diff --git a/plugin.go b/plugin.go index 4b461e7..0892361 100644 --- a/plugin.go +++ b/plugin.go @@ -99,7 +99,7 @@ type Plugin struct { // set externalID for assume role ExternalID string - // set OIDC ID Token to retrieve temporary credentials + // set OIDC ID Token to retrieve temporary credentials IdToken string } @@ -434,55 +434,59 @@ func (p *Plugin) downloadS3Objects(client *s3.S3, sourceDir string) error { // createS3Client creates and returns an S3 client based on the plugin configuration func (p *Plugin) createS3Client() *s3.S3 { - conf := &aws.Config{ - Region: aws.String(p.Region), - Endpoint: &p.Endpoint, - DisableSSL: aws.Bool(strings.HasPrefix(p.Endpoint, "http://")), - S3ForcePathStyle: aws.Bool(p.PathStyle), - } - - sess, err := session.NewSession(conf) - if err != nil { - log.Fatalf("failed to create AWS session: %v", err) - } - - if p.Key != "" && p.Secret != "" { - conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "") - } else if p.IdToken != "" && p.AssumeRole != "" { - creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken) - if err != nil { - log.Fatalf("failed to assume role with web identity: %v", err) - } - conf.Credentials = creds - } else if p.AssumeRole != "" { - conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID) - } else { - log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)") - } - - client := s3.New(sess, conf) - - if len(p.UserRoleArn) > 0 { - confRoleArn := aws.Config{ - Region: aws.String(p.Region), - Credentials: stscreds.NewCredentials(sess, p.UserRoleArn), - } - client = s3.New(sess, &confRoleArn) - } - - return client + conf := &aws.Config{ + Region: aws.String(p.Region), + Endpoint: &p.Endpoint, + DisableSSL: aws.Bool(strings.HasPrefix(p.Endpoint, "http://")), + S3ForcePathStyle: aws.Bool(p.PathStyle), + } + + if p.Key != "" && p.Secret != "" { + conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "") + } else if p.IdToken != "" && p.AssumeRole != "" { + tempSess, err := session.NewSession(&aws.Config{Region: aws.String(p.Region)}) + if err != nil { + log.Fatalf("failed to create AWS session: %v", err) + } + creds, err := assumeRoleWithWebIdentity(tempSess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken) + if err != nil { + log.Fatalf("failed to assume role with web identity: %v", err) + } + conf.Credentials = creds + } else if p.AssumeRole != "" { + conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID) + } else { + log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)") + } + + sess, err := session.NewSession(conf) + if err != nil { + log.Fatalf("failed to create AWS session: %v", err) + } + + client := s3.New(sess) + + if len(p.UserRoleArn) > 0 { + confRoleArn := aws.Config{ + Region: aws.String(p.Region), + Credentials: stscreds.NewCredentials(sess, p.UserRoleArn), + } + client = s3.New(sess, &confRoleArn) + } + + return client } func assumeRoleWithWebIdentity(sess *session.Session, roleArn, roleSessionName, idToken string) (*credentials.Credentials, error) { - svc := sts.New(sess) - input := &sts.AssumeRoleWithWebIdentityInput{ - RoleArn: aws.String(roleArn), - RoleSessionName: aws.String(roleSessionName), - WebIdentityToken: aws.String(idToken), - } - result, err := svc.AssumeRoleWithWebIdentity(input) - if err != nil { - log.Fatalf("failed to assume role with web identity: %v", err) - } - return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil -} \ No newline at end of file + svc := sts.New(sess) + input := &sts.AssumeRoleWithWebIdentityInput{ + RoleArn: aws.String(roleArn), + RoleSessionName: aws.String(roleSessionName), + WebIdentityToken: aws.String(idToken), + } + result, err := svc.AssumeRoleWithWebIdentity(input) + if err != nil { + log.Fatalf("failed to assume role with web identity: %v", err) + } + return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil +}