feat: Add AWS instance identity authentication (#570)

* feat: Add AWS instance identity authentication

This allows zero-trust authentication for all AWS instances.

Prior to this, AWS instances could be used by passing `CODER_TOKEN`
as an environment variable to the startup script. AWS explicitly
states that secrets should not be passed in startup scripts because
it's user-readable.

* Fix sha256 verbosity

* Fix HTTP client being exposed on auth

cli/workspaceagent.go

@@ -2,6 +2,7 @@ package cli
 
 import (
 	"context"
+	"net/http"
 	"net/url"
 	"time"
 
@@ -39,6 +40,11 @@ func workspaceAgent() *cobra.Command {
 			}
 			logger := slog.Make(sloghuman.Sink(cmd.OutOrStdout())).Leveled(slog.LevelDebug)
 			client := codersdk.New(coderURL)
+
+			// exchangeToken returns a session token.
+			// This is abstracted to allow for the same looping condition
+			// regardless of instance identity auth type.
+			var exchangeToken func(context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error)
 			switch auth {
 			case "token":
 				if token == "" {
@@ -53,29 +59,51 @@ func workspaceAgent() *cobra.Command {
 				if gcpClientRaw != nil {
 					gcpClient, _ = gcpClientRaw.(*metadata.Client)
 				}
+				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
+					return client.AuthWorkspaceGoogleInstanceIdentity(ctx, "", gcpClient)
+				}
+			case "aws-instance-identity":
+				// This is *only* done for testing to mock client authentication.
+				// This will never be set in a production scenario.
+				var awsClient *http.Client
+				awsClientRaw := cmd.Context().Value("aws-client")
+				if awsClientRaw != nil {
+					awsClient, _ = awsClientRaw.(*http.Client)
+					if awsClient != nil {
+						client.HTTPClient = awsClient
+					}
+				}
+				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
+					return client.AuthWorkspaceAWSInstanceIdentity(ctx)
+				}
+			case "azure-instance-identity":
+				return xerrors.Errorf("not implemented")
+			}
 
-				ctx, cancelFunc := context.WithTimeout(cmd.Context(), 30*time.Second)
+			if exchangeToken != nil {
+				// Agent's can start before resources are returned from the provisioner
+				// daemon. If there are many resources being provisioned, this time
+				// could be significant. This is arbitrarily set at an hour to prevent
+				// tons of idle agents from pinging coderd.
+				ctx, cancelFunc := context.WithTimeout(cmd.Context(), time.Hour)
 				defer cancelFunc()
 				for retry.New(100*time.Millisecond, 5*time.Second).Wait(ctx) {
 					var response codersdk.WorkspaceAgentAuthenticateResponse
 
-					response, err = client.AuthWorkspaceGoogleInstanceIdentity(ctx, "", gcpClient)
+					response, err = exchangeToken(ctx)
 					if err != nil {
-						logger.Warn(ctx, "authenticate workspace with Google Instance Identity", slog.Error(err))
+						logger.Warn(ctx, "authenticate workspace", slog.F("method", auth), slog.Error(err))
 						continue
 					}
 					client.SessionToken = response.SessionToken
-					logger.Info(ctx, "authenticated with Google Instance Identity")
+					logger.Info(ctx, "authenticated", slog.F("method", auth))
 					break
 				}
 				if err != nil {
 					return xerrors.Errorf("agent failed to authenticate in time: %w", err)
 				}
-			case "aws-instance-identity":
-				return xerrors.Errorf("not implemented")
-			case "azure-instance-identity":
-				return xerrors.Errorf("not implemented")
 			}
+
 			closer := agent.New(client.ListenWorkspaceAgent, &peer.ConnOptions{
 				Logger: logger,
 			})