Description
Is your feature request related to a problem? Please describe.
Hello everyone,
I believe that this feature is not supported by the current plugin version, but it would help to have, for example, a variable in the plugin configuration that can be set to an IAM role to be assumed, so that secrets can be fetched from a different account.
We already have fetching of the secrets working cross-account, but that also involves creating a custom KMS key and modifying the secret policies; on the other hand, if the plugin could assume a role in another account, it would have direct access to the secrets in that account.
In our current configuration the Reposerver pod has an IRSA role configured. To access secrets in the same AWS account, that IRSA role only needs to have a policy attached with secretsmanager:GetSecretValue.
To be able to fetch secrets from another account we need to follow these steps:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html
It involves:
- Creating a KMS key and allowing the current IRSA role to Decrypt with that KMS key
- Encrypting the secret that we want to access with that KMS key and allowing the current IRSA role to access it with a policy inside the secret
- Adding the Decrypt permission for the created KMS key to the IRSA role
Even including, on the IRSA account, a policy to assume a role that has secretsmanager:GetSecretValue permissions in the destination account does not work on its own; checking the access logs for the IRSA role, the AWS Security Token Service is never accessed, which means that no attempt was made to assume a role.
We have another service configured using IRSA, and inside the code we explicitly assume the destination role; this way the secrets, encrypted with the default AWS KMS key, can be fully read just by using the full ARN of the secret.
My suggestion would be to configure this using an environment variable in the backend setup, such as AWS_ASSUME_ROLE.
Inside the plugin code, if this variable is present, an aws sts assume-role call would be made and access provided that way, assuming that all the needed IAM policies and roles are already created in both accounts:
- A policy attached to the IRSA role that allows assuming the role in the destination account
- A role in the destination account that allows the role in the source account to assume it
- A policy in the destination account with secretsmanager:GetSecretValue attached to that role
EDIT
In these lines we can see the available authentication methods:
https://github.com/argoproj-labs/argocd-vault-plugin/blob/main/pkg/config/config_test.go#L116-L132
Thank you
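The three IAM documents that the request above lists (the assume-role policy on the source IRSA role, the trust policy on the destination role, and the GetSecretValue permissions policy on the destination role) are easy to get wrong in the way they reference each other. The following Go program is an added example, not code from argocd-vault-plugin or from the issue author; it builds the three documents from a source role ARN, a destination role ARN and a secret ARN, and prints them as JSON. All ARNs, account ids and names in it are constructed placeholders. The trust policy is deliberately scoped to the single source role rather than the whole source account, and the permissions policy to the single secret, which is the least-privilege wiring a reviewer would want to see.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is one IAM policy statement. Principal is only populated in a
// role trust policy; Resource is only populated in a permissions policy.
type Statement struct {
	Effect    string            `json:"Effect"`
	Principal map[string]string `json:"Principal,omitempty"`
	Action    string            `json:"Action"`
	Resource  string            `json:"Resource,omitempty"`
}

// PolicyDocument is the minimal shape of an IAM policy document.
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// CrossAccountPolicies holds the three documents the request lists, one per
// field, so each can be attached in the account it belongs to.
type CrossAccountPolicies struct {
	SourceAssumePolicy       PolicyDocument // source account: attached to the IRSA role
	DestinationTrustPolicy   PolicyDocument // destination account: trust policy of the role to assume
	DestinationSecretsPolicy PolicyDocument // destination account: permissions of that role
}

const policyVersion = "2012-10-17"

// isRoleARN is a shape check only; it does not validate the account id.
func isRoleARN(arn string) bool {
	return strings.HasPrefix(arn, "arn:aws:iam::") && strings.Contains(arn, ":role/")
}

// BuildCrossAccountPolicies wires the three documents together: the trust
// policy names exactly the source IRSA role (not the whole source account),
// the assume policy names exactly the destination role, and the secrets
// policy grants GetSecretValue on exactly the given secret ARN.
func BuildCrossAccountPolicies(sourceRoleARN, destRoleARN, secretARN string) (CrossAccountPolicies, error) {
	for _, arn := range []string{sourceRoleARN, destRoleARN} {
		if !isRoleARN(arn) {
			return CrossAccountPolicies{}, fmt.Errorf("not an IAM role ARN: %q", arn)
		}
	}
	if !strings.HasPrefix(secretARN, "arn:aws:secretsmanager:") {
		return CrossAccountPolicies{}, fmt.Errorf("not a Secrets Manager ARN: %q", secretARN)
	}
	return CrossAccountPolicies{
		SourceAssumePolicy: PolicyDocument{Version: policyVersion, Statement: []Statement{{
			Effect: "Allow", Action: "sts:AssumeRole", Resource: destRoleARN,
		}}},
		DestinationTrustPolicy: PolicyDocument{Version: policyVersion, Statement: []Statement{{
			Effect: "Allow", Principal: map[string]string{"AWS": sourceRoleARN}, Action: "sts:AssumeRole",
		}}},
		DestinationSecretsPolicy: PolicyDocument{Version: policyVersion, Statement: []Statement{{
			Effect: "Allow", Action: "secretsmanager:GetSecretValue", Resource: secretARN,
		}}},
	}, nil
}

// ToJSON renders a document in the form the IAM console or CLI accepts.
func ToJSON(doc PolicyDocument) (string, error) {
	b, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample ARNs; account ids and names are placeholders.
	p, err := BuildCrossAccountPolicies(
		"arn:aws:iam::111111111111:role/argocd-repo-server-irsa",
		"arn:aws:iam::222222222222:role/argocd-secrets-reader",
		"arn:aws:secretsmanager:eu-west-1:222222222222:secret:app/db-creds-AbCdEf",
	)
	if err != nil {
		panic(err)
	}
	for name, doc := range map[string]PolicyDocument{
		"source: assume policy on the IRSA role":      p.SourceAssumePolicy,
		"destination: trust policy of the role":       p.DestinationTrustPolicy,
		"destination: permissions policy of the role": p.DestinationSecretsPolicy,
	} {
		s, _ := ToJSON(doc)
		fmt.Printf("# %s\n%s\n\n", name, s)
	}
}
```

Note that the assume policy and the trust policy are two halves of one grant: without the trust policy in the destination account, sts:AssumeRole from the source role is denied even if the source policy allows it, and without the source policy the IRSA role never calls STS at all, which matches the symptom described above of STS never appearing in the access logs.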