feat(ecr): add STS AssumeRole for cross-account ECR access

Added AssumeRoleArn field across all services that interact with ECR:

common-lib:
- helmLib/registry: Configuration bean + extractCredentialsForRegistry
- utils/bean: DockerAuthConfig.AssumeRoleArnEcr
- utils/dockerOperations: LoadEcrCredentials with AssumeRole

kubelink:
- gRPC proto: AssumeRoleArn field (tag 15) on RegistryCredential
- adapter: pass AssumeRoleArn to registry Configuration

ci-runner:
- DockerCredentials struct + DockerLogin: STS AssumeRole before ECR auth
- CommonWorkflowRequest: AssumeRoleArn field
- GetDockerAuthConfigForPrivateRegistries: pass ARN
- Added log lines for cross-account login confirmation

image-scanner:
- DockerArtifactStore model: AssumeRoleArn field
- RoundTripperService: STS AssumeRole in GetAuthenticatorByDockerRegistryId

Author: abhibhaw

ci-runner/helper/DockerHelper.go

@@ -28,6 +28,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/caarlos0/env"
 	cicxt "github.com/devtron-labs/ci-runner/executor/context"
 	bean2 "github.com/devtron-labs/ci-runner/helper/bean"
@@ -210,7 +211,7 @@ const CacheModeMax = "max"
 const CacheModeMin = "min"
 
 type DockerCredentials struct {
-	DockerUsername, DockerPassword, AwsRegion, AccessKey, SecretKey, DockerRegistryURL, DockerRegistryType, CredentialsType string
+	DockerUsername, DockerPassword, AwsRegion, AccessKey, SecretKey, AssumeRoleArn, DockerRegistryURL, DockerRegistryType, CredentialsType string
 }
 
 type EnvironmentVariables struct {
@@ -257,6 +258,34 @@ func (impl *DockerHelperImpl) DockerLogin(ciContext cicxt.CiContext, dockerCrede
 				log.Println(err)
 				return err
 			}
+
+			// If an assume role ARN is provided, use STS to assume the cross-account role
+			if len(dockerCredentials.AssumeRoleArn) > 0 {
+				stsClient := sts.New(sess)
+				assumeOutput, err := stsClient.AssumeRole(&sts.AssumeRoleInput{
+					RoleArn:         aws.String(dockerCredentials.AssumeRoleArn),
+					RoleSessionName: aws.String("devtron-ecr-cross-account"),
+				})
+				if err != nil {
+					log.Printf("error in assuming role %s: %v", dockerCredentials.AssumeRoleArn, err)
+					return err
+				}
+				assumedCreds := credentials.NewStaticCredentials(
+					*assumeOutput.Credentials.AccessKeyId,
+					*assumeOutput.Credentials.SecretAccessKey,
+					*assumeOutput.Credentials.SessionToken,
+				)
+				sess, err = session.NewSession(&aws.Config{
+					Region:      &dockerCredentials.AwsRegion,
+					Credentials: assumedCreds,
+				})
+				if err != nil {
+					log.Println(err)
+					return err
+				}
+				log.Printf("STS AssumeRole successful for cross-account ECR access, roleArn: %s", dockerCredentials.AssumeRoleArn)
+			}
+
 			svc := ecr.New(sess)
 			input := &ecr.GetAuthorizationTokenInput{}
 			authData, err := svc.GetAuthorizationToken(input)
@@ -293,7 +322,11 @@ func (impl *DockerHelperImpl) DockerLogin(ciContext cicxt.CiContext, dockerCrede
 			log.Println(err)
 			return err
 		}
-		log.Println("Docker login successful with username ", username, " on docker registry URL ", dockerCredentials.DockerRegistryURL)
+		if len(dockerCredentials.AssumeRoleArn) > 0 {
+			log.Printf("Docker login successful (cross-account via AssumeRole %s) with username %s on registry %s", dockerCredentials.AssumeRoleArn, username, dockerCredentials.DockerRegistryURL)
+		} else {
+			log.Println("Docker login successful with username ", username, " on docker registry URL ", dockerCredentials.DockerRegistryURL)
+		}
 		return nil
 	}
 
@@ -1428,6 +1461,7 @@ func (impl *DockerHelperImpl) GetDockerAuthConfigForPrivateRegistries(workflowRe
 				AccessKeyEcr:       workflowRequest.AccessKey,
 				SecretAccessKeyEcr: workflowRequest.SecretKey,
 				EcrRegion:          workflowRequest.AwsRegion,
+				AssumeRoleArnEcr:   workflowRequest.AssumeRoleArn,
 				IsRegistryPrivate:  true,
 			}
 		}

ci-runner/helper/EventHelper.go

@@ -114,6 +114,7 @@ type CommonWorkflowRequest struct {
 	AwsRegion                      string                           `json:"awsRegion"`
 	AccessKey                      string                           `json:"accessKey"`
 	SecretKey                      string                           `json:"secretKey"`
+	AssumeRoleArn                  string                           `json:"assumeRoleArn"`
 	CiCacheLocation                string                           `json:"ciCacheLocation"`
 	CiCacheRegion                  string                           `json:"ciCacheRegion"`
 	CiCacheFileName                string                           `json:"ciCacheFileName"`

common-lib/helmLib/registry/bean.go

@@ -14,6 +14,7 @@ type Configuration struct {
 	AwsAccessKey              string
 	AwsSecretKey              string
 	AwsRegion                 string
+	AssumeRoleArn             string
 	RegistryConnectionType    string //secure, insecure, secure-with-cert
 	RegistryCertificateString string
 	RegistryCAFilePath        string

common-lib/helmLib/registry/common.go

@@ -9,6 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/aws/aws-sdk-go/service/sts"
 	http2 "github.com/devtron-labs/common-lib/utils/http"
 	"helm.sh/helm/v3/pkg/registry"
 	"log"
@@ -117,6 +118,33 @@ func extractCredentialsForRegistry(config *Configuration) (string, string, error
 			log.Printf("error in creating AWS client %w ", err)
 			return "", "", err
 		}
+
+		// If an assume role ARN is provided, use STS to assume the cross-account role
+		if len(config.AssumeRoleArn) > 0 {
+			stsClient := sts.New(sess)
+			assumeOutput, err := stsClient.AssumeRole(&sts.AssumeRoleInput{
+				RoleArn:         aws.String(config.AssumeRoleArn),
+				RoleSessionName: aws.String("devtron-ecr-cross-account"),
+			})
+			if err != nil {
+				log.Printf("error in assuming role %s: %v", config.AssumeRoleArn, err)
+				return "", "", fmt.Errorf("failed to assume role %s: %v", config.AssumeRoleArn, err)
+			}
+			assumedCreds := credentials.NewStaticCredentials(
+				*assumeOutput.Credentials.AccessKeyId,
+				*assumeOutput.Credentials.SecretAccessKey,
+				*assumeOutput.Credentials.SessionToken,
+			)
+			sess, err = session.NewSession(&aws.Config{
+				Region:      &config.AwsRegion,
+				Credentials: assumedCreds,
+			})
+			if err != nil {
+				log.Printf("error in creating AWS session with assumed role credentials: %v", err)
+				return "", "", err
+			}
+		}
+
 		svc := ecr.New(sess)
 		input := &ecr.GetAuthorizationTokenInput{}
 		authData, err := svc.GetAuthorizationToken(input)

common-lib/utils/bean/bean.go

@@ -39,6 +39,7 @@ type DockerAuthConfig struct {
 	AccessKeyEcr          string // used for pulling from private ecr registry
 	SecretAccessKeyEcr    string // used for pulling from private ecr registry
 	EcrRegion             string // used for pulling from private ecr registry
+	AssumeRoleArnEcr      string // used for cross-account ECR access via STS AssumeRole
 	CredentialFileJsonGcr string // used for pulling from private gcr registry
 	IsRegistryPrivate     bool
 }

common-lib/utils/dockerOperations/DockerUtils.go

@@ -8,6 +8,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/devtron-labs/common-lib/utils/bean"
 	"github.com/docker/docker/client"
 	"github.com/sirupsen/logrus"
@@ -30,13 +31,35 @@ func LoadGcrCredentials(credsJson string) (string, string, error) {
 
 }
 
-func LoadEcrCredentials(ecrRegion, accessKeyEcr, secretAccessKeyEcr string) (string, string, error) {
+func LoadEcrCredentials(ecrRegion, accessKeyEcr, secretAccessKeyEcr, assumeRoleArn string) (string, string, error) {
 	var username, password string
 	awsCfg := &aws.Config{
 		Region:      aws.String(ecrRegion),
 		Credentials: credentials.NewStaticCredentials(accessKeyEcr, secretAccessKeyEcr, ""),
 	}
 	sess := session.Must(session.NewSession(awsCfg))
+
+	// If an assume role ARN is provided, use STS to assume the cross-account role
+	if len(assumeRoleArn) > 0 {
+		stsClient := sts.New(sess)
+		assumeOutput, err := stsClient.AssumeRole(&sts.AssumeRoleInput{
+			RoleArn:         aws.String(assumeRoleArn),
+			RoleSessionName: aws.String("devtron-ecr-cross-account"),
+		})
+		if err != nil {
+			return "", "", fmt.Errorf("failed to assume role %s for ecr: %v", assumeRoleArn, err)
+		}
+		assumedCreds := credentials.NewStaticCredentials(
+			*assumeOutput.Credentials.AccessKeyId,
+			*assumeOutput.Credentials.SecretAccessKey,
+			*assumeOutput.Credentials.SessionToken,
+		)
+		sess = session.Must(session.NewSession(&aws.Config{
+			Region:      aws.String(ecrRegion),
+			Credentials: assumedCreds,
+		}))
+	}
+
 	svc := ecr.New(sess)
 	authData, err := svc.GetAuthorizationToken(&ecr.GetAuthorizationTokenInput{})
 	if err != nil {
@@ -59,7 +82,7 @@ func getEncodedRegistryAuthForPrivateRegistry(dockerAuth *bean.DockerAuthConfig)
 	switch dockerAuth.RegistryType {
 	case bean.RegistryTypeEcr:
 		// for ecr we get username and password via region, access and secret access tokens
-		ecrUsername, ecrPassword, err := LoadEcrCredentials(dockerAuth.EcrRegion, dockerAuth.AccessKeyEcr, dockerAuth.SecretAccessKeyEcr)
+		ecrUsername, ecrPassword, err := LoadEcrCredentials(dockerAuth.EcrRegion, dockerAuth.AccessKeyEcr, dockerAuth.SecretAccessKeyEcr, dockerAuth.AssumeRoleArnEcr)
 		if err != nil {
 			logrus.Error("error in getting ecr credentials", "err", err)
 			return "", err

image-scanner/pkg/roundTripper/RoundTripperService.go

@@ -23,6 +23,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/devtron-labs/common-lib/imageScan/bean"
 	"github.com/devtron-labs/common-lib/securestore"
 	"github.com/devtron-labs/image-scanner/pkg/security"
@@ -137,6 +138,32 @@ func (impl *RoundTripperServiceImpl) GetAuthenticatorByDockerRegistryId(dockerRe
 			return nil, nil, err
 		}
 
+		// If an assume role ARN is provided, use STS to assume the cross-account role
+		if len(dockerRegistry.AssumeRoleArn) > 0 {
+			stsClient := sts.New(sess)
+			assumeOutput, err := stsClient.AssumeRole(&sts.AssumeRoleInput{
+				RoleArn:         aws.String(dockerRegistry.AssumeRoleArn),
+				RoleSessionName: aws.String("devtron-ecr-cross-account"),
+			})
+			if err != nil {
+				impl.Logger.Errorw("error in assuming role for ECR", "assumeRoleArn", dockerRegistry.AssumeRoleArn, "err", err)
+				return nil, nil, err
+			}
+			assumedCreds := credentials.NewStaticCredentials(
+				*assumeOutput.Credentials.AccessKeyId,
+				*assumeOutput.Credentials.SecretAccessKey,
+				*assumeOutput.Credentials.SessionToken,
+			)
+			sess, err = session.NewSession(&aws.Config{
+				Region:      &dockerRegistry.AWSRegion,
+				Credentials: assumedCreds,
+			})
+			if err != nil {
+				impl.Logger.Errorw("error in creating AWS session with assumed role credentials", "err", err)
+				return nil, nil, err
+			}
+		}
+
 		// Create a ECR client with additional configuration
 		svc := ecr.New(sess, aws.NewConfig().WithRegion(dockerRegistry.AWSRegion))
 		token, err := svc.GetAuthorizationToken(&ecr.GetAuthorizationTokenInput{})

image-scanner/pkg/sql/repository/DockerArtifactStoreRepository.go

@@ -42,6 +42,7 @@ type DockerArtifactStore struct {
 	AWSAccessKeyId           string                      `sql:"aws_accesskey_id" json:"awsAccessKeyId,omitempty" `
 	AWSSecretAccessKey       securestore.EncryptedString `sql:"aws_secret_accesskey" json:"awsSecretAccessKey,omitempty"`
 	AWSRegion                string                      `sql:"aws_region" json:"awsRegion,omitempty"`
+	AssumeRoleArn            string                      `sql:"assume_role_arn" json:"assumeRoleArn,omitempty"`
 	Username                 string                      `sql:"username" json:"username,omitempty"`
 	Password                 securestore.EncryptedString `sql:"password" json:"password,omitempty"`
 	IsDefault                bool                        `sql:"is_default,notnull" json:"isDefault"`

kubelink/grpc/applist.pb.go

@@ -480,6 +480,7 @@ message RegistryCredential {
   string RegistryName = 12;
   string RegistryCertificate = 13;
   string CredentialsType = 14;
+  string AssumeRoleArn = 15;
 }
 
 enum RemoteConnectionMethod {