Add AWS AssumeRole support to AWS KMS (#2379)

Author: rayokota

src/Confluent.SchemaRegistry.Encryption.Aws/AwsKmsDriver.cs

@@ -1,5 +1,7 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 using Amazon.Runtime;
+using Amazon.Runtime.CredentialManagement;
 
 namespace Confluent.SchemaRegistry.Encryption.Aws
 {
@@ -13,20 +15,73 @@ public static void Register()
         public static readonly string Prefix = "aws-kms://";
         public static readonly string AccessKeyId = "access.key.id";
         public static readonly string SecretAccessKey = "secret.access.key";
-        
+        public static readonly string Profile = "profile";
+        public static readonly string RoleArn = "role.arn";
+        public static readonly string RoleSessionName = "role.session.name";
+        public static readonly string RoleExternalId = "role.external.id";
+
         public string GetKeyUrlPrefix()
         {
             return Prefix;
         }
 
         public IKmsClient NewKmsClient(IDictionary<string, string> config, string keyUrl)
         {
+            config.TryGetValue(RoleArn, out string roleArn);
+            if (roleArn == null)
+            {
+                roleArn = Environment.GetEnvironmentVariable("AWS_ROLE_ARN");
+            }
+            config.TryGetValue(RoleSessionName, out string roleSessionName);
+            if (roleSessionName == null)
+            {
+                roleSessionName = Environment.GetEnvironmentVariable("AWS_ROLE_SESSION_NAME");
+            }
+            config.TryGetValue(RoleExternalId, out string roleExternalId);
+            if (roleExternalId == null)
+            {
+                roleExternalId = Environment.GetEnvironmentVariable("AWS_ROLE_EXTERNAL_ID");
+            }
             AWSCredentials credentials = null;
             if (config.TryGetValue(AccessKeyId, out string accessKeyId) 
                 && config.TryGetValue(SecretAccessKey, out string secretAccessKey))
             {
                 credentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);
             }
+            else if (config.TryGetValue(Profile, out string profile))
+            {
+                var credentialProfileStoreChain = new CredentialProfileStoreChain();
+                if (credentialProfileStoreChain.TryGetAWSCredentials(
+                        profile, out AWSCredentials creds))
+                    credentials = creds;
+            }
+            if (credentials == null)
+            {
+                credentials = FallbackCredentialsFactory.GetCredentials();
+            }
+            if (roleArn != null)
+            {
+                if (string.IsNullOrEmpty(roleExternalId))
+                {
+                    credentials = new AssumeRoleAWSCredentials(
+                        credentials,
+                        roleArn,
+                        roleSessionName ?? "confluent-encrypt");
+                }
+                else
+                {
+                    var options = new AssumeRoleAWSCredentialsOptions
+                    {
+                        ExternalId = roleExternalId
+                    };
+
+                    credentials = new AssumeRoleAWSCredentials(
+                        credentials,
+                        roleArn,
+                        roleSessionName ?? "confluent-encrypt",
+                        options);
+                }
+            }
             return new AwsKmsClient(keyUrl, credentials);
         }
     }

src/Confluent.SchemaRegistry.Encryption.Aws/Confluent.SchemaRegistry.Encryption.Aws.csproj

@@ -29,7 +29,8 @@
     </ItemGroup>
 
     <ItemGroup>
-        <PackageReference Include="AWSSDK.KeyManagementService" Version="3.7.302.19" />
+        <PackageReference Include="AWSSDK.KeyManagementService" Version="3.7.400.61" />
+        <PackageReference Include="AWSSDK.SecurityToken" Version="3.7.401.10" />
     </ItemGroup>
 
     <ItemGroup>