
Adding session tags & transitive tags to SecretStore definition (#2372)

* feat: added session tag capability to assume role

modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to expect session tags and transitive tags structs
modified pkg/provider/aws/auth/auth.go to pass session tags if they exist

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* fix: make build errors (JSON serialization error)

modified apis/externalsecrets/v1beta1/secretstore_aws_types.go to include a new custom struct (Tag) used with SessionTags instead of []*sts.Tag
modified pkg/provider/aws/auth/auth.go to convert custom Tag struct to sts.Tag before passing to assume role API call

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* removed unnecessary commented out code

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 (#2366)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.6.0...v4.6.1)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* :books: Update stability-support.md (#2363)

Staring 0.82, IBM Cloud Secrets Manager supports fetching secrets by name as well as ID.

Signed-off-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* feat: ran make reviewable tasks (except for docs)

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

* refactor: made addition of TransitiveTagKeys to setAssumeRoleOptions dependent on the presence of SessionTags. So if a user includes Transitive Tags in the SecretStore definition without Session Tags, the tags get ignored

Signed-off-by: Nima Fotouhi <fotouhi@live.com>

---------

Signed-off-by: Nima Fotouhi <fotouhi@live.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Idan Adar <iadar@il.ibm.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
Nima Fotouhi 2 years ago
parent
commit
e7799e757a

+ 13 - 0
apis/externalsecrets/v1beta1/secretstore_aws_types.go

@@ -62,6 +62,11 @@ const (
 	AWSServiceParameterStore AWSServiceType = "ParameterStore"
 )
 
+type Tag struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
 // AWSProvider configures a store to sync secrets with AWS.
 type AWSProvider struct {
 	// Service defines which service should be used to fetch the secrets
@@ -86,4 +91,12 @@ type AWSProvider struct {
 
 	// AWS External ID set on assumed IAM roles
 	ExternalID string `json:"externalID,omitempty"`
+
+	// AWS STS assume role session tags
+	// +optional
+	SessionTags []*Tag `json:"sessionTags,omitempty"`
+
+	// AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore
+	// +optional
+	TransitiveTagKeys []*string `json:"transitiveTagKeys,omitempty"`
 }
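Review bot: The new exported `Tag` type at the top of the first hunk has no doc comment, and the `TransitiveTagKeys` comment in the second hunk says "multiple rules" where role chaining is presumably meant. Suggest `// Tag is a key/value pair sent to STS as a session tag when the configured role is assumed.` above the struct, and rewording the field comment to `// Keys of session tags to mark as transitive so they are passed on when this role is chained into further roles (STS TransitiveTagKeys).` Because these values are sent to STS and can be referenced by IAM policies, a kubebuilder length marker on Key and Value would let the API server reject values STS will refuse anyway; the exact limits should be taken from the STS documentation rather than assumed here. AWSProvider's definition continues outside the hunk.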

+ 37 - 0
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -101,6 +101,28 @@ func (in *AWSProvider) DeepCopyInto(out *AWSProvider) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.SessionTags != nil {
+		in, out := &in.SessionTags, &out.SessionTags
+		*out = make([]*Tag, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(Tag)
+				**out = **in
+			}
+		}
+	}
+	if in.TransitiveTagKeys != nil {
+		in, out := &in.TransitiveTagKeys, &out.TransitiveTagKeys
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSProvider.
@@ -1923,6 +1945,21 @@ func (in *SourceRef) DeepCopy() *SourceRef {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Tag) DeepCopyInto(out *Tag) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tag.
+func (in *Tag) DeepCopy() *Tag {
+	if in == nil {
+		return nil
+	}
+	out := new(Tag)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TemplateFrom) DeepCopyInto(out *TemplateFrom) {
 	*out = *in
 	if in.ConfigMap != nil {

+ 19 - 0
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -2057,6 +2057,25 @@ spec:
                         - SecretsManager
                         - ParameterStore
                         type: string
+                      sessionTags:
+                        description: AWS STS assume role session tags
+                        items:
+                          properties:
+                            key:
+                              type: string
+                            value:
+                              type: string
+                          required:
+                          - key
+                          - value
+                          type: object
+                        type: array
+                      transitiveTagKeys:
+                        description: AWS STS assume role transitive session tags.
+                          Required when multiple rules are used with SecretStore
+                        items:
+                          type: string
+                        type: array
                     required:
                     - region
                     - service

+ 19 - 0
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -2057,6 +2057,25 @@ spec:
                         - SecretsManager
                         - ParameterStore
                         type: string
+                      sessionTags:
+                        description: AWS STS assume role session tags
+                        items:
+                          properties:
+                            key:
+                              type: string
+                            value:
+                              type: string
+                          required:
+                          - key
+                          - value
+                          type: object
+                        type: array
+                      transitiveTagKeys:
+                        description: AWS STS assume role transitive session tags.
+                          Required when multiple rules are used with SecretStore
+                        items:
+                          type: string
+                        type: array
                     required:
                     - region
                     - service

+ 36 - 0
deploy/crds/bundle.yaml

@@ -1948,6 +1948,24 @@ spec:
                             - SecretsManager
                             - ParameterStore
                           type: string
+                        sessionTags:
+                          description: AWS STS assume role session tags
+                          items:
+                            properties:
+                              key:
+                                type: string
+                              value:
+                                type: string
+                            required:
+                              - key
+                              - value
+                            type: object
+                          type: array
+                        transitiveTagKeys:
+                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore
+                          items:
+                            type: string
+                          type: array
                       required:
                         - region
                         - service
@@ -5524,6 +5542,24 @@ spec:
                             - SecretsManager
                             - ParameterStore
                           type: string
+                        sessionTags:
+                          description: AWS STS assume role session tags
+                          items:
+                            properties:
+                              key:
+                                type: string
+                              value:
+                                type: string
+                            required:
+                              - key
+                              - value
+                            type: object
+                          type: array
+                        transitiveTagKeys:
+                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore
+                          items:
+                            type: string
+                          type: array
                       required:
                         - region
                         - service

+ 60 - 0
docs/api/spec.md

@@ -241,6 +241,32 @@ string
 <p>AWS External ID set on assumed IAM roles</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>sessionTags</code></br>
+<em>
+<a href="#external-secrets.io/v1beta1.*github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1.Tag">
+[]*github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1.Tag
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>AWS STS assume role session tags</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>transitiveTagKeys</code></br>
+<em>
+[]*string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1beta1.AWSServiceType">AWSServiceType
@@ -5102,6 +5128,40 @@ GeneratorRef
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1beta1.Tag">Tag
+</h3>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>key</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>value</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="external-secrets.io/v1beta1.TemplateEngineVersion">TemplateEngineVersion
 (<code>string</code> alias)</p></h3>
 <p>

+ 20 - 4
pkg/provider/aws/auth/auth.go

@@ -127,13 +127,29 @@ func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client,
 	}
 
 	sessExtID := prov.ExternalID
+	sessTransitiveTagKeys := prov.TransitiveTagKeys
+	sessTags := make([]*sts.Tag, len(prov.SessionTags))
+	for i, tag := range prov.SessionTags {
+		sessTags[i] = &sts.Tag{
+			Key:   aws.String(tag.Key),
+			Value: aws.String(tag.Value),
+		}
+	}
 	if prov.Role != "" {
 		stsclient := assumeRoler(sess)
-		if sessExtID != "" {
-			var setExternalID = func(p *stscreds.AssumeRoleProvider) {
-				p.ExternalID = aws.String(sessExtID)
+		if sessExtID != "" || sessTags != nil {
+			var setAssumeRoleOptions = func(p *stscreds.AssumeRoleProvider) {
+				if sessExtID != "" {
+					p.ExternalID = aws.String(sessExtID)
+				}
+				if sessTags != nil {
+					p.Tags = sessTags
+					if len(sessTransitiveTagKeys) > 0 {
+						p.TransitiveTagKeys = sessTransitiveTagKeys
+					}
+				}
 			}
-			sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, prov.Role, setExternalID))
+			sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, prov.Role, setAssumeRoleOptions))
 		} else {
 			sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, prov.Role))
 		}
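Review bot: `sessTags` is built with `make`, so it is never nil and the new `sessTags != nil` test on the changed `if` is always true: the `else` branch is now dead code and `p.Tags` is always assigned, as an empty slice when no session tags are configured. This also undoes the intent stated in the commit message, because `TransitiveTagKeys` is forwarded to STS whenever it is set, even with no `SessionTags`. Changing both checks to `if sessExtID != "" || len(sessTags) > 0 {` and `if len(sessTags) > 0 {` restores the original branching for stores without tags. `prov.SessionTags` is a slice of pointers, so `tag.Key` in the loop would panic on a nil element; whether the CRD schema rules that out is not visible here, so a `if tag == nil { continue }` guard (building the slice with `append` instead of by index) may be worth adding. New's body continues outside the hunk.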