @@
+syntax = "proto3";
+
+// [#protodoc-title: Grpc Credentials AWS IAM]
+// Configuration for AWS IAM Grpc Credentials Plugin
+
+package envoy.config.grpc_credential.v2alpha;
+option java_package = "io.envoyproxy.envoy.config.grpc_credential.v2alpha";
+option java_multiple_files = true;
+option go_package = "v2alpha";
+
+import "validate/validate.proto";
+
+message AwsIamConfig {
+  // The `service namespace
+  // <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces>`_
+  // of the Grpc endpoint.
+  //
+  // Example: appmesh
+  string service_name = 1 [(validate.rules).string.min_bytes = 1];
+
+  // The `region <https://docs.aws.amazon.com/general/latest/gr/rande.html>`_ hosting the Grpc
+  // endpoint.
+  //
+  // Example: us-west-2
+  string region = 2;
+}

docs/root/intro/version_history.rst

@@ -8,6 +8,7 @@ Version history
 * config: removed deprecated_v1 sds_config from :ref:`Bootstrap config <config_overview_v2_bootstrap>`.
 * config: removed REST_LEGACY as a valid :ref:`ApiType <envoy_api_field_core.ApiConfigSource.api_type>`.
 * cors: added :ref:`filter_enabled & shadow_enabled RuntimeFractionalPercent flags <cors-runtime>` to filter.
+* grpc: added AWS IAM grpc credentials extension for AWS-managed xDS.
 * http: added new grpc_http1_reverse_bridge filter for converting gRPC requests into HTTP/1.1 requests.
 * tls: enabled TLS 1.3 on the server-side (non-FIPS builds).
 

include/envoy/grpc/BUILD

@@ -37,6 +37,7 @@ envoy_cc_library(
         "grpc",
     ],
     deps = [
+        "//include/envoy/api:api_interface",
         "@envoy_api//envoy/api/v2/core:grpc_service_cc",
     ],
 )

include/envoy/grpc/google_grpc_creds.h

@@ -2,6 +2,7 @@
 
 #include <memory>
 
+#include "envoy/api/api.h"
 #include "envoy/api/v2/core/grpc_service.pb.h"
 #include "envoy/common/pure.h"
 
@@ -10,6 +11,15 @@
 namespace Envoy {
 namespace Grpc {
 
+class GoogleGrpcCredentialsFactoryContext {
+public:
+  virtual ~GoogleGrpcCredentialsFactoryContext() = default;
+
+  virtual Api::Api& api() PURE;
+
+  virtual Event::TimeSystem& timeSystem() PURE;
+};
+
 /**
  * Interface for all Google gRPC credentials factories.
  */
@@ -25,11 +35,13 @@ class GoogleGrpcCredentialsFactory {
    * CompositeCallCredentials to combine multiple credentials.
    *
    * @param grpc_service_config contains configuration options
+   * @param context provides the factory's context
    * @return std::shared_ptr<grpc::ChannelCredentials> to be used to authenticate a Google gRPC
    * channel.
    */
   virtual std::shared_ptr<grpc::ChannelCredentials>
-  getChannelCredentials(const envoy::api::v2::core::GrpcService& grpc_service_config) PURE;
+  getChannelCredentials(const envoy::api::v2::core::GrpcService& grpc_service_config,
+                        GoogleGrpcCredentialsFactoryContext& context) PURE;
 
   /**
    * @return std::string the identifying name for a particular implementation of

source/common/aws/BUILD

@@ -0,0 +1,99 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "signer_lib",
+    hdrs = ["signer.h"],
+    deps = [
+        "//include/envoy/http:message_interface",
+    ],
+)
+
+envoy_cc_library(
+    name = "signer_impl_lib",
+    srcs = ["signer_impl.cc"],
+    hdrs = ["signer_impl.h"],
+    external_deps = ["ssl"],
+    deps = [
+        ":credentials_provider_lib",
+        ":region_provider_lib",
+        ":signer_lib",
+        "//source/common/buffer:buffer_lib",
+        "//source/common/common:assert_lib",
+        "//source/common/common:hex_lib",
+        "//source/common/common:logger_lib",
+        "//source/common/common:stack_array",
+        "//source/common/common:utility_lib",
+        "//source/common/http:headers_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "credentials_provider_lib",
+    hdrs = ["credentials_provider.h"],
+    external_deps = ["abseil_optional"],
+)
+
+envoy_cc_library(
+    name = "credentials_provider_impl_lib",
+    srcs = [
+        "credentials_provider_impl.cc",
+    ],
+    hdrs = [
+        "credentials_provider_impl.h",
+    ],
+    deps = [
+        ":credentials_provider_lib",
+        ":metadata_fetcher_impl_lib",
+        "//source/common/common:lock_guard_lib",
+        "//source/common/common:logger_lib",
+        "//source/common/common:utility_lib",
+        "//source/common/json:json_loader_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "metadata_fetcher_lib",
+    hdrs = ["metadata_fetcher.h"],
+    external_deps = ["abseil_optional"],
+    deps = ["//include/envoy/event:dispatcher_interface"],
+)
+
+envoy_cc_library(
+    name = "metadata_fetcher_impl_lib",
+    srcs = ["metadata_fetcher_impl.cc"],
+    hdrs = ["metadata_fetcher_impl.h"],
+    external_deps = ["grpc"],
+    deps = [
+        ":metadata_fetcher_lib",
+        "//include/envoy/event:dispatcher_interface",
+        "//include/envoy/http:header_map_interface",
+        "//include/envoy/network:transport_socket_interface",
+        "//source/common/common:logger_lib",
+        "//source/common/http/http1:codec_lib",
+        "//source/common/network:filter_lib",
+        "//source/common/network:raw_buffer_socket_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "region_provider_lib",
+    hdrs = ["region_provider.h"],
+)
+
+envoy_cc_library(
+    name = "region_provider_impl_lib",
+    srcs = ["region_provider_impl.cc"],
+    hdrs = ["region_provider_impl.h"],
+    deps = [
+        ":region_provider_lib",
+        "//source/common/common:logger_lib",
+    ],
+)

source/common/aws/credentials_provider.h

@@ -0,0 +1,61 @@
+#pragma once
+
+#include <string>
+
+#include "envoy/common/pure.h"
+
+#include "absl/types/optional.h"
+
+namespace Envoy {
+namespace Aws {
+namespace Auth {
+
+class Credentials {
+public:
+  Credentials() = default;
+  ~Credentials() = default;
+
+  Credentials(const std::string& access_key_id, const std::string& secret_access_key)
+      : access_key_id_(access_key_id), secret_access_key_(secret_access_key) {}
+
+  Credentials(const std::string& access_key_id, const std::string& secret_access_key,
+              const std::string& session_token)
+      : access_key_id_(access_key_id), secret_access_key_(secret_access_key),
+        session_token_(session_token) {}
+
+  void setAccessKeyId(const std::string& access_key_id) {
+    access_key_id_ = absl::optional<std::string>(access_key_id);
+  }
+
+  const absl::optional<std::string>& accessKeyId() const { return access_key_id_; }
+
+  void setSecretAccessKey(const std::string& secret_key) {
+    secret_access_key_ = absl::optional<std::string>(secret_key);
+  }
+
+  const absl::optional<std::string>& secretAccessKey() const { return secret_access_key_; }
+
+  void setSessionToken(const std::string& session_token) {
+    session_token_ = absl::optional<std::string>(session_token);
+  }
+
+  const absl::optional<std::string>& sessionToken() const { return session_token_; }
+
+private:
+  absl::optional<std::string> access_key_id_;
+  absl::optional<std::string> secret_access_key_;
+  absl::optional<std::string> session_token_;
+};
+
+class CredentialsProvider {
+public:
+  virtual ~CredentialsProvider() = default;
+
+  virtual Credentials getCredentials() PURE;
+};
+
+typedef std::shared_ptr<CredentialsProvider> CredentialsProviderSharedPtr;
+
+} // namespace Auth
+} // namespace Aws
+} // namespace Envoy