From d0851fc9c08665e294e6b6b4a5fd82880f57c676 Mon Sep 17 00:00:00 2001
From: "OP (oppenheimer)" <21008429+Ompragash@users.noreply.github.com>
Date: Mon, 30 Sep 2024 20:41:18 +0530
Subject: [PATCH 1/2] Update plugin.go
---
 plugin.go | 118 +++++++++++++++++++++++-------------------------------
 1 file changed, 49 insertions(+), 69 deletions(-)
diff --git a/plugin.go b/plugin.go
index 7a7301e..b2eed3f 100644
--- a/plugin.go
+++ b/plugin.go
@@ -29,7 +29,6 @@ type Plugin struct {
 AssumeRoleSessionName string
 Bucket string
 UserRoleArn string
- UserRoleExternalID string // New field for UserRoleArn ExternalID
 // if not "", enable server-side encryption
 // valid values are:
@@ -100,7 +99,7 @@ type Plugin struct {
 // set externalID for assume role
 ExternalID string
- // set OIDC ID Token to retrieve temporary credentials
+ // set OIDC ID Token to retrieve temporary credentials
 IdToken string
 }
@@ -435,79 +434,60 @@ func (p *Plugin) downloadS3Objects(client *s3.S3, sourceDir string) error {
 // createS3Client creates and returns an S3 client based on the plugin configuration
 func (p *Plugin) createS3Client() *s3.S3 {
- conf := &aws.Config{
- Region: aws.String(p.Region),
- Endpoint: &p.Endpoint,
- DisableSSL: aws.Bool(strings.HasPrefix(p.Endpoint, "http://")),
- S3ForcePathStyle: aws.Bool(p.PathStyle),
- }
-
- sess, err := session.NewSession(conf)
- if err != nil {
- log.Fatalf("failed to create AWS session: %v", err)
- }
-
- if p.Key != "" && p.Secret != "" {
- conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
- } else if p.IdToken != "" && p.AssumeRole != "" {
- creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
- if err != nil {
- log.Fatalf("failed to assume role with web identity: %v", err)
- }
- conf.Credentials = creds
- } else if p.AssumeRole != "" {
- conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
- } else {
- log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
- }
+ conf := &aws.Config{
+ Region: aws.String(p.Region),
+ Endpoint: &p.Endpoint,
+ DisableSSL: aws.Bool(strings.HasPrefix(p.Endpoint, "http://")),
+ S3ForcePathStyle: aws.Bool(p.PathStyle),
+ }
+
+ sess, err := session.NewSession(conf)
+ if err != nil {
+ log.Fatalf("failed to create AWS session: %v", err)
+ }
+
+ if p.Key != "" && p.Secret != "" {
+ conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
+ } else if p.IdToken != "" && p.AssumeRole != "" {
+ creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
+ if err != nil {
+ log.Fatalf("failed to assume role with web identity: %v", err)
+ }
+ conf.Credentials = creds
+ } else if p.AssumeRole != "" {
+ conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
+ } else {
+ log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
+ }
 sess, err = session.NewSession(conf)
- if err != nil {
- log.Fatalf("failed to create AWS session: %v", err)
- }
+ if err != nil {
+ log.Fatalf("failed to create AWS session: %v", err)
+ }
- client := s3.New(sess, conf)
+ client := s3.New(sess, conf)
- if len(p.UserRoleArn) > 0 {
- log.WithFields(log.Fields{
- "UserRoleArn": p.UserRoleArn,
- }).Info("Assuming user role ARN")
-
- // Create new credentials by assuming the UserRoleArn with ExternalID
- creds := stscreds.NewCredentials(sess, p.UserRoleArn, func(provider *stscreds.AssumeRoleProvider) {
- if p.UserRoleExternalID != "" {
- provider.ExternalID = aws.String(p.UserRoleExternalID)
- }
- })
-
- // Create a new session with the new credentials
- confWithUserRole := &aws.Config{
- Region: aws.String(p.Region),
- Credentials: creds,
- }
-
- sessWithUserRole, err := session.NewSession(confWithUserRole)
- if err != nil {
- log.Fatalf("failed to create AWS session with user role: %v", err)
- }
-
- client = s3.New(sessWithUserRole)
- }
-
- return client
+ if len(p.UserRoleArn) > 0 {
+ confRoleArn := aws.Config{
+ Region: aws.String(p.Region),
+ Credentials: stscreds.NewCredentials(sess, p.UserRoleArn),
+ }
+ client = s3.New(sess, &confRoleArn)
+ }
+ return client
 }
 func assumeRoleWithWebIdentity(sess *session.Session, roleArn, roleSessionName, idToken string) (*credentials.Credentials, error) {
- svc := sts.New(sess)
- input := &sts.AssumeRoleWithWebIdentityInput{
- RoleArn: aws.String(roleArn),
- RoleSessionName: aws.String(roleSessionName),
- WebIdentityToken: aws.String(idToken),
- }
- result, err := svc.AssumeRoleWithWebIdentity(input)
- if err != nil {
- log.Fatalf("failed to assume role with web identity: %v", err)
- }
- return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
+ svc := sts.New(sess)
+ input := &sts.AssumeRoleWithWebIdentityInput{
+ RoleArn: aws.String(roleArn),
+ RoleSessionName: aws.String(roleSessionName),
+ WebIdentityToken: aws.String(idToken),
+ }
+ result, err := svc.AssumeRoleWithWebIdentity(input)
+ if err != nil {
+ log.Fatalf("failed to assume role with web identity: %v", err)
+ }
+ return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
 }
From 8dc3a28a8782bca9f888c60607244ae2b73e0981 Mon Sep 17 00:00:00 2001
From: "OP (oppenheimer)" <21008429+Ompragash@users.noreply.github.com>
Date: Mon, 30 Sep 2024 20:44:26 +0530
Subject: [PATCH 2/2] Update main.go
---
 main.go | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/main.go b/main.go
index 628963d..df4f859 100644
--- a/main.go
+++ b/main.go
@@ -52,11 +52,6 @@ func main() {
 Usage: "AWS user role",
 EnvVar: "PLUGIN_USER_ROLE_ARN,AWS_USER_ROLE_ARN",
 },
- cli.StringFlag{
- Name: "user-role-external-id",
- Usage: "external ID to use when assuming secondary role",
- EnvVar: "PLUGIN_USER_ROLE_EXTERNAL_ID",
- },
 cli.StringFlag{
 Name: "bucket",
 Usage: "aws bucket",
@@ -171,7 +166,6 @@ func run(c *cli.Context) error {
 AssumeRoleSessionName: c.String("assume-role-session-name"),
 Bucket: c.String("bucket"),
 UserRoleArn: c.String("user-role-arn"),
- UserRoleExternalID: c.String("user-role-external-id"),
 Region: c.String("region"),
 Access: c.String("acl"),
 Source: c.String("source"),
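Review bot: The rebuilt `if len(p.UserRoleArn) > 0` branch assumes the secondary role with a bare `stscreds.NewCredentials(sess, p.UserRoleArn)`, so no ExternalId is ever sent; a role whose trust policy carries an `sts:ExternalId` condition (the usual confused-deputy mitigation for cross-account roles) will refuse the AssumeRole call, and since that provider fetches lazily the failure presumably only surfaces on the first S3 request rather than as a configuration error. If dropping the option is intended, record it where the next reader will look, e.g. `// UserRoleArn is assumed without an ExternalId; roles whose trust policy requires one cannot be used.` above the branch, with matching wording on the `UserRoleArn` field (hunk at -29) and the `user-role-arn` flag in main.go; otherwise keep the option and pass `func(pr *stscreds.AssumeRoleProvider) { pr.ExternalID = aws.String(id) }` as the removed lines did. Further down in the same hunk, `assumeRoleWithWebIdentity` still calls `log.Fatalf` on an STS failure, which makes its `error` result dead and the caller's `if err != nil` unreachable; `return nil, err` there would restore the contract the signature promises. The static credentials it builds also discard `result.Credentials.Expiration`, so a transfer that outlives the STS session fails mid-run instead of refreshing — a refreshing `stscreds` web-identity provider would avoid that.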