From 6953c8ce825956b025b9b3a8e9f0b63513cc8eb5 Mon Sep 17 00:00:00 2001 From: Luis Davim Date: Wed, 2 Aug 2023 13:14:06 +0100 Subject: [PATCH] fix: load AWS config and assume role Signed-off-by: Luis Davim --- velero-plugin-for-aws/object_store.go | 41 ++++++++++----------- velero-plugin-for-aws/volume_snapshotter.go | 18 +-------- 2 files changed, 21 insertions(+), 38 deletions(-) diff --git a/velero-plugin-for-aws/object_store.go b/velero-plugin-for-aws/object_store.go index b03a71c4..1cac5a7a 100644 --- a/velero-plugin-for-aws/object_store.go +++ b/velero-plugin-for-aws/object_store.go @@ -18,8 +18,6 @@ package main import ( "crypto/tls" - "github.com/aws/aws-sdk-go/aws/credentials/stscreds" - "github.com/aws/aws-sdk-go/service/sts" "io" "net/http" "os" @@ -30,7 +28,6 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" - "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/aws/request" "github.com/aws/aws-sdk-go/aws/session" @@ -268,9 +265,8 @@ func readCustomerKey(customerKeyEncryptionFile string) (string, error) { // newSessionOptions creates a session.Options with the given config and profile. If // caCert and credentialsFile are provided, these will be used for the CustomCABundle // and the credentials for the session. -func newSessionOptions(config aws.Config, profile string, caCert string, credentialsFile string, enableSharedConfig string) (session.Options, error) { +func newSessionOptions(config aws.Config, profile, caCert, credentialsFile, enableSharedConfig string) (session.Options, error) { sessionOptions := session.Options{Config: config, Profile: profile} - if caCert != "" { sessionOptions.CustomCABundle = strings.NewReader(caCert) } @@ -282,23 +278,10 @@ func newSessionOptions(config aws.Config, profile string, caCert string, credent } return session.Options{}, errors.Wrapf(err, "could not get credentialsFile info") } - sessionOptions.SharedConfigFiles = []string{credentialsFile} - - if sharedConfig, berr := strconv.ParseBool(enableSharedConfig); sharedConfig && berr == nil { - sessionOptions.SharedConfigState = session.SharedConfigEnable - } - } else if len(os.Getenv("AWS_ROLE_ARN")) > 0 { - // Assume we're running in a pod with a service account - sess := session.Must(session.NewSession()) - conf := config.WithCredentialsChainVerboseErrors(true). - WithCredentials(credentials.NewCredentials(stscreds.NewWebIdentityRoleProvider( - sts.New(sess), - os.Getenv("AWS_ROLE_ARN"), - "", - os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), - ))) - sessionOptions.Config = *conf + sessionOptions.SharedConfigFiles = append(sessionOptions.SharedConfigFiles, credentialsFile) + sessionOptions.SharedConfigState = session.SharedConfigEnable } + return sessionOptions, nil } @@ -314,7 +297,7 @@ func newAWSConfig(url, region string, forcePathStyle bool) (*aws.Config, error) awsConfig = awsConfig.WithEndpointResolver( endpoints.ResolverFunc(func(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) { - if service == endpoints.S3ServiceID { + if service == s3.EndpointsID { return endpoints.ResolvedEndpoint{ URL: url, }, nil @@ -328,6 +311,20 @@ func newAWSConfig(url, region string, forcePathStyle bool) (*aws.Config, error) return awsConfig, nil } +// takes AWS session options to create a new session +func getSession(options session.Options) (*session.Session, error) { + sess, err := session.NewSessionWithOptions(options) + if err != nil { + return nil, errors.WithStack(err) + } + + if _, err := sess.Config.Credentials.Get(); err != nil { + return nil, errors.WithStack(err) + } + + return sess, nil +} + func (o *ObjectStore) PutObject(bucket, key string, body io.Reader) error { req := &s3manager.UploadInput{ Bucket: &bucket, diff --git a/velero-plugin-for-aws/volume_snapshotter.go b/velero-plugin-for-aws/volume_snapshotter.go index 5e50c178..8d18a505 100644 --- a/velero-plugin-for-aws/volume_snapshotter.go +++ b/velero-plugin-for-aws/volume_snapshotter.go @@ -24,7 +24,6 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" - "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/ec2" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -37,33 +36,20 @@ import ( ) const ( - regionKey = "region" + regionKey = "region" ebsCSIDriver = "ebs.csi.aws.com" ) // iopsVolumeTypes is a set of AWS EBS volume types for which IOPS should // be captured during snapshot and provided when creating a new volume // from snapshot. -var iopsVolumeTypes = sets.NewString("io1","io2") +var iopsVolumeTypes = sets.NewString("io1", "io2") type VolumeSnapshotter struct { log logrus.FieldLogger ec2 *ec2.EC2 } -// takes AWS session options to create a new session -func getSession(options session.Options) (*session.Session, error) { - sess, err := session.NewSessionWithOptions(options) - if err != nil { - return nil, errors.WithStack(err) - } - - if _, err := sess.Config.Credentials.Get(); err != nil { - return nil, errors.WithStack(err) - } - return sess, nil -} - func newVolumeSnapshotter(logger logrus.FieldLogger) *VolumeSnapshotter { return &VolumeSnapshotter{log: logger} }