IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

cloudwatch: Replicate SDK behaviour for WebIdentityRole (#21594)

Browse Source 
* Replicate SDK behaviour for WebIdentityRole

Fix #20473

* Use WebIdentityRole in s3 uploader as well

* Use consistent casing

* use WebIdentityRole to assume another role

Co-authored-by: eV <ev@7pr.xyz>
This commit is contained in:
Patrik Karlström 2020-04-08 15:05:24 +02:00 committed by GitHub
parent 431f454d57
commit dbda5aece9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/components/imguploader/s3uploader.go
View File

@ -10,10 +10,12 @@ import (
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/defaults"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3/s3manager"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/util"
)
@ -57,6 +59,7 @@ func (u *S3Uploader) Upload(ctx context.Context, imageDiskPath string) (string,
}},
&credentials.EnvProvider{},
remoteCredProvider(sess),
webIdentityProvider(sess),
})
cfg := &aws.Config{
Region: aws.String(u.region),
@ -96,6 +99,15 @@ func (u *S3Uploader) Upload(ctx context.Context, imageDiskPath string) (string,
return result.Location, nil
}
func webIdentityProvider(sess *session.Session) credentials.Provider {
svc := sts.New(sess)
roleARN := os.Getenv("AWS_ROLE_ARN")
tokenFilepath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
return stscreds.NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, tokenFilepath)
}
func remoteCredProvider(sess *session.Session) credentials.Provider {
ecsCredURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")

12
pkg/tsdb/cloudwatch/credentials.go
View File

@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/defaults"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/request"
@ -60,6 +61,7 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
&credentials.EnvProvider{},
&credentials.SharedCredentialsProvider{Filename: "", Profile: dsInfo.Profile},
remoteCredProvider(stsSess),
webIdentityProvider(stsSess),
})
stsConfig := &aws.Config{
Region: aws.String(dsInfo.Region),
@ -105,6 +107,7 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
}},
&credentials.SharedCredentialsProvider{Filename: "", Profile: dsInfo.Profile},
remoteCredProvider(sess),
webIdentityProvider(sess),
})
credentialCacheLock.Lock()
@ -117,6 +120,15 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
return creds, nil
}
func webIdentityProvider(sess *session.Session) credentials.Provider {
svc := sts.New(sess)
roleARN := os.Getenv("AWS_ROLE_ARN")
tokenFilepath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
return stscreds.NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, tokenFilepath)
}
func remoteCredProvider(sess *session.Session) credentials.Provider {
ecsCredURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")