From dbda5aece9cf3a899ec5276577475e2065c54fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrik=20Karlstr=C3=B6m?=
Date: Wed, 8 Apr 2020 15:05:24 +0200
Subject: [PATCH] cloudwatch: Replicate SDK behaviour for WebIdentityRole (#21594)

* Replicate SDK behaviour for WebIdentityRole
Fix #20473
* Use WebIdentityRole in s3 uploader as well
* Use consistent casing
* use WebIdentityRole to assume another role
Co-authored-by: eV
---
 pkg/components/imguploader/s3uploader.go | 12 ++++++++++++
 pkg/tsdb/cloudwatch/credentials.go | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/pkg/components/imguploader/s3uploader.go b/pkg/components/imguploader/s3uploader.go
index 3ed12e3c6f4..5a1e74b3890 100644
--- a/pkg/components/imguploader/s3uploader.go
+++ b/pkg/components/imguploader/s3uploader.go
@@ -10,10 +10,12 @@ import (
 "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 "github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/defaults"
 "github.com/aws/aws-sdk-go/aws/ec2metadata"
 "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/service/s3/s3manager"
+ "github.com/aws/aws-sdk-go/service/sts"
 "github.com/grafana/grafana/pkg/infra/log"
 "github.com/grafana/grafana/pkg/util"
 )
@@ -57,6 +59,7 @@ func (u *S3Uploader) Upload(ctx context.Context, imageDiskPath string) (string,
 }},
 &credentials.EnvProvider{},
 remoteCredProvider(sess),
+ webIdentityProvider(sess),
 })
 cfg := &aws.Config{
 Region: aws.String(u.region),
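Review bot: `webIdentityProvider(sess)` is appended after `remoteCredProvider(sess)` in this chain, so if that helper falls back to an EC2 instance-role provider when `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is unset (its body is outside the hunk, but the `ec2rolecreds`/`ec2metadata` imports suggest it does), a pod that can still reach the instance metadata service authenticates as the node's role and the web-identity provider is never consulted. That inverts the precedence the commit title says it replicates: the SDK's session credential resolution consults `AWS_WEB_IDENTITY_TOKEN_FILE` before its EC2/ECS remote providers. Swapping the two entries, `webIdentityProvider(sess),` before `remoteCredProvider(sess),`, restores that order with no other change. The enclosing `Upload` method starts and ends outside the hunk.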
@@ -96,6 +99,15 @@ func (u *S3Uploader) Upload(ctx context.Context, imageDiskPath string) (string,
 return result.Location, nil
 }
+func webIdentityProvider(sess *session.Session) credentials.Provider {
+ svc := sts.New(sess)
+
+ roleARN := os.Getenv("AWS_ROLE_ARN")
+ tokenFilepath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+ roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
+ return stscreds.NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, tokenFilepath)
+}
+
 func remoteCredProvider(sess *session.Session) credentials.Provider {
 ecsCredURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
diff --git a/pkg/tsdb/cloudwatch/credentials.go b/pkg/tsdb/cloudwatch/credentials.go
index fa4ef619884..d2f3b81daa4 100644
--- a/pkg/tsdb/cloudwatch/credentials.go
+++ b/pkg/tsdb/cloudwatch/credentials.go
@@ -10,6 +10,7 @@ import (
 "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 "github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/defaults"
 "github.com/aws/aws-sdk-go/aws/ec2metadata"
 "github.com/aws/aws-sdk-go/aws/request"
@@ -60,6 +61,7 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
 &credentials.EnvProvider{},
 &credentials.SharedCredentialsProvider{Filename: "", Profile: dsInfo.Profile},
 remoteCredProvider(stsSess),
+ webIdentityProvider(stsSess),
 })
 stsConfig := &aws.Config{
 Region: aws.String(dsInfo.Region),
@@ -105,6 +107,7 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
 }},
 &credentials.SharedCredentialsProvider{Filename: "", Profile: dsInfo.Profile},
 remoteCredProvider(sess),
+ webIdentityProvider(sess),
 })
 credentialCacheLock.Lock()
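Review bot: `webIdentityProvider` builds the STS provider unconditionally, so a misconfigured pod where `AWS_WEB_IDENTITY_TOKEN_FILE` is set but `AWS_ROLE_ARN` is empty surfaces only as a generic chain failure after an AssumeRoleWithWebIdentity attempt with an empty role ARN, whereas the SDK it is meant to replicate rejects that combination up front; with neither variable set the chain still carries a provider that fails reading an empty path. Checking the two variables inside the helper and returning a provider that errors with a precise message keeps every call site unchanged; `credentials.ErrorProvider` from the same SDK package fits, if the vendored version has it, and the sketch below needs an `errors` import that the hunk does not show. `sts.New(sess)` also inherits whatever region `sess` carries, and `sess` is created outside the hunk — if it has none the call presumably goes to the global STS endpoint, which is worth confirming where regional STS endpoints are enforced.

```go
func webIdentityProvider(sess *session.Session) credentials.Provider {
	roleARN := os.Getenv("AWS_ROLE_ARN")
	tokenFilepath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
	// Mirror the SDK: a token file without a role ARN is a configuration
	// error, and no token file means this provider does not apply at all.
	if tokenFilepath == "" {
		return &credentials.ErrorProvider{Err: errors.New("AWS_WEB_IDENTITY_TOKEN_FILE is not set"), ProviderName: "WebIdentityProvider"}
	}
	if roleARN == "" {
		return &credentials.ErrorProvider{Err: errors.New("AWS_WEB_IDENTITY_TOKEN_FILE is set but AWS_ROLE_ARN is empty"), ProviderName: "WebIdentityProvider"}
	}
	return stscreds.NewWebIdentityRoleProvider(sts.New(sess), roleARN, roleSessionName, tokenFilepath)
}
```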
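Review bot: In this chain the web-identity provider sits after `remoteCredProvider(stsSess)`, and `stsSess` is the identity that, per the description, is then used to assume another role (the AssumeRole call itself is outside the hunk). On a node where the instance metadata service is reachable, a remote provider that resolves the instance role wins first, so the role assumption is signed by the node's role rather than the pod's web-identity role — a trust policy scoped to the web-identity role then fails, and one that also trusts the node role lets any pod on that node assume it. Listing `webIdentityProvider(stsSess),` before `remoteCredProvider(stsSess),` gives the token the precedence the SDK's own resolution gives it; the chain in the following hunk (`remoteCredProvider(sess)` then `webIdentityProvider(sess)`) has the same ordering. `GetCredentials` begins before and continues past this hunk.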
@@ -117,6 +120,15 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
 return creds, nil
 }
+func webIdentityProvider(sess *session.Session) credentials.Provider {
+ svc := sts.New(sess)
+
+ roleARN := os.Getenv("AWS_ROLE_ARN")
+ tokenFilepath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+ roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
+ return stscreds.NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, tokenFilepath)
+}
+
 func remoteCredProvider(sess *session.Session) credentials.Provider {
 ecsCredURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
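Review bot: `webIdentityProvider` here is byte-for-byte the helper added to `pkg/components/imguploader/s3uploader.go` in the same commit, and the adjacent `remoteCredProvider` already exists in both files, so the AWS credential-chain logic now lives in two packages that have to be kept in step by hand — provider ordering is where they would most plausibly drift. A small shared package holding both helpers would remove the duplication; at minimum the function wants a doc comment, e.g. `// webIdentityProvider returns an STS web-identity role provider configured from AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_SESSION_NAME, the variables the SDK's default chain reads.` Re-reading the environment on every `GetCredentials` call looks harmless if the result is cached as the `credentialCacheLock` context line in the previous hunk suggests, but note that a provider is constructed and added to the chain even when none of the three variables is set.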