Unverified Commit 8819ed62 authored by Nick Jüttner's avatar Nick Jüttner Committed by GitHub
Browse files

Merge pull request #524 from linki/assume-role

AWS: Allow to assume another role
parents 68be6096 790a7829
No related merge requests found
Showing with 16 additions and 3 deletions
+16 -3
......@@ -94,7 +94,7 @@ func main() {
var p provider.Provider
switch cfg.Provider {
case "aws":
p, err = provider.NewAWSProvider(domainFilter, zoneIDFilter, zoneTypeFilter, cfg.DryRun)
p, err = provider.NewAWSProvider(domainFilter, zoneIDFilter, zoneTypeFilter, cfg.AWSAssumeRole, cfg.DryRun)
case "azure":
p, err = provider.NewAzureProvider(cfg.AzureConfigFile, domainFilter, zoneIDFilter, cfg.AzureResourceGroup, cfg.DryRun)
case "cloudflare":
......
......@@ -50,6 +50,7 @@ type Config struct {
DomainFilter []string
ZoneIDFilter []string
AWSZoneType string
AWSAssumeRole string
AzureConfigFile string
AzureResourceGroup string
CloudflareProxied bool
......@@ -92,6 +93,7 @@ var defaultConfig = &Config{
GoogleProject: "",
DomainFilter: []string{},
AWSZoneType: "",
AWSAssumeRole: "",
AzureConfigFile: "/etc/kubernetes/azure.json",
AzureResourceGroup: "",
CloudflareProxied: false,
......@@ -168,6 +170,7 @@ func (cfg *Config) ParseFlags(args []string) error {
app.Flag("zone-id-filter", "Filter target zones by hosted zone id; specify multiple times for multiple zones (optional)").Default("").StringsVar(&cfg.ZoneIDFilter)
app.Flag("google-project", "When using the Google provider, current project is auto-detected, when running on GCP. Specify other project with this. Must be specified when running outside GCP.").Default(defaultConfig.GoogleProject).StringVar(&cfg.GoogleProject)
app.Flag("aws-zone-type", "When using the AWS provider, filter for zones of this type (optional, options: public, private)").Default(defaultConfig.AWSZoneType).EnumVar(&cfg.AWSZoneType, "", "public", "private")
app.Flag("aws-assume-role", "When using the AWS provider, assume this IAM role. Useful for hosted zones in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123455567:role/external-dns` (optional)").Default(defaultConfig.AWSAssumeRole).StringVar(&cfg.AWSAssumeRole)
app.Flag("azure-config-file", "When using the Azure provider, specify the Azure configuration file (required when --provider=azure").Default(defaultConfig.AzureConfigFile).StringVar(&cfg.AzureConfigFile)
app.Flag("azure-resource-group", "When using the Azure provider, override the Azure resource group to use (optional)").Default(defaultConfig.AzureResourceGroup).StringVar(&cfg.AzureResourceGroup)
app.Flag("cloudflare-proxied", "When using the Cloudflare provider, specify if the proxy mode must be enabled (default: disabled)").BoolVar(&cfg.CloudflareProxied)
......
......@@ -40,6 +40,7 @@ var (
DomainFilter: []string{""},
ZoneIDFilter: []string{""},
AWSZoneType: "",
AWSAssumeRole: "",
AzureConfigFile: "/etc/kubernetes/azure.json",
AzureResourceGroup: "",
CloudflareProxied: false,
......@@ -76,6 +77,7 @@ var (
DomainFilter: []string{"example.org", "company.com"},
ZoneIDFilter: []string{"/hostedzone/ZTST1", "/hostedzone/ZTST2"},
AWSZoneType: "private",
AWSAssumeRole: "some-other-role",
AzureConfigFile: "azure.json",
AzureResourceGroup: "arg",
CloudflareProxied: true,
......@@ -147,6 +149,7 @@ func TestParseFlags(t *testing.T) {
"--zone-id-filter=/hostedzone/ZTST1",
"--zone-id-filter=/hostedzone/ZTST2",
"--aws-zone-type=private",
"--aws-assume-role=some-other-role",
"--policy=upsert-only",
"--registry=noop",
"--txt-owner-id=owner-1",
......@@ -188,6 +191,7 @@ func TestParseFlags(t *testing.T) {
"EXTERNAL_DNS_PDNS_API_KEY": "some-secret-key",
"EXTERNAL_DNS_ZONE_ID_FILTER": "/hostedzone/ZTST1\n/hostedzone/ZTST2",
"EXTERNAL_DNS_AWS_ZONE_TYPE": "private",
"EXTERNAL_DNS_AWS_ASSUME_ROLE": "some-other-role",
"EXTERNAL_DNS_POLICY": "upsert-only",
"EXTERNAL_DNS_REGISTRY": "noop",
"EXTERNAL_DNS_TXT_OWNER_ID": "owner-1",
......
......@@ -21,6 +21,7 @@ import (
"strings"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/route53"
"github.com/kubernetes-incubator/external-dns/endpoint"
......@@ -79,10 +80,10 @@ type AWSProvider struct {
}
// NewAWSProvider initializes a new AWS Route53 based Provider.
func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTypeFilter ZoneTypeFilter, dryRun bool) (*AWSProvider, error) {
func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTypeFilter ZoneTypeFilter, assumeRole string, dryRun bool) (*AWSProvider, error) {
config := aws.NewConfig()
config = config.WithHTTPClient(
config.WithHTTPClient(
instrumented_http.NewClient(config.HTTPClient, &instrumented_http.Callbacks{
PathProcessor: func(path string) string {
parts := strings.Split(path, "/")
......@@ -99,6 +100,11 @@ func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTy
return nil, err
}
if assumeRole != "" {
log.Infof("Assuming role: %s", assumeRole)
session.Config.WithCredentials(stscreds.NewCredentials(session, assumeRole))
}
provider := &AWSProvider{
client: route53.New(session),
domainFilter: domainFilter,
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment