Dockerfile

-Original file line number
+Diff line change
@@ -0,0 +1,5 @@
+    FROM gcr.io/distroless/static-debian12:nonroot
+    COPY baton-aws /baton-aws
+    ENTRYPOINT ["/baton-aws"]

pkg/config/config.go

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -115,13 +115,18 @@ func ValidateExternalId(input string) error {
  
    // validateConfig is run after the configuration is loaded, and should return an error if it isn't valid.

    func ValidateConfig(ctx context.Context, awsc *Aws) error {

    	if awsc.GetBool(UseAssumeField.FieldName) {

    		err := ValidateExternalId(awsc.GetString(ExternalIdField.FieldName))

    		err := connector.IsValidRoleARN(awsc.GetString(RoleArnField.FieldName))

    		if err != nil {

    			return err

    		}

    		err = connector.IsValidRoleARN(awsc.GetString(RoleArnField.FieldName))

    		if err != nil {

    			return err

    		// Only validate external-id for two-hop mode (when global-role-arn is set)

    		// Single-hop mode (IRSA → target role) doesn't require external-id

    		globalRoleArn := awsc.GetString(GlobalRoleArnField.FieldName)

    		if globalRoleArn != "" {

    			err = ValidateExternalId(awsc.GetString(ExternalIdField.FieldName))

    			if err != nil {

    				return err

    			}

    		}

    	}

    	return nil

    @@ -153,7 +158,6 @@ var Config = field.NewConfiguration(
  
    				UseAssumeField,

    			},

    			[]field.SchemaField{

    				ExternalIdField,

    				RoleArnField,

    			},

    		)),

pkg/connector/connector.go

-Original file line number
+Diff line change
@@ Expand Up @@
     				return o.baseConfig, nil
     			}
     			l := ctxzap.Extract(ctx)
-    			// ok, if we are an instance, we do the assumeRole twice, first time from our Instance role, INTO the binding account
+    			// Single-hop mode: when globalRoleARN is empty, assume directly into roleARN
+    			// This supports self-hosted deployments (e.g., EKS with IRSA) that don't need
+    			// an intermediate binding account.
+    			if o.globalRoleARN == "" && o.roleARN != "" {
+    				l.Debug("aws-connector: using single-hop assume role mode",
+    					zap.String("role_arn", o.roleARN),
+    				)
+    				stsSvc := sts.NewFromConfig(o.baseConfig)
+    				callingCreds := awsSdk.NewCredentialsCache(stscreds.NewAssumeRoleProvider(stsSvc, o.roleARN, func(aro *stscreds.AssumeRoleOptions) {
+    					if o.externalID != "" {
+    						aro.ExternalID = awsSdk.String(o.externalID)
+    					}
+    				}))
+    				_, err := callingCreds.Retrieve(ctx)
+    				if err != nil {
+    					return awsSdk.Config{}, fmt.Errorf("aws-connector: failed to assume role into '%s': %w", o.roleARN, err)
+    				}
+    				return awsSdk.Config{
+    					HTTPClient:   o.baseClient,
+    					Region:       region,
+    					DefaultsMode: awsSdk.DefaultsModeInRegion,
+    					Credentials:  callingCreds,
+    				}, nil
+    			}
+    			// Two-hop mode: if we are an instance, we do the assumeRole twice, first time from our Instance role, INTO the binding account
     			// and from there, into the customer account.
     			stsSvc := sts.NewFromConfig(o.baseConfig)
     			bindingCreds := awsSdk.NewCredentialsCache(stscreds.NewAssumeRoleProvider(stsSvc, o.globalRoleARN, func(aro *stscreds.AssumeRoleOptions) {
@@ Expand Down @@

[CXP-35] feat: add single-hop assume role for self-hosted deployments #99

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

johnallers merged 2 commits into ConductorOne:main from abebars:feat/single-hop-assume-role

Jan 30, 2026

-Original file line number
+Diff line change
@@ -0,0 +1,5 @@
+    FROM gcr.io/distroless/static-debian12:nonroot
+    COPY baton-aws /baton-aws
+    ENTRYPOINT ["/baton-aws"]

-Original file line number
+Diff line change
@@ Expand Up @@
     				return o.baseConfig, nil
     			}
     			l := ctxzap.Extract(ctx)
-    			// ok, if we are an instance, we do the assumeRole twice, first time from our Instance role, INTO the binding account
+    			// Single-hop mode: when globalRoleARN is empty, assume directly into roleARN
+    			// This supports self-hosted deployments (e.g., EKS with IRSA) that don't need
+    			// an intermediate binding account.
+    			if o.globalRoleARN == "" && o.roleARN != "" {
+    				l.Debug("aws-connector: using single-hop assume role mode",
+    					zap.String("role_arn", o.roleARN),
+    				)
+    				stsSvc := sts.NewFromConfig(o.baseConfig)
+    				callingCreds := awsSdk.NewCredentialsCache(stscreds.NewAssumeRoleProvider(stsSvc, o.roleARN, func(aro *stscreds.AssumeRoleOptions) {
+    					if o.externalID != "" {
+    						aro.ExternalID = awsSdk.String(o.externalID)
+    					}
+    				}))
+    				_, err := callingCreds.Retrieve(ctx)
+    				if err != nil {
+    					return awsSdk.Config{}, fmt.Errorf("aws-connector: failed to assume role into '%s': %w", o.roleARN, err)
+    				}
+    				return awsSdk.Config{
+    					HTTPClient:   o.baseClient,
+    					Region:       region,
+    					DefaultsMode: awsSdk.DefaultsModeInRegion,
+    					Credentials:  callingCreds,
+    				}, nil
+    			}
+    			// Two-hop mode: if we are an instance, we do the assumeRole twice, first time from our Instance role, INTO the binding account
     			// and from there, into the customer account.
     			stsSvc := sts.NewFromConfig(o.baseConfig)
     			bindingCreds := awsSdk.NewCredentialsCache(stscreds.NewAssumeRoleProvider(stsSvc, o.globalRoleARN, func(aro *stscreds.AssumeRoleOptions) {
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CXP-35] feat: add single-hop assume role for self-hosted deployments #99

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!