handle service account creds for aws eks cluster (#23)

helm-chart/deepfence-cloud-scanner/values.yaml

@@ -51,8 +51,9 @@ logLevel: info
 cloudAuditLogIDs: ""
 
 # Only applicable in AWS
-# Must be one of "Ec2InstanceMetadata", "EcsContainer", "Environment"
-awsCredentialSource: "Ec2InstanceMetadata"
+# Must be one of "Ec2InstanceMetadata", "EcsContainer", "Environment" "ServiceAccount"
+# service account needs special handling
+awsCredentialSource: "ServiceAccount"
 
 imagePullSecrets: []
 nameOverride: ""

main.go

@@ -90,8 +90,11 @@ func main() {
 
 	switch config.CloudProvider {
 	case util.CloudProviderAWS:
-		if config.AWSCredentialSource != "EcsContainer" && config.AWSCredentialSource != "Ec2InstanceMetadata" && config.AWSCredentialSource != "Environment" {
-			log.Fatal().Msgf("invalid AWS_CREDENTIAL_SOURCE - should be one of EcsContainer, Ec2InstanceMetadata, Environment")
+		if config.AWSCredentialSource != "EcsContainer" &&
+			config.AWSCredentialSource != "Ec2InstanceMetadata" &&
+			config.AWSCredentialSource != "Environment" &&
+			config.AWSCredentialSource != "ServiceAccount" {
+			log.Fatal().Msgf("invalid AWS_CREDENTIAL_SOURCE - should be one of EcsContainer, Ec2InstanceMetadata, Environment, ServiceAccount")
 		}
 		if config.IsOrganizationDeployment && config.RoleName == "" {
 			log.Fatal().Msgf("ROLE_NAME is required in aws installation")

service/service.go

@@ -455,13 +455,20 @@ func processAwsCredentials(c *ComplianceScanService) {
 	var steampipeConfigFile string
 	var awsCredentialsFile string
 
+	if c.config.AWSCredentialSource == "ServiceAccount" {
+		awsCredentialsFile += "[default]\nrole_arn = " + os.Getenv("AWS_ROLE_ARN") + "\nweb_identity_token_file = " + os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") + "\n"
+	}
+
 	steampipeConfigFile = "connection \"aws_all\" {\n  type = \"aggregator\" \n plugin      = \"" + util.SteampipeAWSPluginVersion + "\"\n  connections = [\"aws_*\"] \n} \n"
 	for _, accId := range allAccountIDs {
 		if c.config.RoleName == "" {
 			steampipeConfigFile += "\nconnection \"aws_" + accId + "\" {\n  plugin = \"" + util.SteampipeAWSPluginVersion + "\"\n  " + regionString + "  max_error_retry_attempts = 10\n  ignore_error_codes = [\"AccessDenied\", \"AccessDeniedException\", \"NotAuthorized\", \"UnauthorizedOperation\", \"AuthorizationError\"]\n}\n"
 		} else {
 			if accId == c.config.DeployedAccountID {
 				steampipeConfigFile += "\nconnection \"aws_" + accId + "\" {\n  plugin = \"" + util.SteampipeAWSPluginVersion + "\"\n  " + regionString + "  max_error_retry_attempts = 10\n  ignore_error_codes = [\"AccessDenied\", \"AccessDeniedException\", \"NotAuthorized\", \"UnauthorizedOperation\", \"AuthorizationError\"]\n}\n"
+			} else if c.config.AWSCredentialSource == "ServiceAccount" {
+				awsCredentialsFile += "\n[profile_" + accId + "]\nrole_arn = arn:aws:iam::" + accId + ":role/" + c.config.RoleName + "\nsource_profile = default\n"
+				steampipeConfigFile += "\nconnection \"aws_" + accId + "\" {\n  plugin = \"" + util.SteampipeAWSPluginVersion + "\"\n  profile = \"profile_" + accId + "\"\n  " + regionString + "  max_error_retry_attempts = 10\n  ignore_error_codes = [\"AccessDenied\", \"AccessDeniedException\", \"NotAuthorized\", \"UnauthorizedOperation\", \"AuthorizationError\"]\n}\n"
 			} else {
 				awsCredentialsFile += "\n[profile_" + accId + "]\nrole_arn = arn:aws:iam::" + accId + ":role/" + c.config.RoleName + "\ncredential_source = " + c.config.AWSCredentialSource + "\n"
 				steampipeConfigFile += "\nconnection \"aws_" + accId + "\" {\n  plugin = \"" + util.SteampipeAWSPluginVersion + "\"\n  profile = \"profile_" + accId + "\"\n  " + regionString + "  max_error_retry_attempts = 10\n  ignore_error_codes = [\"AccessDenied\", \"AccessDeniedException\", \"NotAuthorized\", \"UnauthorizedOperation\", \"AuthorizationError\"]\n}\n"