From e0fc0d058ddf3cf8b12e232fc5a2e29108ad0a96 Mon Sep 17 00:00:00 2001
From: Luis Davim
Date: Wed, 2 Aug 2023 13:14:06 +0100
Subject: [PATCH] fix: load AWS config and assume role
Signed-off-by: Luis Davim
---
 velero-plugin-for-aws/object_store.go | 27 ++++-----------------
 velero-plugin-for-aws/volume_snapshotter.go | 10 ++++++--
 2 files changed, 13 insertions(+), 24 deletions(-)
diff --git a/velero-plugin-for-aws/object_store.go b/velero-plugin-for-aws/object_store.go
index b03a71c4..59bcfc9f 100644
--- a/velero-plugin-for-aws/object_store.go
+++ b/velero-plugin-for-aws/object_store.go
@@ -18,8 +18,6 @@ package main
 import (
 "crypto/tls"
- "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
- "github.com/aws/aws-sdk-go/service/sts"
 "io"
 "net/http"
 "os"
@@ -30,7 +28,6 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/awserr"
- "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/endpoints"
 "github.com/aws/aws-sdk-go/aws/request"
 "github.com/aws/aws-sdk-go/aws/session"
@@ -268,9 +265,8 @@ func readCustomerKey(customerKeyEncryptionFile string) (string, error) {
 // newSessionOptions creates a session.Options with the given config and profile. If
 // caCert and credentialsFile are provided, these will be used for the CustomCABundle
 // and the credentials for the session.
-func newSessionOptions(config aws.Config, profile string, caCert string, credentialsFile string, enableSharedConfig string) (session.Options, error) {
+func newSessionOptions(config aws.Config, profile, caCert, credentialsFile, enableSharedConfig string) (session.Options, error) {
 sessionOptions := session.Options{Config: config, Profile: profile}
-
 if caCert != "" {
 sessionOptions.CustomCABundle = strings.NewReader(caCert)
 }
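Review bot: `enableSharedConfig` stays in the new signature but has no reader once the next hunk (`@@ -282,23 +278,10 @@`) removes the `strconv.ParseBool(enableSharedConfig)` gate and sets `sessionOptions.SharedConfigState = session.SharedConfigEnable` unconditionally whenever `credentialsFile` is non-empty; the doc comment above the function also still describes only the CustomCABundle and the credentials file, not that shared-config loading is now always enabled. Either drop the parameter at every call site or keep the opt-in, e.g. `if enabled, err := strconv.ParseBool(enableSharedConfig); err == nil && enabled { sessionOptions.SharedConfigState = session.SharedConfigEnable }`. If the gate goes, extend the comment to say that with SharedConfigEnable the SDK will also act on profile directives found in the supplied file (role_arn/source_profile and similar, going by the SDK's documented shared-config behaviour), which users who never set enableSharedConfig did not get before. If `strconv` had no other use in object_store.go its import is now dangling and the build will reject it; the body of newSessionOptions continues past this hunk.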
@@ -282,23 +278,10 @@ func newSessionOptions(config aws.Config, profile string, caCert string, credent
 }
 return session.Options{}, errors.Wrapf(err, "could not get credentialsFile info")
 }
- sessionOptions.SharedConfigFiles = []string{credentialsFile}
-
- if sharedConfig, berr := strconv.ParseBool(enableSharedConfig); sharedConfig && berr == nil {
- sessionOptions.SharedConfigState = session.SharedConfigEnable
- }
- } else if len(os.Getenv("AWS_ROLE_ARN")) > 0 {
- // Assume we're running in a pod with a service account
- sess := session.Must(session.NewSession())
- conf := config.WithCredentialsChainVerboseErrors(true). WithCredentials(credentials.NewCredentials(stscreds.NewWebIdentityRoleProvider( sts.New(sess), os.Getenv("AWS_ROLE_ARN"), "", os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), )))
- sessionOptions.Config = *conf
+ sessionOptions.SharedConfigFiles = append(sessionOptions.SharedConfigFiles, credentialsFile)
+ sessionOptions.SharedConfigState = session.SharedConfigEnable
 }
+
 return sessionOptions, nil
 }
@@ -314,7 +297,7 @@ func newAWSConfig(url, region string, forcePathStyle bool) (*aws.Config, error)
 awsConfig = awsConfig.WithEndpointResolver(
 endpoints.ResolverFunc(func(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
- if service == endpoints.S3ServiceID {
+ if service == s3.EndpointsID {
 return endpoints.ResolvedEndpoint{
 URL: url,
 }, nil
diff --git a/velero-plugin-for-aws/volume_snapshotter.go b/velero-plugin-for-aws/volume_snapshotter.go
index 5e50c178..28e7f203 100644
--- a/velero-plugin-for-aws/volume_snapshotter.go
+++ b/velero-plugin-for-aws/volume_snapshotter.go
@@ -24,6 +24,7 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/awserr"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/service/ec2"
 "github.com/pkg/errors"
@@ -37,14 +38,14 @@ import (
 )
 const (
- regionKey = "region"
+ regionKey = "region"
 ebsCSIDriver = "ebs.csi.aws.com"
 )
 // iopsVolumeTypes is a set of AWS EBS volume types for which IOPS should
 // be captured during snapshot and provided when creating a new volume
 // from snapshot.
-var iopsVolumeTypes = sets.NewString("io1","io2")
+var iopsVolumeTypes = sets.NewString("io1", "io2")
 type VolumeSnapshotter struct {
 log logrus.FieldLogger
@@ -58,9 +59,14 @@ func getSession(options session.Options) (*session.Session, error) {
 return nil, errors.WithStack(err)
 }
+ if len(os.Getenv("AWS_ROLE_ARN")) > 0 {
+ sess.Config.WithCredentials(stscreds.NewCredentials(sess, os.Getenv("AWS_ROLE_ARN")))
+ }
+
 if _, err := sess.Config.Credentials.Get(); err != nil {
 return nil, errors.WithStack(err)
 }
+
 return sess, nil
 }
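Review bot: The new branch in getSession keys only on `AWS_ROLE_ARN` and assumes it with `stscreds.NewCredentials(sess, …)`, a plain STS AssumeRole on top of whatever credentials the session already resolved, whereas the branch this patch removes from object_store.go used the web-identity token file. `AWS_ROLE_ARN` is also what IRSA injects together with `AWS_WEB_IDENTITY_TOKEN_FILE`, and the aws-sdk-go session's own credential chain already turns that pair into web-identity credentials (confirm against the vendored SDK version), so in such a pod this performs a second AssumeRole of the same role, which only works if the role trusts itself and otherwise fails at the `sess.Config.Credentials.Get()` check below. Suggest guarding the branch, `if roleARN := os.Getenv("AWS_ROLE_ARN"); roleARN != "" && os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") == "" {`, and assigning `sess.Config.Credentials = stscreds.NewCredentials(sess, roleARN)` instead of discarding the `*aws.Config` that `WithCredentials` returns, which reads as if the result were lost even though the method mutates the receiver. The signature and first error return of getSession are outside the hunk, and `os` must already be imported in volume_snapshotter.go since this patch does not add it there.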