Retrieve password of RDS Postgres DB through IAM from GKE

[nuskyazhar]

I am trying to connect a Spring Boot application running on GKE to a AWS RDS Postgres DB through IAM federation

Therefore, I am trying to create a custom HikariDataSource which overrides the getPassword method - so the application can use this password to connect to the DB.

I have retrieved the identity-token of for the GCP service account by impersonating it.

GoogleCredentials sourceCredentials = GoogleCredentials getApplicationDefault();
        ImpersonatedCredentials targetCredentials = ImpersonatedCredentials.create(
                sourceCredentials,
                "application@project.iam.gserviceaccount.com",
                null,
                Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"),
                3600
        );

        IdTokenCredentials tokenCredentials = IdTokenCredentials.newBuilder()
                .setIdTokenProvider(targetCredentials)
                .setTargetAudience("AWS account")
                .build();

        tokenCredentials.refresh();
        IdToken idToken = tokenCredentials.getIdToken();
        String idTokenTokenValue = idToken.getTokenValue();

With this idTokenTokenValue, I am trying to Assume a role in AWS - target is to exchange this token to a STS token and retrieve the password of the DB

String roleArn = "arn:aws:iam::X:role/Y";
        String roleSessionName = "rds-gcp-aws-federation";

        AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest = AssumeRoleWithWebIdentityRequest.builder()
                .roleSessionName(roleSessionName + UUID.randomUUIDO)
                .roleArn(roleArn)
                .webIdentityToken(webIdentityToken) //webIdentityToken is taken from IdTokenCredentials of Google Cloud SDK by impersonating a service account
                .build();

        StsAssumeRoleWithWebIdentityCredentialsProvider stsProvider = StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
                .refreshRequest(assumeRoleWithWebIdentityRequest)
                .build();

        StsClient stsClient = StsClient.builder()
                .credentialsProvider(stsProvider)
                .region(Region.AP_SOUTHEAST_2)
                .endpointOverride(URI.create("https://sts.ap-southeast-2.amazonaws.com"))
                .build();

        AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse = stsClient.assumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest);

        Credentials providedCredentials = assumeRoleWithWebIdentItyResponse.credentials();

        String awsAccessKey = providedCredentials.accessKeyId;
        String awsSecretAccessKey = providedCredentials.secretAccessKey;
        String awsSessionToken = providedCredentials.sessionToken;

        System.setProperty("aws.accessKeyId", awsAccesskey);
        System.setProperty("aws.secretKey", awsSecretAccessKey);
        System.setProperty("aws.sessionToken", awsSessionToken);

        RdsClient rdsClient = RdsClient.builder()
                .region(Region.AP_SOUTHEAST_2)
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();


        GenerateAuthenticationTokenRequest tokenRequest = GenerateAuthenticationTokenRequest.builder()
                .credentialsProvider(DefaultCredentialsProvider.create())
                .hostname(jdbcHost)
                .port(jdbcPort)
                .username(JdbcUsername)
                .build();

        RdsUtilities rdsUtilities = rdsClient.utilities();
        String token = rdsUtilities.generateAuthenticationToken(tokenRequest);

I am not able to build the StsAssumeRoleWithWebIdentityCredentialsProvider because it requires a StsClient

If I create the StsClient first, and try to provide it to the StsAssumeRoleWithWebIdentityCredentialsProvider, StsClient is trying to get credentials from the SystemPropertyCredentialsProvider which requires AWS_ACCESS_KEY_ID , AWS_SECRET_ACCESS_KEY.
I can obtain the AWS access key ID and secret access key only after assuming the role or calling resolveCredentials() on the StsAssumeRoleWithWebIdentityCredentialsProvider

Therefore, it seem to have a circular dependency between StsClient and StsAssumeRoleWithWebIdentityCredentialsProvider

Could someone please advice me how to resolve this?

Thanks

[jblang]

@nuskyazhar did you ever figure out how to do this? I am trying to do something similar.