diff --git a/velero-plugin-for-aws/object_store.go b/velero-plugin-for-aws/object_store.go
index b03a71c..ace9f40 100644
--- a/velero-plugin-for-aws/object_store.go
+++ b/velero-plugin-for-aws/object_store.go
@@ -18,8 +18,6 @@ package main
 import (
 "crypto/tls"
- "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
- "github.com/aws/aws-sdk-go/service/sts"
 "io"
 "net/http"
 "os"
@@ -30,7 +28,6 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/awserr"
- "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/endpoints"
 "github.com/aws/aws-sdk-go/aws/request"
 "github.com/aws/aws-sdk-go/aws/session"
@@ -268,9 +265,8 @@ func readCustomerKey(customerKeyEncryptionFile string) (string, error) {
 // newSessionOptions creates a session.Options with the given config and profile. If
 // caCert and credentialsFile are provided, these will be used for the CustomCABundle
 // and the credentials for the session.
-func newSessionOptions(config aws.Config, profile string, caCert string, credentialsFile string, enableSharedConfig string) (session.Options, error) {
- sessionOptions := session.Options{Config: config, Profile: profile}
-
+func newSessionOptions(config aws.Config, profile, caCert, credentialsFile, enableSharedConfig string) (session.Options, error) {
+ sessionOptions := session.Options{Config: config, Profile: profile, SharedConfigState: session.SharedConfigEnable}
 if caCert != "" {
 sessionOptions.CustomCABundle = strings.NewReader(caCert)
 }
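Review bot: `SharedConfigState: session.SharedConfigEnable` is now set unconditionally in `newSessionOptions`, but `enableSharedConfig` stays in the signature and, once its `strconv.ParseBool` branch is removed in the next hunk (@@ -282), is never read; a caller passing `"false"` silently gets shared-config loading anyway. Either keep honouring the flag, `if b, err := strconv.ParseBool(enableSharedConfig); err == nil && b { sessionOptions.SharedConfigState = session.SharedConfigEnable }`, or say so in the doc comment, e.g. `// Shared config loading is always enabled; enableSharedConfig is retained for API compatibility and ignored.` Enabling shared config also means directives such as `role_arn`/`source_profile` and `credential_process` in the file that `credentialsFile` points to can be honoured by the SDK, so that file is now a trust boundary worth naming in the comment. The function continues past this hunk.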
@@ -282,23 +278,9 @@ func newSessionOptions(config aws.Config, profile string, caCert string, credent
 }
 return session.Options{}, errors.Wrapf(err, "could not get credentialsFile info")
 }
- sessionOptions.SharedConfigFiles = []string{credentialsFile}
-
- if sharedConfig, berr := strconv.ParseBool(enableSharedConfig); sharedConfig && berr == nil {
- sessionOptions.SharedConfigState = session.SharedConfigEnable
- }
- } else if len(os.Getenv("AWS_ROLE_ARN")) > 0 {
- // Assume we're running in a pod with a service account
- sess := session.Must(session.NewSession())
- conf := config.WithCredentialsChainVerboseErrors(true).
- WithCredentials(credentials.NewCredentials(stscreds.NewWebIdentityRoleProvider(
- sts.New(sess),
- os.Getenv("AWS_ROLE_ARN"),
- "",
- os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"),
- )))
- sessionOptions.Config = *conf
+ sessionOptions.SharedConfigFiles = append(sessionOptions.SharedConfigFiles, credentialsFile)
 }
+
 return sessionOptions, nil
 }
diff --git a/velero-plugin-for-aws/volume_snapshotter.go b/velero-plugin-for-aws/volume_snapshotter.go
index 5e50c17..dbf0a26 100644
--- a/velero-plugin-for-aws/volume_snapshotter.go
+++ b/velero-plugin-for-aws/volume_snapshotter.go
@@ -24,6 +24,7 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/awserr"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/service/ec2"
 "github.com/pkg/errors"
@@ -37,14 +38,14 @@ import (
 )
 const (
- regionKey = "region"
+ regionKey = "region"
 ebsCSIDriver = "ebs.csi.aws.com"
 )
 // iopsVolumeTypes is a set of AWS EBS volume types for which IOPS should
 // be captured during snapshot and provided when creating a new volume
 // from snapshot.
-var iopsVolumeTypes = sets.NewString("io1","io2")
+var iopsVolumeTypes = sets.NewString("io1", "io2")
 type VolumeSnapshotter struct {
 log logrus.FieldLogger
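Review bot: Removing the `strconv.ParseBool` block takes away the only use of `strconv` visible in this function, yet neither import hunk above drops `"strconv"`; if no other function in object_store.go uses it, the file stops compiling, so please check that import. The `append` onto the still-nil `SharedConfigFiles` produces the same single-element slice as the old literal, so that line is behaviour-preserving, but the deleted `AWS_ROLE_ARN` branch means `newSessionOptions` no longer supplies web-identity credentials at all; if object_store's `Init` obtains its session through `getSession` in volume_snapshotter.go this is covered by that file's hunk, otherwise object-store sessions lose role-based credentials. A one-line comment at the `append`, `// Only credentialsFile is consulted; default ~/.aws files are not loaded.`, would make the narrowed search path explicit. `newSessionOptions` begins outside this hunk.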
@@ -55,12 +56,17 @@ type VolumeSnapshotter struct {
 func getSession(options session.Options) (*session.Session, error) {
 sess, err := session.NewSessionWithOptions(options)
 if err != nil {
- return nil, errors.WithStack(err)
+ return nil, fmt.Errorf("instantiating AWS session: %w", err)
+ }
+
+ if len(os.Getenv("AWS_ROLE_ARN")) > 0 {
+ sess.Config.WithCredentials(stscreds.NewCredentials(sess, os.Getenv("AWS_ROLE_ARN")))
 }
 if _, err := sess.Config.Credentials.Get(); err != nil {
 return nil, errors.WithStack(err)
 }
+
 return sess, nil
 }
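Review bot: The new `AWS_ROLE_ARN` branch calls `stscreds.NewCredentials`, which is a plain `sts:AssumeRole` using whatever credentials the session already resolved, and it never consults `AWS_WEB_IDENTITY_TOKEN_FILE`; recent aws-sdk-go v1 releases already turn that pair of variables into a web-identity provider inside `NewSessionWithOptions`, so when the token file is present this re-assumes the same role by chaining, which only succeeds if the role's trust policy admits itself and shortens the credentials to the chained-session limit. Guarding the branch on the token file being absent, reading the variable once, and setting a `RoleSessionName` so CloudTrail attributes the assumed-role calls to this plugin would address that (sketch below; the session name is an example value). The discarded return of `WithCredentials` is correct only because `aws.Config.WithCredentials` mutates its receiver, which deserves a comment such as `// WithCredentials mutates sess.Config in place; the returned *Config is the same object.` The added error uses `fmt.Errorf(... %w)` while the `Credentials.Get` check two lines later keeps `errors.WithStack`; pick one style, and confirm `fmt` is imported, since the import hunk above only adds stscreds.
```go
	// … unchanged: NewSessionWithOptions and its error check …

	// Chain into AWS_ROLE_ARN only when the SDK did not already resolve it from
	// a web-identity token during session construction; assuming the role again
	// from web-identity credentials would be role chaining back into itself.
	if roleARN := os.Getenv("AWS_ROLE_ARN"); roleARN != "" && os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") == "" {
		// WithCredentials mutates sess.Config in place; the returned *Config is the same object.
		sess.Config.WithCredentials(stscreds.NewCredentials(sess, roleARN, func(p *stscreds.AssumeRoleProvider) {
			// A stable session name lets CloudTrail attribute the assumed-role activity to this plugin.
			p.RoleSessionName = "velero-plugin-for-aws" // example value
		}))
	}

	// … unchanged: Credentials.Get() check and return …
```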