OpenShift Logging / LOG-7687

Implement assume-role to enable cross-account forwarding


    • Epic
    • Resolution: Unresolved
    • Priority: Normal
    • Logging 6.4.0
    • Log Collection
    • Epic name: Implement cloudwatch cross-account forwarding
    • Product / Portfolio Work
    • NEW
    • Administer, API, Deploy, Release Notes
    • In Progress
    • OBSDA-1099 - Add support for AWS S3 output
    • 33% To Do, 67% In Progress, 0% Done
    • Enhancement
    • M

      Goals

      Expand the scope of work done by @amador in LOG-7505 to allow the assumeRole option for both types of cloudwatch authentication.

      Non-Goals

      This is not a complete refactor of aws auth

      Motivation

      The original effort (LOG-7505) restricted cross-account forwarding to the `type: iamRole` cloudwatch authentication. Further work showed that the same assume-role logic applies unchanged to `type: awsAccessKey`: the only difference is the base credential (an OIDC web-identity token versus a long-lived access key pair), after which the sts:AssumeRole step is identical. Supporting both keeps the cloudwatch auth code on a shared set of methods and prepares the module for the pending S3 integration, which will use the same auth package.

      Alternatives

      Release as is with limited functionality

      Acceptance Criteria

      • Can assumeRole and forward to a cross-account role with auth type: iamRole (OIDC/web-identity auth on an STS-enabled cluster)
      • The externalID field can be used with iamRole auth
      • Can assumeRole and forward to a cross-account role or user using long-lived credentials of type: awsAccessKey for the initial auth (non-STS cluster)
      • The externalID field can be used with awsAccessKey auth
      • The new assumeRole field in the secret is validated as a well-formed IAM ARN (role or user)
      • An error is written to the collector log if the role/user permissions are not valid
      • Documentation covers both auth types and how to configure the required IAM policies
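
The ARN validation and the policy documentation called for above, as an added example in Go. This is not code from LOG-7505 or the logging operator; the type `IAMPrincipal` and the functions `ParseIAMPrincipalARN`, `TrustPolicy` and `CrossAccount` are hypothetical names, and the account IDs and principal names are constructed sample values. It validates the assumeRole value the way the acceptance criterion asks (IAM role or user ARN, all three AWS partitions, optional path) and renders the trust policy the target-account role needs, with the sts:ExternalId condition that gives the externalID field its meaning. The same validator and policy apply whether the base credential is the OIDC-backed role (type: iamRole) or the IAM user behind long-lived keys (type: awsAccessKey), which is the point of the motivation above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// IAMPrincipal is the parsed form of an IAM role or user ARN.
// Hypothetical type, not the operator's own.
type IAMPrincipal struct {
	Partition string // aws, aws-cn or aws-us-gov
	AccountID string // 12-digit account number
	Kind      string // "role" or "user"
	Name      string // final path element, as IAM reports it
}

// iamARNRe accepts only IAM role/user ARNs: a known partition, the empty region IAM uses,
// a 12-digit account, optional path segments and a 1..64 character name from the IAM charset.
var iamARNRe = regexp.MustCompile(
	`^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):(role|user)/((?:[\w+=,.@-]+/)*)([\w+=,.@-]{1,64})$`)

// ParseIAMPrincipalARN validates the assumeRole value read from the secret. S3 ARNs, short
// account IDs, group ARNs and bare names are rejected so the collector fails at configuration
// time rather than on its first sts:AssumeRole call.
func ParseIAMPrincipalARN(arn string) (IAMPrincipal, error) {
	m := iamARNRe.FindStringSubmatch(strings.TrimSpace(arn))
	if m == nil {
		return IAMPrincipal{}, fmt.Errorf(
			"invalid assumeRole ARN %q: want arn:<partition>:iam::<12-digit-account>:(role|user)/<name>", arn)
	}
	return IAMPrincipal{Partition: m[1], AccountID: m[2], Kind: m[3], Name: m[5]}, nil
}

// TrustPolicy renders the trust policy the role in the target account needs so that the
// collector's principal in the source account (the OIDC-backed role for type: iamRole, or the
// IAM user behind the long-lived keys for type: awsAccessKey) may call sts:AssumeRole on it.
// A non-empty externalID pins the statement with an sts:ExternalId condition, so a caller that
// knows the role ARN but not the external ID is refused.
func TrustPolicy(sourcePrincipalARN, externalID string) (string, error) {
	if _, err := ParseIAMPrincipalARN(sourcePrincipalARN); err != nil {
		return "", fmt.Errorf("trust policy principal: %w", err)
	}
	stmt := map[string]any{
		"Effect":    "Allow",
		"Principal": map[string]string{"AWS": strings.TrimSpace(sourcePrincipalARN)},
		"Action":    "sts:AssumeRole",
	}
	if externalID != "" {
		stmt["Condition"] = map[string]any{
			"StringEquals": map[string]string{"sts:ExternalId": externalID},
		}
	}
	doc := map[string]any{"Version": "2012-10-17", "Statement": []any{stmt}}
	b, err := json.MarshalIndent(doc, "", "  ") // map keys are emitted sorted, so output is stable
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// CrossAccount reports whether the assumeRole target lives in a different account than the
// base principal; a same-account target is a misconfiguration worth surfacing in the log.
func CrossAccount(source, target IAMPrincipal) bool {
	return source.AccountID != target.AccountID
}

func main() {
	// Constructed sample values, not real accounts or principals.
	src := "arn:aws:iam::111111111111:user/clf-cloudwatch-forwarder"
	dst := "arn:aws:iam::222222222222:role/service-role/cross-account-logs"
	s, err := ParseIAMPrincipalARN(src)
	if err != nil {
		panic(err)
	}
	d, err := ParseIAMPrincipalARN(dst)
	if err != nil {
		panic(err)
	}
	fmt.Printf("base %s %s in %s -> target %s %s in %s (cross-account: %v)\n",
		s.Kind, s.Name, s.AccountID, d.Kind, d.Name, d.AccountID, CrossAccount(s, d))
	policy, err := TrustPolicy(src, "constructed-external-id")
	if err != nil {
		panic(err)
	}
	fmt.Println("trust policy to attach to", dst)
	fmt.Println(policy)
}
```

The rendered document is the trust policy for the target role; the source principal still needs its own permissions policy allowing sts:AssumeRole on the target ARN, and the target role needs the CloudWatch Logs permissions the collector uses.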

      Risk and Assumptions

      The risk is that the testing and QE scope of this feature grows. The assumption is that, because both auth types share the same assume-role methods, the feature can be tested adequately without requiring an STS cluster.

      Documentation Considerations

      The initial doc created by Amador can be extended to cover the expanded scope. We will want to discuss this with the docs team to decide on the official docs entry.

      Additional Notes

      People: Casey Hartman (cahartma@redhat.com), Anping Li, Brian Dooley