Merge pull request #3973 from c445/roehrijn/aws-profiles

feat(aws): use AWS profiles using .credentials file

docs/tutorials/aws.md

@@ -1,6 +1,6 @@
 # Setting up ExternalDNS for Services on AWS
 
-This tutorial describes how to setup ExternalDNS for usage within a Kubernetes cluster on AWS. Make sure to use **>=0.11.0** version of ExternalDNS for this tutorial
+This tutorial describes how to setup ExternalDNS for usage within a Kubernetes cluster on AWS. Make sure to use **>=0.15.0** version of ExternalDNS for this tutorial
 
 ## IAM Policy
 
@@ -232,6 +232,14 @@ kubectl create secret generic external-dns \
 
 Follow the steps under [Deploy ExternalDNS](#deploy-externaldns) using either RBAC or non-RBAC.  Make sure to uncomment the section that mounts volumes, so that the credentials can be mounted.
 
+> [!TIP]
+> By default ExternalDNS takes the profile named `default` from the credentials file. If you want to use a different 
+> profile, you can set the environment variable `EXTERNAL_DNS_AWS_PROFILE` to the desired profile name or use the 
+> `--aws-profile` command line argument. It is even possible to use more than one profile at ones, separated by space in
+> the environment variable `EXTERNAL_DNS_AWS_PROFILE` or by using `--aws-profile` multiple times. In this case 
+> ExternalDNS looks for the hosted zones in all profiles and keeps maintaining a mapping table between zone and profile 
+> in order to be able to modify the zones in the correct profile.
+
 ### IAM Roles for Service Accounts
 
 [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) ([IAM roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)) allows cluster operators to map AWS IAM Roles to Kubernetes Service Accounts.  This essentially allows only ExternalDNS pods to access Route53 without exposing any static credentials.

main.go

@@ -26,7 +26,6 @@ import (
 	"time"
 
 	awsSDK "github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/dynamodb"
 	"github.com/aws/aws-sdk-go/service/route53"
 	sd "github.com/aws/aws-sdk-go/service/servicediscovery"
@@ -194,20 +193,6 @@ func main() {
 	zoneTypeFilter := provider.NewZoneTypeFilter(cfg.AWSZoneType)
 	zoneTagFilter := provider.NewZoneTagFilter(cfg.AWSZoneTagFilter)
 
-	var awsSession *session.Session
-	if cfg.Provider == "aws" || cfg.Provider == "aws-sd" || cfg.Registry == "dynamodb" {
-		awsSession, err = aws.NewSession(
-			aws.AWSSessionConfig{
-				AssumeRole:           cfg.AWSAssumeRole,
-				AssumeRoleExternalID: cfg.AWSAssumeRoleExternalID,
-				APIRetries:           cfg.AWSAPIRetries,
-			},
-		)
-		if err != nil {
-			log.Fatal(err)
-		}
-	}
-
 	var p provider.Provider
 	switch cfg.Provider {
 	case "akamai":
@@ -226,6 +211,12 @@ func main() {
 	case "alibabacloud":
 		p, err = alibabacloud.NewAlibabaCloudProvider(cfg.AlibabaCloudConfigFile, domainFilter, zoneIDFilter, cfg.AlibabaCloudZoneType, cfg.DryRun)
 	case "aws":
+		sessions := aws.CreateSessions(cfg)
+		clients := make(map[string]aws.Route53API, len(sessions))
+		for profile, session := range sessions {
+			clients[profile] = route53.New(session)
+		}
+
 		p, err = aws.NewAWSProvider(
 			aws.AWSConfig{
 				DomainFilter:          domainFilter,
@@ -242,15 +233,15 @@ func main() {
 				DryRun:                cfg.DryRun,
 				ZoneCacheDuration:     cfg.AWSZoneCacheDuration,
 			},
-			route53.New(awsSession),
+			clients,
 		)
 	case "aws-sd":
 		// Check that only compatible Registry is used with AWS-SD
 		if cfg.Registry != "noop" && cfg.Registry != "aws-sd" {
 			log.Infof("Registry \"%s\" cannot be used with AWS Cloud Map. Switching to \"aws-sd\".", cfg.Registry)
 			cfg.Registry = "aws-sd"
 		}
-		p, err = awssd.NewAWSSDProvider(domainFilter, cfg.AWSZoneType, cfg.DryRun, cfg.AWSSDServiceCleanup, cfg.TXTOwnerID, sd.New(awsSession))
+		p, err = awssd.NewAWSSDProvider(domainFilter, cfg.AWSZoneType, cfg.DryRun, cfg.AWSSDServiceCleanup, cfg.TXTOwnerID, sd.New(aws.CreateDefaultSession(cfg)))
 	case "azure-dns", "azure":
 		p, err = azure.NewAzureProvider(cfg.AzureConfigFile, domainFilter, zoneNameFilter, zoneIDFilter, cfg.AzureSubscriptionID, cfg.AzureResourceGroup, cfg.AzureUserAssignedIdentityClientID, cfg.AzureActiveDirectoryAuthorityHost, cfg.DryRun)
 	case "azure-private-dns":
@@ -417,7 +408,7 @@ func main() {
 		if cfg.AWSDynamoDBRegion != "" {
 			config = config.WithRegion(cfg.AWSDynamoDBRegion)
 		}
-		r, err = registry.NewDynamoDBRegistry(p, cfg.TXTOwnerID, dynamodb.New(awsSession, config), cfg.AWSDynamoDBTable, cfg.TXTPrefix, cfg.TXTSuffix, cfg.TXTWildcardReplacement, cfg.ManagedDNSRecordTypes, cfg.ExcludeDNSRecordTypes, []byte(cfg.TXTEncryptAESKey), cfg.TXTCacheInterval)
+		r, err = registry.NewDynamoDBRegistry(p, cfg.TXTOwnerID, dynamodb.New(aws.CreateDefaultSession(cfg), config), cfg.AWSDynamoDBTable, cfg.TXTPrefix, cfg.TXTSuffix, cfg.TXTWildcardReplacement, cfg.ManagedDNSRecordTypes, cfg.ExcludeDNSRecordTypes, []byte(cfg.TXTEncryptAESKey), cfg.TXTCacheInterval)
 	case "noop":
 		r, err = registry.NewNoopRegistry(p)
 	case "txt":

pkg/apis/externaldns/types.go

@@ -84,6 +84,7 @@ type Config struct {
 	AWSZoneType                        string
 	AWSZoneTagFilter                   []string
 	AWSAssumeRole                      string
+	AWSProfiles                        []string
 	AWSAssumeRoleExternalID            string
 	AWSBatchChangeSize                 int
 	AWSBatchChangeSizeBytes            int
@@ -468,6 +469,7 @@ func (cfg *Config) ParseFlags(args []string) error {
 	app.Flag("alibaba-cloud-zone-type", "When using the Alibaba Cloud provider, filter for zones of this type (optional, options: public, private)").Default(defaultConfig.AlibabaCloudZoneType).EnumVar(&cfg.AlibabaCloudZoneType, "", "public", "private")
 	app.Flag("aws-zone-type", "When using the AWS provider, filter for zones of this type (optional, options: public, private)").Default(defaultConfig.AWSZoneType).EnumVar(&cfg.AWSZoneType, "", "public", "private")
 	app.Flag("aws-zone-tags", "When using the AWS provider, filter for zones with these tags").Default("").StringsVar(&cfg.AWSZoneTagFilter)
+	app.Flag("aws-profile", "When using the AWS provider, name of the profile to use").Default("").StringsVar(&cfg.AWSProfiles)
 	app.Flag("aws-assume-role", "When using the AWS API, assume this IAM role. Useful for hosted zones in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123455567:role/external-dns` (optional)").Default(defaultConfig.AWSAssumeRole).StringVar(&cfg.AWSAssumeRole)
 	app.Flag("aws-assume-role-external-id", "When using the AWS API and assuming a role then specify this external ID` (optional)").Default(defaultConfig.AWSAssumeRoleExternalID).StringVar(&cfg.AWSAssumeRoleExternalID)
 	app.Flag("aws-batch-change-size", "When using the AWS provider, set the maximum number of changes that will be applied in each batch.").Default(strconv.Itoa(defaultConfig.AWSBatchChangeSize)).IntVar(&cfg.AWSBatchChangeSize)

pkg/apis/externaldns/types_test.go

@@ -65,6 +65,7 @@ var (
 		AWSEvaluateTargetHealth:     true,
 		AWSAPIRetries:               3,
 		AWSPreferCNAME:              false,
+		AWSProfiles:                 []string{""},
 		AWSZoneCacheDuration:        0 * time.Second,
 		AWSSDServiceCleanup:         false,
 		AWSDynamoDBTable:            "external-dns",
@@ -171,6 +172,7 @@ var (
 		AWSEvaluateTargetHealth:     false,
 		AWSAPIRetries:               13,
 		AWSPreferCNAME:              true,
+		AWSProfiles:                 []string{"profile1", "profile2"},
 		AWSZoneCacheDuration:        10 * time.Second,
 		AWSSDServiceCleanup:         true,
 		AWSDynamoDBTable:            "custom-table",
@@ -342,6 +344,8 @@ func TestParseFlags(t *testing.T) {
 				"--aws-batch-change-interval=2s",
 				"--aws-api-retries=13",
 				"--aws-prefer-cname",
+				"--aws-profile=profile1",
+				"--aws-profile=profile2",
 				"--aws-zones-cache-duration=10s",
 				"--aws-sd-service-cleanup",
 				"--no-aws-evaluate-target-health",
@@ -460,6 +464,7 @@ func TestParseFlags(t *testing.T) {
 				"EXTERNAL_DNS_AWS_EVALUATE_TARGET_HEALTH":      "0",
 				"EXTERNAL_DNS_AWS_API_RETRIES":                 "13",
 				"EXTERNAL_DNS_AWS_PREFER_CNAME":                "true",
+				"EXTERNAL_DNS_AWS_PROFILE":                     "profile1\nprofile2",
 				"EXTERNAL_DNS_AWS_ZONES_CACHE_DURATION":        "10s",
 				"EXTERNAL_DNS_AWS_SD_SERVICE_CLEANUP":          "true",
 				"EXTERNAL_DNS_DYNAMODB_TABLE":                  "custom-table",