Merge pull request #208 from kanisterio/get-caller-identity

EFS provider will use STS instead of IAM. IAM.GetUser() cannot be used with roles without giving the user ID as an argument. STS.GetCallerIdentity() supports roles and users without giving any arguments. * Removes IAM calls. * Adds STS call to get account ID.
kanisterio · Aug 15, 2019 · 0041a02 · 0041a02
2 parents e7e0eea + 43ef788
commit 0041a02
Showing 1 changed file with 6 additions and 11 deletions.
diff --git a/pkg/blockstorage/awsefs/awsefs.go b/pkg/blockstorage/awsefs/awsefs.go
@@ -6,11 +6,10 @@ import (
 	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
-	awsarn "github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/backup"
 	awsefs "github.com/aws/aws-sdk-go/service/efs"
-	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/pkg/errors"
 	uuid "github.com/satori/go.uuid"
 	"k8s.io/apimachinery/pkg/util/rand"
@@ -53,19 +52,15 @@ func NewEFSProvider(config map[string]string) (blockstorage.Provider, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "Failed to create session for EFS")
 	}
-	iamCli := iam.New(s, aws.NewConfig().WithRegion(region))
-	user, err := iamCli.GetUser(&iam.GetUserInput{})
+	stsCli := sts.New(s, aws.NewConfig().WithRegion(region))
+	user, err := stsCli.GetCallerIdentity(&sts.GetCallerIdentityInput{})
 	if err != nil {
 		return nil, errors.Wrap(err, "Failed to get user")
 	}
-	if user.User == nil {
-		return nil, errors.New("Failed to infer user from credentials")
+	if user.Account == nil {
+		return nil, errors.New("Account ID is empty")
 	}
-	userARN, err := awsarn.Parse(*user.User.Arn)
-	if err != nil {
-		return nil, err
-	}
-	accountID := userARN.AccountID
+	accountID := *user.Account
 	efsCli := awsefs.New(s, aws.NewConfig().WithRegion(region))
 	backupCli := backup.New(s, aws.NewConfig().WithRegion(region))
 	return &efs{