Merge pull request #405 from haarchri/feature/AWSWebIdentityCredentials

feat(aws): implement AWSWebIdentityCredentials

Author: erhancagirici

examples/cluster/provider/provider-config-with-aws-identity.yaml

@@ -0,0 +1,43 @@
+apiVersion: kubernetes.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+  name: kubernetes-provider
+spec:
+  credentials:
+    source: Secret
+    secretRef:
+      namespace: crossplane-system
+      name: cluster-config
+      key: kubeconfig
+  identity:
+    source: InjectedIdentity
+    type: AWSWebIdentityCredentials
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cluster-config
+  namespace: crossplane-system
+type: Opaque
+stringData:
+  # The cluster name must be the actual EKS cluster name or the full ARN.
+  # Examples:
+  #   - name: my-cluster-name
+  #   - name: arn:aws:eks:us-west-2:123456789012:cluster/my-cluster-name
+  kubeconfig: |
+    apiVersion: v1
+    kind: Config
+    clusters:
+    - cluster:
+        certificate-authority-data: LS0tLS1CRUdJTi...BASE64_ENCODED_CA...
+        server: https://ABCD1234EFGH5678.gr7.us-west-2.eks.amazonaws.com
+      name: eks-cluster
+    contexts:
+    - context:
+        cluster: eks-cluster
+        user: eks-user
+      name: eks-context
+    current-context: eks-context
+    users:
+    - name: eks-user
+      user: {}

examples/namespaced/provider/provider-config-with-aws-identity.yaml

@@ -0,0 +1,44 @@
+apiVersion: kubernetes.m.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+  name: kubernetes-provider
+  namespace: crossplane-system
+spec:
+  credentials:
+    source: Secret
+    secretRef:
+      namespace: crossplane-system
+      name: cluster-config
+      key: kubeconfig
+  identity:
+    source: InjectedIdentity
+    type: AWSWebIdentityCredentials
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cluster-config
+  namespace: crossplane-system
+type: Opaque
+stringData:
+  # The cluster name must be the actual EKS cluster name or the full ARN.
+  # Examples:
+  #   - name: my-cluster-name
+  #   - name: arn:aws:eks:us-west-2:123456789012:cluster/my-cluster-name
+  kubeconfig: |
+    apiVersion: v1
+    kind: Config
+    clusters:
+    - cluster:
+        certificate-authority-data: LS0tLS1CRUdJTi...BASE64_ENCODED_CA...
+        server: https://ABCD1234EFGH5678.gr7.us-west-2.eks.amazonaws.com
+      name: eks-cluster
+    contexts:
+    - context:
+        cluster: eks-cluster
+        user: eks-user
+      name: eks-context
+    current-context: eks-context
+    users:
+    - name: eks-user
+      user: {}

go.mod

@@ -5,6 +5,10 @@ go 1.24.6
 require (
 	github.com/Azure/kubelogin v0.1.4
 	github.com/alecthomas/kingpin/v2 v2.4.0
+	github.com/aws/aws-sdk-go-v2 v1.39.4
+	github.com/aws/aws-sdk-go-v2/config v1.31.15
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.9
+	github.com/aws/smithy-go v1.23.1
 	github.com/crossplane/crossplane-runtime/v2 v2.0.0-rc.1
 	github.com/crossplane/crossplane-tools v0.0.0-20250731192036-00d407d8b7ec
 	github.com/google/cel-go v0.23.2
@@ -44,6 +48,15 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.19 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect

go.sum

@@ -36,6 +36,32 @@ github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b h1:mimo19zliBX/vS
 github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b/go.mod h1:fvzegU4vN3H1qMT+8wDmzjAcDONcgo2/SZ/TyfdUOFs=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
+github.com/aws/aws-sdk-go-v2 v1.39.4 h1:qTsQKcdQPHnfGYBBs+Btl8QwxJeoWcOcPcixK90mRhg=
+github.com/aws/aws-sdk-go-v2 v1.39.4/go.mod h1:yWSxrnioGUZ4WVv9TgMrNUeLV3PFESn/v+6T/Su8gnM=
+github.com/aws/aws-sdk-go-v2/config v1.31.15 h1:gE3M4xuNXfC/9bG4hyowGm/35uQTi7bUKeYs5e/6uvU=
+github.com/aws/aws-sdk-go-v2/config v1.31.15/go.mod h1:HvnvGJoE2I95KAIW8kkWVPJ4XhdrlvwJpV6pEzFQa8o=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.19 h1:Jc1zzwkSY1QbkEcLujwqRTXOdvW8ppND3jRBb/VhBQc=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.19/go.mod h1:DIfQ9fAk5H0pGtnqfqkbSIzky82qYnGvh06ASQXXg6A=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11 h1:X7X4YKb+c0rkI6d4uJ5tEMxXgCZ+jZ/D6mvkno8c8Uw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11/go.mod h1:EqM6vPZQsZHYvC4Cai35UDg/f5NCEU+vp0WfbVqVcZc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11 h1:7AANQZkF3ihM8fbdftpjhken0TP9sBzFbV/Ze/Y4HXA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11/go.mod h1:NTF4QCGkm6fzVwncpkFQqoquQyOolcyXfbpC98urj+c=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11 h1:ShdtWUZT37LCAA4Mw2kJAJtzaszfSHFb5n25sdcv4YE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11/go.mod h1:7bUb2sSr2MZ3M/N+VyETLTQtInemHXb/Fl3s8CLzm0Y=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 h1:xtuxji5CS0JknaXoACOunXOYOQzgfTvGAc9s2QdCJA4=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2/go.mod h1:zxwi0DIR0rcRcgdbl7E2MSOvxDyyXGBlScvBkARFaLQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11 h1:GpMf3z2KJa4RnJ0ew3Hac+hRFYLZ9DDjfgXjuW+pB54=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11/go.mod h1:6MZP3ZI4QQsgUCFTwMZA2V0sEriNQ8k2hmoHF3qjimQ=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.8 h1:M5nimZmugcZUO9wG7iVtROxPhiqyZX6ejS1lxlDPbTU=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.8/go.mod h1:mbef/pgKhtKRwrigPPs7SSSKZgytzP8PQ6P6JAAdqyM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3 h1:S5GuJZpYxE0lKeMHKn+BRTz6PTFpgThyJ+5mYfux7BM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3/go.mod h1:X4OF+BTd7HIb3L+tc4UlWHVrpgwZZIVENU15pRDVTI0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.9 h1:Ekml5vGg6sHSZLZJQJagefnVe6PmqC2oiRkBq4F7fU0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.9/go.mod h1:/e15V+o1zFHWdH3u7lpI3rVBcxszktIKuHKCY2/py+k=
+github.com/aws/smithy-go v1.23.1 h1:sLvcH6dfAFwGkHLZ7dGiYF7aK6mg4CgKA/iDKjLDt9M=
+github.com/aws/smithy-go v1.23.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=

package/crds/kubernetes.crossplane.io_providerconfigs.yaml

@@ -172,6 +172,7 @@ spec:
                     - AzureServicePrincipalCredentials
                     - AzureWorkloadIdentityCredentials
                     - UpboundTokens
+                    - AWSWebIdentityCredentials
                     type: string
                 required:
                 - source

package/crds/kubernetes.m.crossplane.io_clusterproviderconfigs.yaml

@@ -172,6 +172,7 @@ spec:
                     - AzureServicePrincipalCredentials
                     - AzureWorkloadIdentityCredentials
                     - UpboundTokens
+                    - AWSWebIdentityCredentials
                     type: string
                 required:
                 - source

package/crds/kubernetes.m.crossplane.io_providerconfigs.yaml

@@ -172,6 +172,7 @@ spec:
                     - AzureServicePrincipalCredentials
                     - AzureWorkloadIdentityCredentials
                     - UpboundTokens
+                    - AWSWebIdentityCredentials
                     type: string
                 required:
                 - source

pkg/kube/client/aws/aws.go

@@ -0,0 +1,165 @@
+/*
+Copyright 2025 The Crossplane Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package aws contains utilities for authenticating to EKS clusters.
+package aws
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
+	"github.com/pkg/errors"
+	"k8s.io/client-go/rest"
+)
+
+const (
+	// clusterIDHeader is the header name for the cluster ID
+	clusterIDHeader = "x-k8s-aws-id"
+	// expireHeader is the header name for the expiration time
+	expireHeader = "X-Amz-Expires"
+	// tokenPrefix is the prefix for the EKS token
+	tokenPrefix = "k8s-aws-v1."
+	// tokenExpiration is the default expiration time for EKS tokens (15 minutes)
+	tokenExpiration = 900
+)
+
+// WrapRESTConfig configures the supplied REST config to use bearer tokens
+// fetched using AWS credentials chain for EKS authentication.
+// This uses AWS Web Identity / IRSA to assume a role that has access to the EKS cluster.
+// clusterNameFromKubeconfig is the cluster name from the kubeconfig (can be an ARN or plain name).
+func WrapRESTConfig(ctx context.Context, rc *rest.Config, clusterNameFromKubeconfig string) error {
+	// Extract cluster name from ARN if needed
+	clusterName, err := extractClusterNameFromARN(clusterNameFromKubeconfig)
+	if err != nil {
+		return errors.Wrap(err, "failed to extract cluster name from kubeconfig")
+	}
+
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		return errors.Wrap(err, "failed to load AWS config using default credentials chain")
+	}
+
+	// Create STS client with the credentials (which may already be assumed role credentials)
+	stsClient := sts.NewFromConfig(cfg)
+
+	// Create a token source that generates EKS tokens on demand
+	tokenSource := &eksTokenSource{
+		ctx:       ctx,
+		stsClient: stsClient,
+		clusterID: clusterName,
+	}
+
+	// Wrap the transport to inject the bearer token
+	rc.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+		return &bearerAuthRoundTripper{
+			source: tokenSource,
+			rt:     rt,
+		}
+	})
+
+	// Clear any exec provider since we're handling auth ourselves
+	rc.ExecProvider = nil
+
+	return nil
+}
+
+// extractClusterNameFromARN extracts the cluster name from an EKS cluster ARN
+// ARN format: arn:aws:eks:region:account:cluster/cluster-name
+func extractClusterNameFromARN(arnString string) (string, error) {
+	// Check if it's an ARN using AWS SDK
+	if !arn.IsARN(arnString) {
+		// Not an ARN, might be just the cluster name
+		return arnString, nil
+	}
+
+	// Parse ARN using AWS SDK
+	parsedARN, err := arn.Parse(arnString)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to parse ARN")
+	}
+
+	// EKS cluster ARNs have Resource in format "cluster/cluster-name"
+	// Split by '/' to get the cluster name
+	parts := strings.Split(parsedARN.Resource, "/")
+	if len(parts) < 2 {
+		return "", fmt.Errorf("invalid EKS cluster ARN resource format: %s", parsedARN.Resource)
+	}
+
+	return parts[len(parts)-1], nil
+}
+
+// eksTokenSource generates EKS authentication tokens using AWS STS
+type eksTokenSource struct {
+	ctx       context.Context
+	stsClient *sts.Client
+	clusterID string
+}
+
+// Token generates an EKS authentication token
+// This replicates the behavior of `aws eks get-token` command
+// The STS client uses credentials from the AWS default credentials chain,
+// which includes assumed role credentials from Web Identity/IRSA
+func (s *eksTokenSource) Token() (string, error) {
+	// Create a presigned request for GetCallerIdentity
+	// This is what EKS uses for authentication
+	// Default expiration is 15 minutes (900 seconds) which is what EKS expects
+	presigner := sts.NewPresignClient(s.stsClient)
+
+	// Create presigned request with cluster ID and expiration headers
+	// This matches the provider-aws implementation exactly
+	presignedReq, err := presigner.PresignGetCallerIdentity(s.ctx,
+		&sts.GetCallerIdentityInput{},
+		func(po *sts.PresignOptions) {
+			po.ClientOptions = []func(*sts.Options){
+				sts.WithAPIOptions(
+					smithyhttp.AddHeaderValue(clusterIDHeader, s.clusterID),
+					smithyhttp.AddHeaderValue(expireHeader, fmt.Sprintf("%d", tokenExpiration)),
+				),
+			}
+		})
+	if err != nil {
+		return "", errors.Wrap(err, "failed to presign GetCallerIdentity request")
+	}
+
+	// Encode the presigned URL as a base64 token with the EKS prefix
+	token := tokenPrefix + base64.RawURLEncoding.EncodeToString([]byte(presignedReq.URL))
+
+	return token, nil
+}
+
+// bearerAuthRoundTripper injects a bearer token into HTTP requests
+type bearerAuthRoundTripper struct {
+	source *eksTokenSource
+	rt     http.RoundTripper
+}
+
+// RoundTrip implements http.RoundTripper
+func (b *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	token, err := b.source.Token()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get EKS token")
+	}
+
+	// Clone the request and add the bearer token
+	reqCopy := req.Clone(req.Context())
+	reqCopy.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+
+	return b.rt.RoundTrip(reqCopy)
+}