[LOG-7505] Add support for cross-account AssumeRole

api/observability/v1/output_types.go

@@ -431,6 +431,17 @@ type CloudwatchIAMRole struct {
 	// +kubebuilder:validation:Required
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Token"
 	Token BearerToken `json:"token"`
+
+	// AssumeRole specifies an IAM role to assume after the initial authentication. This enables
+	// cross-account log forwarding where the initial role or access keys associated with the collector
+	// service account is used to authenticate, and then this role is assumed in order to access
+	// CloudWatch in another account. This requires a trust relationship has been established between
+	// the roles and the assumed roles have been granted the necessary CloudWatch permissions.
+	//
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Cross-Account Assume Role"
+	AssumeRole *CloudwatchAssumeRole `json:"assumeRole,omitempty"`
 }
 
 type CloudwatchAWSAccessKey struct {
@@ -447,6 +458,22 @@ type CloudwatchAWSAccessKey struct {
 	KeySecret SecretReference `json:"keySecret"`
 }
 
+type CloudwatchAssumeRole struct {
+	// RoleARN points to the secret containing the ARN of the role to assume for cross-account access.
+	//
+	// +kubebuilder:validation:Required
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Assume Role ARN Secret"
+	RoleARN SecretReference `json:"roleARN"`
+
+	// ExternalID points to the secret containing the external ID required for assuming the role.
+	// This is an optional security measure used to ensure that only the intended entity can assume the role.
+	//
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="External ID Secret"
+	ExternalID *SecretReference `json:"externalID,omitempty"`
+}
+
 type ElasticsearchTuningSpec struct {
 	BaseOutputTuningSpec `json:",inline"`
 

config/crd/bases/observability.openshift.io_clusterlogforwarders.yaml

@@ -1902,6 +1902,53 @@ spec:
                                 a web identity token
                               nullable: true
                               properties:
+                                assumeRole:
+                                  description: |-
+                                    AssumeRole specifies an additional IAM role to assume after the initial authentication.
+                                    This enables cross-account log forwarding where the initial role is used to authenticate,
+                                    and then this role is assumed to access CloudWatch in another account.
+                                  nullable: true
+                                  properties:
+                                    externalID:
+                                      description: |-
+                                        ExternalID points to the secret containing the external ID required for assuming the role.
+                                        This is an optional security measure used to ensure that only the intended entity can assume the role.
+                                      nullable: true
+                                      properties:
+                                        key:
+                                          description: Key contains the name of the
+                                            key inside the referenced Secret.
+                                          type: string
+                                        secretName:
+                                          description: SecretName contains the name
+                                            of the Secret containing the referenced
+                                            value.
+                                          type: string
+                                      required:
+                                      - key
+                                      - secretName
+                                      type: object
+                                    roleARN:
+                                      description: RoleARN points to the secret containing
+                                        the ARN of the role to assume for cross-account
+                                        access.
+                                      properties:
+                                        key:
+                                          description: Key contains the name of the
+                                            key inside the referenced Secret.
+                                          type: string
+                                        secretName:
+                                          description: SecretName contains the name
+                                            of the Secret containing the referenced
+                                            value.
+                                          type: string
+                                      required:
+                                      - key
+                                      - secretName
+                                      type: object
+                                  required:
+                                  - roleARN
+                                  type: object
                                 roleARN:
                                   description: |-
                                     RoleARN points to the secret containing the role ARN to be used for authentication.

config/manifests/bases/cluster-logging.clusterserviceversion.yaml

@@ -448,6 +448,43 @@ spec:
           a web identity token
         displayName: Amazon IAM Role
         path: outputs[0].cloudwatch.authentication.iamRole
+      - description: |-
+          AssumeRole specifies an additional IAM role to assume after the initial authentication.
+          This enables cross-account log forwarding where the initial role is used to authenticate,
+          and then this role is assumed to access CloudWatch in another account.
+        displayName: Cross-Account Assume Role
+        path: outputs[0].cloudwatch.authentication.iamRole.assumeRole
+      - description: |-
+          ExternalID points to the secret containing the external ID required for assuming the role.
+          This is an optional security measure used to ensure that only the intended entity can assume the role.
+        displayName: External ID Secret
+        path: outputs[0].cloudwatch.authentication.iamRole.assumeRole.externalID
+      - description: Key contains the name of the key inside the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].cloudwatch.authentication.iamRole.assumeRole.externalID.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: SecretName contains the name of the Secret containing the referenced
+          value.
+        displayName: Secret Name
+        path: outputs[0].cloudwatch.authentication.iamRole.assumeRole.externalID.secretName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: RoleARN points to the secret containing the ARN of the role to
+          assume for cross-account access.
+        displayName: Assume Role ARN Secret
+        path: outputs[0].cloudwatch.authentication.iamRole.assumeRole.roleARN
+      - description: Key contains the name of the key inside the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].cloudwatch.authentication.iamRole.assumeRole.roleARN.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: SecretName contains the name of the Secret containing the referenced
+          value.
+        displayName: Secret Name
+        path: outputs[0].cloudwatch.authentication.iamRole.assumeRole.roleARN.secretName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: |-
           RoleARN points to the secret containing the role ARN to be used for authentication.
           This is used for authentication in STS-enabled clusters.