Skip to content

grpc: Add AWS IAM grpc credentials extension #5546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 8 commits into from
Closed

grpc: Add AWS IAM grpc credentials extension #5546

wants to merge 8 commits into from

Conversation

lavignes
Copy link
Member

@lavignes lavignes commented Jan 8, 2019

grpc: Add AWS IAM grpc credentials extension

Description: As part of leveraging Envoy in AWS App Mesh, we implemented a gRPC credentials extension that uses AWS IAM auth. Our original implementation added a dependency on the AWS SDK and libcurl to Envoy. This implementation leverages components within Envoy to fetch credentials from various sources and sign xDS requests for communicating with our App Mesh envoy management server. There are a few more details in #5215.
The request signer and credential providers themselves are reusable components that could be used to implement other extensions that need to authenticate with AWS services.
Risk Level: Medium
Testing: Added unit tests, + manual testing. Planning to add an integration test on the extension.
Docs Changes: Added in new protos.
Release Notes: Added line about added extension.

@lavignes
grpc: add context to grpc credentials factory
561b1fd 
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
@lavignes
Add AWS Sigv4 signer
7f1d1e1 
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
@lavignes
grpc: Add AWS IAM grpc credentials extension
7d3727d 
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
@lavignes
docs: added version-history line
35e84a1 
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
@lavignes
Add external dep on signer
b53c163 
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
@lavignes
grpc: Fix google async client tests
d18c246 
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
@lavignes
Fix visibility for aws auth tests
e5a09f6 
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
@lavignes
Potentially fix macOS build
f57e081 
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
@htuch htuch self-assigned this Jan 9, 2019
@htuch
Copy link
Member

htuch commented Jan 9, 2019

@lavignes thanks for this contribution. I have two high level structural comments before diving into the detail:

  1. Does source/common/aws belong in extensions instead, given this is a gRPC credential extension?
  2. The PR is a great WiP and reference, but for review I'd like this to be broken down into separate PRs. Small PRs are great for all the usual reasons, we'll be able to merge your code faster, review faster and be happier as maintainers if we can do that. Can you propose a patch series to make this happen?

@htuch
Copy link
Member

htuch commented Jan 9, 2019

Also, quick aside; we're about to gain libcurl as a transitive dependency necessary for OpenCensus, see #5387.

@ggreenway
Copy link
Member

Does source/common/aws belong in extensions instead, given this is a gRPC credential extension?

+1 to this. This should definitely live in extentions, with appropriate interfaces for common code to use it.

@lavignes
Copy link
Member Author

@htuch

Does source/common/aws belong in extensions instead, given this is a gRPC credential extension?

This is a result of the earlier version of this code. We had to make changes to Main to initialize the AWS SDK. Easy enough to move to source/extensions. I think there is potential to use some of these classes outside of just this extension. So that was also part of the reasoning.

I'd like this to be broken down into separate PRs... Can you propose a patch series to make this happen?

Yeah. I honestly didn't realize how big this got until I was preparing the PR. I totally agree. How about:

  1. PR for adding the AWS signer impl and the interfaces of its dependencies.
  2. PR for the AWS IAM credential provider impls and the interface for the HTTP client.
  3. PR for the HTTP client impl. Im definitely interested in using curl if possible.
  4. PR for the actual AWS IAM grpc creds extension

?

@htuch
Copy link
Member

htuch commented Jan 11, 2019

@htuch

Does source/common/aws belong in extensions instead, given this is a gRPC credential extension?

This is a result of the earlier version of this code. We had to make changes to Main to initialize the AWS SDK. Easy enough to move to source/extensions. I think there is potential to use some of these classes outside of just this extension. So that was also part of the reasoning.

There are common directories under source/extensions that might suit this if you want to reuse across extensions, e.g. you could have source/extensions/filters/http/common/aws for cross-extension common code.

I'd like this to be broken down into separate PRs... Can you propose a patch series to make this happen?

Yeah. I honestly didn't realize how big this got until I was preparing the PR. I totally agree. How about:

  1. PR for adding the AWS signer impl and the interfaces of its dependencies.
  2. PR for the AWS IAM credential provider impls and the interface for the HTTP client.
  3. PR for the HTTP client impl. Im definitely interested in using curl if possible.
  4. PR for the actual AWS IAM grpc creds extension

?

This seems a reasonable breakdown, thanks.

As an aside, I'm curious if you folks through about making the Envoy independent parts a standalone library that other projects could consume (who don't need the full AWS SDK). The upside if you do that is you don't need us to review that code and get more reuse ;) OTOH, it seems reasonably scoped for an extension if it's not going to grow a ton, so happy to review as is.

@lavignes lavignes mentioned this pull request Jan 12, 2019
Merged
@lavignes lavignes closed this Jan 14, 2019
htuch pushed a commit that referenced this pull request Jan 23, 2019
@lavignes @htuch
Add AWS http request signer (#5580)
040acac 
As part of leveraging Envoy in AWS App Mesh, we implemented a gRPC credentials extension that uses AWS IAM auth. To be able to use authenticate gRPC requests with AWS IAM credentials, we needed to add a code to Envoy to sign HTTP requests. More high-level details in #5215.

I opened up a prior PR: #5546 which was admittedly too large and unwieldy. This is part 1 of a series of smaller patches needed to add our gRPC authentication extension to Envoy.

Risk Level: Low
Testing: Unit tests for this API. This has also been verified to work when communicating with App Mesh.

Signed-off-by: Scott LaVigne <lavignes@amazon.com>
danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Jan 24, 2019
@lavignes @htuch
Add AWS http request signer (envoyproxy#5580)
7294367 
As part of leveraging Envoy in AWS App Mesh, we implemented a gRPC credentials extension that uses AWS IAM auth. To be able to use authenticate gRPC requests with AWS IAM credentials, we needed to add a code to Envoy to sign HTTP requests. More high-level details in envoyproxy#5215.

I opened up a prior PR: envoyproxy#5546 which was admittedly too large and unwieldy. This is part 1 of a series of smaller patches needed to add our gRPC authentication extension to Envoy.

Risk Level: Low
Testing: Unit tests for this API. This has also been verified to work when communicating with App Mesh.

Signed-off-by: Scott LaVigne <lavignes@amazon.com>

Signed-off-by: Dan Zhang <danzh@google.com>
danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Jan 31, 2019
@lavignes @danzh1989
Add AWS http request signer (envoyproxy#5580)
6fcdb99 
As part of leveraging Envoy in AWS App Mesh, we implemented a gRPC credentials extension that uses AWS IAM auth. To be able to use authenticate gRPC requests with AWS IAM credentials, we needed to add a code to Envoy to sign HTTP requests. More high-level details in envoyproxy#5215.

I opened up a prior PR: envoyproxy#5546 which was admittedly too large and unwieldy. This is part 1 of a series of smaller patches needed to add our gRPC authentication extension to Envoy.

Risk Level: Low
Testing: Unit tests for this API. This has also been verified to work when communicating with App Mesh.

Signed-off-by: Scott LaVigne <lavignes@amazon.com>

Signed-off-by: Scott LaVigne <1406859+lavignes@users.noreply.github.com>
@lavignes lavignes mentioned this pull request Feb 13, 2019
Closed
fredlas pushed a commit to fredlas/envoy that referenced this pull request Mar 5, 2019
@lavignes @fredlas
Add AWS http request signer (envoyproxy#5580)
4bec260 
As part of leveraging Envoy in AWS App Mesh, we implemented a gRPC credentials extension that uses AWS IAM auth. To be able to use authenticate gRPC requests with AWS IAM credentials, we needed to add a code to Envoy to sign HTTP requests. More high-level details in envoyproxy#5215.

I opened up a prior PR: envoyproxy#5546 which was admittedly too large and unwieldy. This is part 1 of a series of smaller patches needed to add our gRPC authentication extension to Envoy.

Risk Level: Low
Testing: Unit tests for this API. This has also been verified to work when communicating with App Mesh.

Signed-off-by: Scott LaVigne <lavignes@amazon.com>
Signed-off-by: Fred Douglas <fredlas@google.com>
@yuval-k yuval-k mentioned this pull request Apr 16, 2019
Closed
@ivitjuk ivitjuk mentioned this pull request Jun 5, 2019
Merged
@ivitjuk ivitjuk mentioned this pull request Jul 8, 2019
Merged
@lavignes lavignes mentioned this pull request Jan 20, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@htuch htuch

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lavignes @htuch @ggreenway