Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: [CI-14134]: fix upload to s3 artifact when cross account role is… #165

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: [CI-14134]: fix upload to s3 artifact when cross account role is… #165

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c8f494f
fix: [CI-14134]: fix upload to s3 artifact when cross account role is…
abhay084 Sep 12, 2024
172fd6c
fix: [CI-14134]: fix
abhay084 Sep 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 54 additions & 50 deletions plugin.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ type Plugin struct {
// set externalID for assume role
ExternalID string

// set OIDC ID Token to retrieve temporary credentials
// set OIDC ID Token to retrieve temporary credentials
IdToken string
}

Expand Down Expand Up @@ -434,55 +434,59 @@ func (p *Plugin) downloadS3Objects(client *s3.S3, sourceDir string) error {

// createS3Client creates and returns an S3 client based on the plugin configuration
func (p *Plugin) createS3Client() *s3.S3 {
conf := &aws.Config{
Region: aws.String(p.Region),
Endpoint: &p.Endpoint,
DisableSSL: aws.Bool(strings.HasPrefix(p.Endpoint, "http://")),
S3ForcePathStyle: aws.Bool(p.PathStyle),
}

sess, err := session.NewSession(conf)
if err != nil {
log.Fatalf("failed to create AWS session: %v", err)
}

if p.Key != "" && p.Secret != "" {
conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
} else if p.IdToken != "" && p.AssumeRole != "" {
creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
if err != nil {
log.Fatalf("failed to assume role with web identity: %v", err)
}
conf.Credentials = creds
} else if p.AssumeRole != "" {
conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
} else {
log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
}

client := s3.New(sess, conf)

if len(p.UserRoleArn) > 0 {
confRoleArn := aws.Config{
Region: aws.String(p.Region),
Credentials: stscreds.NewCredentials(sess, p.UserRoleArn),
}
client = s3.New(sess, &confRoleArn)
}

return client
conf := &aws.Config{
Region: aws.String(p.Region),
Endpoint: &p.Endpoint,
DisableSSL: aws.Bool(strings.HasPrefix(p.Endpoint, "http://")),
S3ForcePathStyle: aws.Bool(p.PathStyle),
}

if p.Key != "" && p.Secret != "" {
conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
} else if p.IdToken != "" && p.AssumeRole != "" {
tempSess, err := session.NewSession(&aws.Config{Region: aws.String(p.Region)})
Copy link

@Sapa96 Sapa96 Sep 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why cant we create tempSess with conf directly like this ?
tempSess, err := session.NewSession(conf)

if err != nil {
log.Fatalf("failed to create AWS session: %v", err)
}
creds, err := assumeRoleWithWebIdentity(tempSess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
if err != nil {
log.Fatalf("failed to assume role with web identity: %v", err)
}
conf.Credentials = creds
} else if p.AssumeRole != "" {
conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
} else {
log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
}

sess, err := session.NewSession(conf)
if err != nil {
log.Fatalf("failed to create AWS session: %v", err)
}

client := s3.New(sess)

if len(p.UserRoleArn) > 0 {
confRoleArn := aws.Config{
Region: aws.String(p.Region),
Credentials: stscreds.NewCredentials(sess, p.UserRoleArn),
}
client = s3.New(sess, &confRoleArn)
}

return client
}

func assumeRoleWithWebIdentity(sess *session.Session, roleArn, roleSessionName, idToken string) (*credentials.Credentials, error) {
svc := sts.New(sess)
input := &sts.AssumeRoleWithWebIdentityInput{
RoleArn: aws.String(roleArn),
RoleSessionName: aws.String(roleSessionName),
WebIdentityToken: aws.String(idToken),
}
result, err := svc.AssumeRoleWithWebIdentity(input)
if err != nil {
log.Fatalf("failed to assume role with web identity: %v", err)
}
return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
}
svc := sts.New(sess)
input := &sts.AssumeRoleWithWebIdentityInput{
RoleArn: aws.String(roleArn),
RoleSessionName: aws.String(roleSessionName),
WebIdentityToken: aws.String(idToken),
}
result, err := svc.AssumeRoleWithWebIdentity(input)
if err != nil {
log.Fatalf("failed to assume role with web identity: %v", err)
}
return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
}