fix: load AWS config and assume role

Signed-off-by: Luis Davim <[email protected]>
vmware-tanzu · Aug 2, 2023 · bd10b15 · bd10b15
1 parent e95ecde
commit bd10b15
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 25 deletions.
diff --git a/velero-plugin-for-aws/object_store.go b/velero-plugin-for-aws/object_store.go
@@ -18,8 +18,6 @@ package main
 
 import (
 	"crypto/tls"
-	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
-	"github.com/aws/aws-sdk-go/service/sts"
 	"io"
 	"net/http"
 	"os"
@@ -30,7 +28,6 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/aws/session"
@@ -268,9 +265,8 @@ func readCustomerKey(customerKeyEncryptionFile string) (string, error) {
 // newSessionOptions creates a session.Options with the given config and profile. If
 // caCert and credentialsFile are provided, these will be used for the CustomCABundle
 // and the credentials for the session.
-func newSessionOptions(config aws.Config, profile string, caCert string, credentialsFile string, enableSharedConfig string) (session.Options, error) {
-	sessionOptions := session.Options{Config: config, Profile: profile}
-
+func newSessionOptions(config aws.Config, profile, caCert, credentialsFile, enableSharedConfig string) (session.Options, error) {
+	sessionOptions := session.Options{Config: config, Profile: profile, SharedConfigState: session.SharedConfigEnable}
 	if caCert != "" {
 		sessionOptions.CustomCABundle = strings.NewReader(caCert)
 	}
@@ -282,23 +278,9 @@ func newSessionOptions(config aws.Config, profile string, caCert string, credent
 			}
 			return session.Options{}, errors.Wrapf(err, "could not get credentialsFile info")
 		}
-		sessionOptions.SharedConfigFiles = []string{credentialsFile}
-
-		if sharedConfig, berr := strconv.ParseBool(enableSharedConfig); sharedConfig && berr == nil {
-			sessionOptions.SharedConfigState = session.SharedConfigEnable
-		}
-	} else if len(os.Getenv("AWS_ROLE_ARN")) > 0 {
-		// Assume we're running in a pod with a service account
-		sess := session.Must(session.NewSession())
-		conf := config.WithCredentialsChainVerboseErrors(true).
-			WithCredentials(credentials.NewCredentials(stscreds.NewWebIdentityRoleProvider(
-				sts.New(sess),
-				os.Getenv("AWS_ROLE_ARN"),
-				"",
-				os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"),
-			)))
-		sessionOptions.Config = *conf
+		sessionOptions.SharedConfigFiles = append(sessionOptions.SharedConfigFiles, credentialsFile)
 	}
+
 	return sessionOptions, nil
 }
 

diff --git a/velero-plugin-for-aws/volume_snapshotter.go b/velero-plugin-for-aws/volume_snapshotter.go
@@ -24,6 +24,7 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/pkg/errors"
@@ -37,14 +38,14 @@ import (
 )
 
 const (
-	regionKey = "region"
+	regionKey    = "region"
 	ebsCSIDriver = "ebs.csi.aws.com"
 )
 
 // iopsVolumeTypes is a set of AWS EBS volume types for which IOPS should
 // be captured during snapshot and provided when creating a new volume
 // from snapshot.
-var iopsVolumeTypes = sets.NewString("io1","io2")
+var iopsVolumeTypes = sets.NewString("io1", "io2")
 
 type VolumeSnapshotter struct {
 	log logrus.FieldLogger
@@ -55,12 +56,17 @@ type VolumeSnapshotter struct {
 func getSession(options session.Options) (*session.Session, error) {
 	sess, err := session.NewSessionWithOptions(options)
 	if err != nil {
-		return nil, errors.WithStack(err)
+		return nil, fmt.Errorf("instantiating AWS session: %w", err)
+	}
+
+	if len(os.Getenv("AWS_ROLE_ARN")) > 0 {
+		sess.Config.WithCredentials(stscreds.NewCredentials(sess, os.Getenv("AWS_ROLE_ARN")))
 	}
 
 	if _, err := sess.Config.Credentials.Get(); err != nil {
 		return nil, errors.WithStack(err)
 	}
+
 	return sess, nil
 }