[RFC-0010] Add multi-tenant workload identity support for AWS Bucket

cappyzawa · cappyzawa · commit f30c0761f7c4 · 2025-08-13T23:42:11.000+09:00
Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/api/v1/bucket_types.go b/api/v1/bucket_types.go
@@ -33,7 +33,8 @@ const (
 	// BucketProviderGeneric for any S3 API compatible storage Bucket.
 	BucketProviderGeneric string = "generic"
 	// BucketProviderAmazon for an AWS S3 object storage Bucket.
-	// Provides support for retrieving credentials from the AWS EC2 service.
+	// Provides support for retrieving credentials from the AWS EC2 service
+	// and workload identity authentication.
 	BucketProviderAmazon string = "aws"
 	// BucketProviderGoogle for a Google Cloud Storage Bucket.
 	// Provides support for authentication using a workload identity.
@@ -51,7 +52,7 @@ const (
 // +kubebuilder:validation:XValidation:rule="self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap'", message="'ldap' is the only supported STS provider for the 'generic' Bucket provider"
 // +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef)", message="spec.sts.secretRef is not required for the 'aws' STS provider"
 // +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef)", message="spec.sts.certSecretRef is not required for the 'aws' STS provider"
-// +kubebuilder:validation:XValidation:rule="self.provider == 'gcp' || !has(self.serviceAccountName)", message="ServiceAccountName is only supported for the 'gcp' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="self.provider == 'gcp' || self.provider == 'aws' || !has(self.serviceAccountName)", message="ServiceAccountName is only supported for the 'gcp' and 'aws' Bucket providers"
 // +kubebuilder:validation:XValidation:rule="!has(self.secretRef) || !has(self.serviceAccountName)", message="cannot set both .spec.secretRef and .spec.serviceAccountName"
 type BucketSpec struct {
 	// Provider of the object storage bucket.
@@ -96,7 +97,8 @@ type BucketSpec struct {
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
 	// ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
-	// the bucket. For more information about workload identity:
+	// the bucket. This field is only supported for the 'gcp' and 'aws' providers.
+	// For more information about workload identity:
 	// https://fluxcd.io/flux/components/source/buckets/#workload-identity
 	// +optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml b/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml
@@ -145,7 +145,8 @@ spec:
               serviceAccountName:
                 description: |-
                   ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
-                  the bucket. For more information about workload identity:
+                  the bucket. This field is only supported for the 'gcp' and 'aws' providers.
+                  For more information about workload identity:
                   https://fluxcd.io/flux/components/source/buckets/#workload-identity
                 type: string
               sts:
@@ -238,8 +239,9 @@ spec:
               rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.secretRef)'
             - message: spec.sts.certSecretRef is not required for the 'aws' STS provider
               rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.certSecretRef)'
-            - message: ServiceAccountName is only supported for the 'gcp' Bucket provider
-              rule: self.provider == 'gcp' || !has(self.serviceAccountName)
+            - message: ServiceAccountName is only supported for the 'gcp' and 'aws'
+                Bucket providers
+              rule: self.provider == 'gcp' || self.provider == 'aws' || !has(self.serviceAccountName)
             - message: cannot set both .spec.secretRef and .spec.serviceAccountName
               rule: '!has(self.secretRef) || !has(self.serviceAccountName)'
           status:
diff --git a/docs/api/v1/source.md b/docs/api/v1/source.md
@@ -190,7 +190,8 @@ string
 <td>
 <em>(Optional)</em>
 <p>ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
-the bucket. For more information about workload identity:
+the bucket. This field is only supported for the &lsquo;gcp&rsquo; and &lsquo;aws&rsquo; providers.
+For more information about workload identity:
 <a href="https://fluxcd.io/flux/components/source/buckets/#workload-identity">https://fluxcd.io/flux/components/source/buckets/#workload-identity</a></p>
 </td>
 </tr>
@@ -1646,7 +1647,8 @@ string
 <td>
 <em>(Optional)</em>
 <p>ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
-the bucket. For more information about workload identity:
+the bucket. This field is only supported for the &lsquo;gcp&rsquo; and &lsquo;aws&rsquo; providers.
+For more information about workload identity:
 <a href="https://fluxcd.io/flux/components/source/buckets/#workload-identity">https://fluxcd.io/flux/components/source/buckets/#workload-identity</a></p>
 </td>
 </tr>
diff --git a/internal/bucket/minio/minio.go b/internal/bucket/minio/minio.go
@@ -30,6 +30,9 @@ import (
 	"github.com/minio/minio-go/v7/pkg/s3utils"
 	corev1 "k8s.io/api/core/v1"
 
+	"github.com/fluxcd/pkg/auth"
+	awsauth "github.com/fluxcd/pkg/auth/aws"
+
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 
@@ -46,6 +49,7 @@ type options struct {
 	tlsConfig    *tls.Config
 	stsTLSConfig *tls.Config
 	proxyURL     *url.URL
+	authOpts     []auth.Option
 }
 
 // Option is a function that configures the Minio client.
@@ -86,8 +90,15 @@ func WithSTSTLSConfig(tlsConfig *tls.Config) Option {
 	}
 }
 
+// WithAuth sets the auth options for workload identity authentication.
+func WithAuth(authOpts ...auth.Option) Option {
+	return func(o *options) {
+		o.authOpts = authOpts
+	}
+}
+
 // NewClient creates a new Minio storage client.
-func NewClient(bucket *sourcev1.Bucket, opts ...Option) (*MinioClient, error) {
+func NewClient(ctx context.Context, bucket *sourcev1.Bucket, opts ...Option) (*MinioClient, error) {
 	var o options
 	for _, opt := range opts {
 		opt(&o)
@@ -105,7 +116,11 @@ func NewClient(bucket *sourcev1.Bucket, opts ...Option) (*MinioClient, error) {
 	case o.secret != nil:
 		minioOpts.Creds = newCredsFromSecret(o.secret)
 	case bucketProvider == sourcev1.BucketProviderAmazon:
-		minioOpts.Creds = newAWSCreds(bucket, o.proxyURL)
+		creds, err := newAWSCreds(ctx, o.authOpts)
+		if err != nil {
+			return nil, err
+		}
+		minioOpts.Creds = creds
 	case bucketProvider == sourcev1.BucketProviderGeneric:
 		minioOpts.Creds = newGenericCreds(bucket, &o)
 	}
@@ -159,23 +174,42 @@ func newCredsFromSecret(secret *corev1.Secret) *credentials.Credentials {
 }
 
 // newAWSCreds creates a new Minio credentials object for `aws` bucket provider.
-func newAWSCreds(bucket *sourcev1.Bucket, proxyURL *url.URL) *credentials.Credentials {
-	stsEndpoint := ""
-	if sts := bucket.Spec.STS; sts != nil {
-		stsEndpoint = sts.Endpoint
-	}
-
-	creds := credentials.NewIAM(stsEndpoint)
-	if proxyURL != nil {
-		transport := http.DefaultTransport.(*http.Transport).Clone()
-		transport.Proxy = http.ProxyURL(proxyURL)
-		client := &http.Client{Transport: transport}
-		creds = credentials.New(&credentials.IAM{
-			Client:   client,
-			Endpoint: stsEndpoint,
-		})
+//
+// This function is only called when Secret authentication is not available.
+//
+// Authentication flow:
+// 1. Try Workload Identity authentication first
+//   - Object-Level: When ServiceAccount is specified (fails with error if unsuccessful)
+//   - Controller-Level: When no ServiceAccount specified (fallback to IAM if fails)
+//
+// 2. IAM Fallback: Only for Controller-Level failures
+//   - Uses MinIO's credentials.NewIAM("") for EC2 instance profiles,
+//     environment variables, or other AWS credential chain methods
+func newAWSCreds(ctx context.Context, authOpts []auth.Option) (*credentials.Credentials, error) {
+	// Check if this is Object-Level (ServiceAccount specified) or Controller-Level
+	var opts auth.Options
+	opts.Apply(authOpts...)
+	isObjectLevel := opts.ServiceAccount != nil
+
+	// Try Workload Identity authentication
+	awsCredsProvider := awsauth.NewCredentialsProvider(ctx, authOpts...)
+
+	awsCreds, err := awsCredsProvider.Retrieve(ctx)
+	if err != nil {
+		// Object-Level: Don't fallback, fail with wrapped error
+		if isObjectLevel {
+			return nil, fmt.Errorf("object-level workload identity authentication failed: %w", err)
+		}
+		// Controller-Level: Fallback to traditional IAM authentication
+		return credentials.NewIAM(""), nil
 	}
-	return creds
+
+	// Use retrieved Workload Identity credentials
+	return credentials.NewStaticV4(
+		awsCreds.AccessKeyID,
+		awsCreds.SecretAccessKey,
+		awsCreds.SessionToken,
+	), nil
 }
 
 // newGenericCreds creates a new Minio credentials object for the `generic` bucket provider.
diff --git a/internal/bucket/minio/minio_test.go b/internal/bucket/minio/minio_test.go
diff --git a/internal/controller/bucket_controller.go b/internal/controller/bucket_controller.go
