Add IAM Auth Method

[pglass]

This adds an IAM auth method to Consul to support logging in with AWS IAM identities.

Overview

This PR uses a similar approach as the Vault IAM auth method. Vault's login token format is used here, but with a unique change to avoid the need for config the auth method with AWS credentials.

The "bearer token" contains one or two signed AWS API requests, which are JSON encoded.

1. A client-signed sts:GetCallerIdentity request (same as Vault).
   • This is generated by consul login -aws-auto-bearer-token ....
   • The auth method must be configured with EnableIAMEntityDetails=false
2. A client-signed sts:GetCallerIdentity request, with a signed iam:GetRole or iam:GetUser request embedded in headers (unique to Consul).
   • This is generated by consul login -aws-auto-bearer-token -aws-include-entity ...
   • The auth method must be configured with EnableIAMEntityDetails=true

Because the requests are signed with the client credentials, the IAM auth method does not need to be configured with its own AWS credentials.

Code

• command/login/* - updates consul login with additional flags to support logging into the AWS auth method
  • This calls GenerateLoginData() in the internal iamauth package to do the work of generating the bearer token
  • Then, the existing logic is used to login with the bearer token
• agent/consul/authmethod/awsauth/* - implements the auth method
  • This implements the existing authmethod.Validator interface
  • This calls ValidateLogin() in the internal iamauth package to do the work of validating the identity of a client attempting to login
• internal/iamauth/* - an internal package which implements the core logic. This is a mix of new code and code borrowed/modified from the Vault IAM auth method
  • Authenticator.ValidateLogin() validates a client's identity to determine if they are permitted to login
  • The BearerToken type parses the login token and does some validation of the token
  • The GenerateLoginData function is used to generate the login data that forms the bearer token, which involves formatting signed AWS API requests

Usage

Configuring the auth method (example):

consul acl auth-method create -type aws-iam \
  -name <name> \
  -config='{
    "BoundIAMPrincipalARNs": [],
    "EnableIAMEntityDetails": false,
    "IAMEntityTags": []
    "MaxRetries": -1,
    "IAMEndpoint": "",
    "STSEndpoint": "",
    "STSRegion": "",
    "ServerIDHeaderValue": "",
    "AllowedSTSHeaderValues": [],
}'

Login

consul login -type aws-iam -method <name> -aws-auto-bearer-token -token-sink-file token.txt

[rboyer]

Probably good to in the PR somewhere and likely also in a comment in one of the packages indicating which version/sha of various vault libraries the various AWS bits were lifted from. That way there's a paper trail to figure out which possible future patches on the vault side need to be re-replicated here.

[pglass]

Vault calls into a GenerateLoginData function, which I didn't end up re-using because (1) it doesn't support encoding the "get entity" request (GetRole or GetUser) in the login data, which is unique to the Consul implementation, and (2) there's a hardcoded vault server id header name, which is also why there are a bunch of header names passed into GenerateLoginData here, so that we're using X-Consul* header names.

[pglass]

This relies the AWS SDK's standard credential chain, whereas Vault credential discovery calls into GenerateCredentialChain, which does some custom things. I haven't deeply compared these. Probably, there's a good reason for what Vault does, and we should adopt their implementation, which I can do now or in a follow up.

[rboyer]

It might be worth figuring out what value GenerateCredentialChain is bringing and erring on the side of using it over not.

[pglass]

I've dug through the credential loading a good bit in the past couple days. I time boxed this, but there's nothing I've found that Vault supports in its custom credential chain that the SDK doesn't also support out of the box.

Users have also noticed differences between Vault's credential chain and the SDK, and Vault has generally moved toward matching the SDK behavior where possible (such as: hashicorp/vault#7738 and hashicorp/vault#13807).

So I think we should rely on the SDK's credential discovery in favor of being more standardized.

[pglass]

I referenced the corresponding Vault code, but this is simpler since it doesn't support the unique role/user id check.

Note: I kept the links to Vault code for comparison during this initial code review, but I'm planning on removing those from the source code. I'll add permalinks to the Vault source in the README for this internal module instead.

[pglass]

TODO: Figure out if the STSRegionalEndpoint config option takes care of this for us.

[rboyer]

Might want to carry more detail over from the vault equivalent field, or do so on the website pages describing this field: https://www.vaultproject.io/api-docs/auth/aws#iam_server_id_header_value

[pglass]

Yeah, I'll detail this in the docs on consul.io.

[pglass]

Created the following couple of issues to follow up on before 1.12 GA:

• IAM Auth Method: Remove stsSigningResolver? #12661
• IAM Auth Method: Documentation #12662

[hc-github-team-consul-core]

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/619124.