mirror of
https://github.com/opentofu/opentofu.git
synced 2024-12-30 10:47:14 -06:00
Support standard AWS config in the S3 remote backend. (#5270)
This commit is contained in:
parent
2476dcbcae
commit
14f6f90621
@ -10,12 +10,11 @@ import (
|
|||||||
|
|
||||||
"github.com/aws/aws-sdk-go/aws"
|
"github.com/aws/aws-sdk-go/aws"
|
||||||
"github.com/aws/aws-sdk-go/aws/awserr"
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
||||||
"github.com/aws/aws-sdk-go/aws/credentials"
|
|
||||||
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
|
|
||||||
"github.com/aws/aws-sdk-go/aws/ec2metadata"
|
|
||||||
"github.com/aws/aws-sdk-go/aws/session"
|
"github.com/aws/aws-sdk-go/aws/session"
|
||||||
"github.com/aws/aws-sdk-go/service/s3"
|
"github.com/aws/aws-sdk-go/service/s3"
|
||||||
"github.com/hashicorp/go-cleanhttp"
|
"github.com/hashicorp/go-cleanhttp"
|
||||||
|
"github.com/hashicorp/go-multierror"
|
||||||
|
terraformAws "github.com/hashicorp/terraform/builtin/providers/aws"
|
||||||
)
|
)
|
||||||
|
|
||||||
func s3Factory(conf map[string]string) (Client, error) {
|
func s3Factory(conf map[string]string) (Client, error) {
|
||||||
@ -60,29 +59,24 @@ func s3Factory(conf map[string]string) (Client, error) {
|
|||||||
}
|
}
|
||||||
kmsKeyID := conf["kms_key_id"]
|
kmsKeyID := conf["kms_key_id"]
|
||||||
|
|
||||||
accessKeyId := conf["access_key"]
|
var errs []error
|
||||||
secretAccessKey := conf["secret_key"]
|
creds := terraformAws.GetCredentials(conf["access_key"], conf["secret_key"], conf["token"], conf["profile"], conf["shared_credentials_file"])
|
||||||
|
// Call Get to check for credential provider. If nothing found, we'll get an
|
||||||
credentialsProvider := credentials.NewChainCredentials([]credentials.Provider{
|
// error, and we can present it nicely to the user
|
||||||
&credentials.StaticProvider{Value: credentials.Value{
|
_, err := creds.Get()
|
||||||
AccessKeyID: accessKeyId,
|
|
||||||
SecretAccessKey: secretAccessKey,
|
|
||||||
SessionToken: "",
|
|
||||||
}},
|
|
||||||
&credentials.EnvProvider{},
|
|
||||||
&credentials.SharedCredentialsProvider{Filename: "", Profile: ""},
|
|
||||||
&ec2rolecreds.EC2RoleProvider{Client: ec2metadata.New(session.New())},
|
|
||||||
})
|
|
||||||
|
|
||||||
// Make sure we got some sort of working credentials.
|
|
||||||
_, err := credentialsProvider.Get()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("Unable to determine AWS credentials. Set the AWS_ACCESS_KEY_ID and "+
|
if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
|
||||||
"AWS_SECRET_ACCESS_KEY environment variables.\n(error was: %s)", err)
|
errs = append(errs, fmt.Errorf(`No valid credential sources found for AWS S3 remote.
|
||||||
|
Please see https://www.terraform.io/docs/state/remote/s3.html for more information on
|
||||||
|
providing credentials for the AWS S3 remote`))
|
||||||
|
} else {
|
||||||
|
errs = append(errs, fmt.Errorf("Error loading credentials for AWS S3 remote: %s", err))
|
||||||
|
}
|
||||||
|
return nil, &multierror.Error{Errors: errs}
|
||||||
}
|
}
|
||||||
|
|
||||||
awsConfig := &aws.Config{
|
awsConfig := &aws.Config{
|
||||||
Credentials: credentialsProvider,
|
Credentials: creds,
|
||||||
Endpoint: aws.String(endpoint),
|
Endpoint: aws.String(endpoint),
|
||||||
Region: aws.String(regionName),
|
Region: aws.String(regionName),
|
||||||
HTTPClient: cleanhttp.DefaultClient(),
|
HTTPClient: cleanhttp.DefaultClient(),
|
||||||
|
@ -56,3 +56,6 @@ The following configuration options / environment variables are supported:
|
|||||||
* `access_key` / `AWS_ACCESS_KEY_ID` - (Optional) AWS access key
|
* `access_key` / `AWS_ACCESS_KEY_ID` - (Optional) AWS access key
|
||||||
* `secret_key` / `AWS_SECRET_ACCESS_KEY` - (Optional) AWS secret key
|
* `secret_key` / `AWS_SECRET_ACCESS_KEY` - (Optional) AWS secret key
|
||||||
* `kms_key_id` - (Optional) The ARN of a KMS Key to use for encrypting the state.
|
* `kms_key_id` - (Optional) The ARN of a KMS Key to use for encrypting the state.
|
||||||
|
* `profile` - (Optional) This is the AWS profile name as set in the shared credentials file.
|
||||||
|
* `shared_credentials_file` - (Optional) This is the path to the shared credentials file. If this is not set and a profile is specified, ~/.aws/credentials will be used.
|
||||||
|
* `token` - (Optional) Use this to set an MFA token. It can also be sourced from the `AWS_SECURITY_TOKEN` environment variable.
|
||||||
|
Loading…
Reference in New Issue
Block a user