Migrate AWS OpenSearch requests signing credential generation to AWS SDK V2

[gabrielcorado]

Related to #14142

This PR updates the AWS signing service to accept using the AWS config provider (which uses AWS SDK V2). OpenSearch uses the service to sign the requests.

Note that the signer part still uses the SDK V1 signer (with the NewSignerV2 helper function). So, no changes are required to the signing logic for now. This will be updated in future PRs.

[GavinFrazar]

Nice! I like how this makes it easy to migrate each dependent service in small PRs

[GavinFrazar]

I took another look at this and it won't match prior behavior because the engine will not assume the role from the db AWS metadata to chain the roles together.

We can fix that by adding e.sessionCtx.Database.GetAWS().AssumeRoleARN to the SigningCtx and passing it when we call SignRequest.

Alternatively, we could add it to the SigningServiceConfig, e.g

func (s *SigningService) newSigner(ctx context.Context, signCtx *SigningCtx) (*v4.Signer, error) {
	if s.AWSConfigProvider != nil {
		awsCfg, err := s.AWSConfigProvider.GetConfig(ctx, signCtx.SigningRegion,
			awsconfig.WithAssumeRole(s.AWSRoleArn, s.AWSExternalID),
			awsconfig.WithAssumeRole(signCtx.AWSRoleArn, signCtx.AWSExternalID),

[gabrielcorado]

Thanks for pointing it out. I've updated the SigningCtx to accept a base role.

Also, @smallinsky, if you can take a look at this, thanks!

[smallinsky]

LGTM if tested

[greedy52]

		awsCfg, err := s.AWSConfigProvider.GetConfig(ctx, signCtx.SigningRegion,
			awsconfig.WithAssumeRole(signCtx.BaseAWSRoleARN, signCtx.AWSExternalID),
			awsconfig.WithAssumeRole(signCtx.AWSRoleArn, signCtx.AWSExternalID),
			awsconfig.WithCredentialsMaybeIntegration(signCtx.Integration),

Does that mean the existing code uses external ID twice for opensearch when chained? That would be a bug if we want to keep the logic consistent with other database types. Though I agree we should keep it backwards compatible for now. The problem is this logic in SignerService would need a variant if used for other database types.

At this point, i would rather make the GetConfig call outside signing service to avoid passing in so many things to the signing ctx and to keep SigningService single purpose.

[GavinFrazar]

Does that mean the existing code uses external ID twice for opensearch when chained

Yes. It should have been chained like this:

teleport/lib/srv/db/dynamodb/engine.go

Lines 233 to 236 in c6b09ce

	if meta.AssumeRoleARN == "" {
	signingCtx.AWSExternalID = meta.ExternalID
	}
	signedReq, err := signer.SignRequest(e.Context, outReq, signingCtx)

At this point, i would rather make the GetConfig call outside signing service to avoid passing in so many things to the signing ctx and to keep SigningService single purpose.

I agree that we should reduce the scope of signing service responsibilities.
I think if we take this suggestion then we can just do it for v2 sdk credentials for now and keep the prior behavior where signing service makes STS assume role call based on the signing ctx role arn for sdk v1.

[gabrielcorado]

@GavinFrazar @greedy52 I've kept this change as simple as possible by adding another parameter to the SigingCtx and having the caller decide how to specify the external IDs.

This isn't ideal, but since the signing service will be reworked during the SDK V2 migration, any improvements on the API definition should come from there because we'll know precisely the requirements for V2. We'll also consider the app access usage.