Add AWS IAM auth method (#166)

Author: dbnicholson

Diff for: README.md

@@ -75,6 +75,23 @@ You enter your Vault Kubernetes auth `role`. The JWT will be automatically retri
 mounted secret volume (`/var/run/secrets/kubernetes.io/serviceaccount/token`). This assumes,
 that the jenkins is running in Kubernetes Pod with a Service Account attached.
 
+#### Vault AWS IAM Credential
+
+![AWS IAM Credential](docs/images/aws_iam_credential.png)
+
+Authenticate to Vault using the aws auth method with the
+[IAM](https://www.vaultproject.io/docs/auth/aws#iam-auth-method)
+workflow. The AWS credentials will be automatically retrieved from one
+of [several standard
+locations](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.html).
+The typical use case would be Jenkins master running on an AWS EC2
+instance with the credentials acquired from the [instance
+metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials).
+Optionally enter your AWS IAM auth `role` name and Vault AWS auth
+`mount` path. If the `role` is not provided, Vault will determine it
+from the principal in the IAM identity. If the `mount` path is not
+provided, it defaults to `aws`.
+
 #### Vault Token Credential
 
 ![Token Credential](docs/images/token_credential.png)
@@ -224,7 +241,7 @@ credentials:
 
 See [handling secrets section](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc) in JCasC documentation for better security.
 
-You can also configure `VaultGithubTokenCredential`, or `VautGCPCredential` or `VaultAppRoleCredential`
+You can also configure `VaultGithubTokenCredential`, `VaultGCPCredential`, `VaultAppRoleCredential` or `VaultAwsIamCredential`.
 
 If you are unsure about how to do it from `yaml`. You can still use the UI to configure credentials.  
 After you configured Credentials and the Global Vault configuration.  
@@ -242,6 +259,8 @@ The secret source for JCasC is configured via environment variables as way to ge
 - The environment variable `CASC_VAULT_APPROLE` must be present, if token is not used and U/P not used. (Vault AppRole ID.)
 - The environment variable `CASC_VAULT_APPROLE_SECRET` must be present, it token is not used and U/P not used. (Vault AppRole Secret ID.)
 - The environment variable `CASC_VAULT_KUBERNETES_ROLE` must be present, if you want to use Kubernetes Service Account. (Vault Kubernetes Role.)
+- The environment variable `CASC_VAULT_AWS_IAM_ROLE` must be present, if you want to use AWS IAM authentiation. (Vault AWS IAM Role.)
+- The environment variable `CASC_VAULT_AWS_IAM_SERVER_ID` must be present when using AWS IAM authentication and the Vault auth method requires a value for the `X-Vault-AWS-IAM-Server-ID` header. (Vault AWS IAM Server ID.)
 - The environment variable `CASC_VAULT_TOKEN` must be present, if U/P is not used. (Vault token.)
 - The environment variable `CASC_VAULT_PATHS` must be present. (Comma separated vault key paths. For example, `secret/jenkins,secret/admin`.)
 - The environment variable `CASC_VAULT_URL` must be present. (Vault url, including port number.)
@@ -253,7 +272,7 @@ The secret source for JCasC is configured via environment variables as way to ge
 - The environment variable `CASC_VAULT_ENGINE_VERSION` is optional. If unset, your vault path is assumed to be using kv version 2. If your vault path uses engine version 1, set this variable to `1`.
 - The issued token should have read access to vault path `auth/token/lookup-self` in order to determine its expiration time. JCasC will re-issue a token if its expiration is reached (except for `CASC_VAULT_TOKEN`).
 
-If the environment variables `CASC_VAULT_URL` and `CASC_VAULT_PATHS` are present, JCasC will try to gather initial secrets from Vault. However for it to work properly there is a need for authentication by either the combination of `CASC_VAULT_USER` and `CASC_VAULT_PW`, a `CASC_VAULT_TOKEN`, the combination of `CASC_VAULT_APPROLE` and `CASC_VAULT_APPROLE_SECRET`, or a `CASC_VAULT_KUBERNETES_ROLE`. The authenticated user must have at least read access.
+If the environment variables `CASC_VAULT_URL` and `CASC_VAULT_PATHS` are present, JCasC will try to gather initial secrets from Vault. However for it to work properly there is a need for authentication by either the combination of `CASC_VAULT_USER` and `CASC_VAULT_PW`, a `CASC_VAULT_TOKEN`, the combination of `CASC_VAULT_APPROLE` and `CASC_VAULT_APPROLE_SECRET`, a `CASC_VAULT_KUBERNETES_ROLE`, or a `CASC_VAULT_AWS_IAM_ROLE`. The authenticated user must have at least read access.
 
 You can also provide a `CASC_VAULT_FILE` environment variable where you load the secrets from a file.
 

Diff for: docs/images/aws_iam_credential.png

@@ -139,6 +139,18 @@
       <artifactId>configuration-as-code</artifactId>
       <optional>true</optional>
     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>aws-java-sdk</artifactId>
+      <version>1.11.955</version>
+      <optional>true</optional>
+      <exclusions>
+        <exclusion>
+          <groupId>joda-time</groupId>
+          <artifactId>joda-time</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
     <!-- Test Dependencies -->
     <dependency>
       <groupId>io.jenkins.configuration-as-code</groupId>

Diff for: pom.xml

@@ -0,0 +1,118 @@
+package com.datapipe.jenkins.vault;
+
+import com.amazonaws.DefaultRequest;
+import com.amazonaws.auth.AWS4Signer;
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
+import com.amazonaws.http.HttpMethodName;
+import com.amazonaws.util.RuntimeHttpUtils;
+import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.api.Auth;
+import com.bettercloud.vault.json.JsonArray;
+import com.bettercloud.vault.json.JsonObject;
+import com.datapipe.jenkins.vault.exception.VaultPluginException;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Util;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringUtils;
+
+public class AwsHelper {
+
+    private final static Logger LOGGER = Logger.getLogger(AwsHelper.class.getName());
+
+    @NonNull
+    public static String getToken(@NonNull Auth auth, @CheckForNull AWSCredentials credentials,
+                                  @CheckForNull String role, @CheckForNull String serverIdValue,
+                                  @CheckForNull String mountPath) throws VaultPluginException {
+        final EncodedIdentityRequest request;
+        try {
+            request = new EncodedIdentityRequest(credentials, serverIdValue);
+        } catch (IOException | URISyntaxException e) {
+            throw new VaultPluginException("could not get IAM request from AWS metadata", e);
+        }
+
+        // Convert empty role and mount to null so loginByAwsIam uses the defaults
+        final String requestRole = Util.fixEmptyAndTrim(role);
+        final String requestMountPath = Util.fixEmptyAndTrim(mountPath);
+        try {
+            return auth.loginByAwsIam(requestRole, request.encodedUrl, request.encodedBody,
+                                      request.encodedHeaders, requestMountPath)
+                .getAuthClientToken();
+        } catch (VaultException e) {
+            throw new VaultPluginException("could not log in into vault", e);
+        }
+    }
+
+    private static class EncodedIdentityRequest {
+
+        @NonNull
+        public final String encodedHeaders;
+
+        @NonNull
+        public final String encodedBody;
+
+        @NonNull
+        public final String encodedUrl;
+
+        private static final String data = "Action=GetCallerIdentity&Version=2011-06-15";
+        private static final String endpoint = "https://sts.amazonaws.com";
+
+        EncodedIdentityRequest(@CheckForNull AWSCredentials credentials, @CheckForNull String serverIdValue) throws IOException, URISyntaxException {
+            LOGGER.fine("Creating GetCallerIdentity request");
+            final DefaultRequest request = new DefaultRequest("sts");
+            request.addHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
+            if (StringUtils.isNotEmpty(serverIdValue)) {
+                request.addHeader("X-Vault-AWS-IAM-Server-ID", serverIdValue);
+            }
+            request.setContent(new ByteArrayInputStream(this.data.getBytes(StandardCharsets.UTF_8)));
+            request.setHttpMethod(HttpMethodName.POST);
+            request.setEndpoint(new URI(this.endpoint));
+
+            if (credentials == null) {
+                LOGGER.fine("Acquiring AWS credentials");
+                credentials = new DefaultAWSCredentialsProviderChain().getCredentials();
+                LOGGER.log(Level.FINER, "AWS Access Key ID: {0}", credentials.getAWSAccessKeyId());
+            }
+
+            LOGGER.fine("Signing GetCallerIdentity request");
+            final AWS4Signer aws4Signer = new AWS4Signer();
+            aws4Signer.setServiceName(request.getServiceName());
+            aws4Signer.sign(request, credentials);
+
+            final Base64.Encoder encoder = Base64.getEncoder();
+
+            final JsonObject headers = new JsonObject();
+            final Map<String, String> headersMap = getHeadersMap(request);
+            for (Map.Entry<String, String> entry : headersMap.entrySet()) {
+                final JsonArray array = new JsonArray();
+                array.add(entry.getValue());
+                headers.add(entry.getKey(), array);
+            }
+            encodedHeaders = encoder.encodeToString(headers.toString().getBytes(StandardCharsets.UTF_8));
+
+            final byte[] body = IOUtils.toByteArray(request.getContent());
+            encodedBody = encoder.encodeToString(body);
+
+            final URL url = RuntimeHttpUtils.convertRequestToUrl(request, true, true);
+            encodedUrl = encoder.encodeToString(url.toString().getBytes(StandardCharsets.UTF_8));
+        }
+
+        // DefaultRequest.getHeaders() really returns a Map<String,String>, but for some reason it
+        // comes back as a bare Map
+        @SuppressWarnings("unchecked")
+        private static Map<String, String> getHeadersMap(DefaultRequest request) {
+            return request.getHeaders();
+        }
+    }
+}

Diff for: src/main/java/com/datapipe/jenkins/vault/AwsHelper.java

@@ -0,0 +1,76 @@
+package com.datapipe.jenkins.vault.credentials;
+
+import com.bettercloud.vault.api.Auth;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.datapipe.jenkins.vault.AwsHelper;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
+
+import static org.apache.commons.lang.StringUtils.defaultIfBlank;
+
+public class VaultAwsIamCredential extends AbstractAuthenticatingVaultTokenCredential {
+
+    @NonNull
+    private String role = "";
+
+    @NonNull
+    private String serverId = "";
+
+    @NonNull
+    private String mountPath = DescriptorImpl.defaultMountPath;
+
+    @DataBoundConstructor
+    public VaultAwsIamCredential(@CheckForNull CredentialsScope scope, @CheckForNull String id,
+                                 @CheckForNull String description) {
+        super(scope, id, description);
+    }
+
+    @NonNull
+    public String getRole() {
+        return this.role;
+    }
+
+    @DataBoundSetter
+    public void setRole(@NonNull String role) {
+        this.role = role;
+    }
+
+    @NonNull
+    public String getServerId() {
+        return this.serverId;
+    }
+
+    @DataBoundSetter
+    public void setServerId(@NonNull String serverId) {
+        this.serverId = serverId;
+    }
+
+    @NonNull
+    public String getMountPath() {
+        return this.mountPath;
+    }
+
+    @DataBoundSetter
+    public void setMountPath(@NonNull String mountPath) {
+        this.mountPath = defaultIfBlank(mountPath, DescriptorImpl.defaultMountPath);
+    }
+
+    @Override
+    public String getToken(Auth auth) {
+        return AwsHelper.getToken(auth, null, this.role, this.serverId, this.mountPath);
+    }
+
+    @Extension
+    public static class DescriptorImpl extends BaseStandardCredentialsDescriptor {
+        @NonNull
+        @Override
+        public String getDisplayName() {
+            return "Vault AWS IAM Credential";
+        }
+
+        public static final String defaultMountPath = "aws";
+    }
+}

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential.java

@@ -18,4 +18,7 @@ static VaultAuthenticator of(VaultUsernamePassword vaultUsernamePassword, String
     static VaultAuthenticator of(VaultKubernetes vaultKubernetes, String mountPath) {
         return new VaultKubernetesAuthenticator(vaultKubernetes, mountPath);
     }
+    static VaultAuthenticator of(VaultAwsIam vaultAwsIam, String mountPath) {
+        return new VaultAwsIamAuthenticator(vaultAwsIam, mountPath);
+    }
 }

Diff for: src/main/java/com/datapipe/jenkins/vault/jcasc/secrets/VaultAuthenticator.java

@@ -0,0 +1,36 @@
+package com.datapipe.jenkins.vault.jcasc.secrets;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import java.util.Objects;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.ProtectedExternally;
+
+@Restricted(ProtectedExternally.class)
+public class VaultAwsIam {
+
+    @NonNull
+    private String role;
+
+    @NonNull
+    private String serverId;
+
+    public VaultAwsIam(@NonNull String role, @NonNull String serverId) {
+        this.role = role;
+        this.serverId = serverId;
+    }
+
+    @NonNull
+    public String getRole() {
+        return role;
+    }
+
+    @NonNull
+    public String getServerId() {
+        return serverId;
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(role, serverId);
+    }
+}

Diff for: src/main/java/com/datapipe/jenkins/vault/jcasc/secrets/VaultAwsIam.java

@@ -0,0 +1,49 @@
+package com.datapipe.jenkins.vault.jcasc.secrets;
+
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultConfig;
+import com.bettercloud.vault.VaultException;
+import com.datapipe.jenkins.vault.AwsHelper;
+import com.datapipe.jenkins.vault.exception.VaultPluginException;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import java.util.Objects;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public class VaultAwsIamAuthenticator extends VaultAuthenticatorWithExpiration {
+    private final static Logger LOGGER = Logger.getLogger(VaultAwsIamAuthenticator.class.getName());
+
+    @NonNull
+    private VaultAwsIam awsIam;
+
+    @NonNull
+    private String mountPath;
+
+    public VaultAwsIamAuthenticator(@NonNull VaultAwsIam awsIam, @NonNull String mountPath) {
+        this.awsIam = awsIam;
+        this.mountPath = mountPath;
+    }
+
+    public void authenticate(@NonNull Vault vault, @NonNull VaultConfig config) throws VaultException, VaultPluginException {
+        if (isTokenTTLExpired()) {
+            // authenticate
+            currentAuthToken = AwsHelper.getToken(vault.auth(), null, awsIam.getRole(), awsIam.getServerId(), mountPath);
+            config.token(currentAuthToken).build();
+            LOGGER.log(Level.FINE, "Login to Vault using AWS IAM successful");
+            getTTLExpiryOfCurrentToken(vault);
+        } else {
+            // make sure current auth token is set in config
+            config.token(currentAuthToken).build();
+        }
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        return super.equals(o);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(awsIam);
+    }
+}