Consume AWS session token for Stow (#296)

Pass AWS session token from secret or environment variable to Stow configmap. * Consume AWS session token. * Update the test. * Update the go mod files.
kanisterio · Sep 17, 2019 · 0812700 · 0812700
1 parent 1edcd0f
commit 0812700
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 2 deletions.
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.12
 
 replace (
 	cloud.google.com/go => github.com/GoogleCloudPlatform/google-cloud-go v0.1.1-0.20160913182117-3b1ae45394a2
-	github.com/graymeta/stow => github.com/kastenhq/stow v0.1.1-kasten
+	github.com/graymeta/stow => github.com/kastenhq/stow v0.1.2-kasten
 	github.com/rook/operator-kit => github.com/kastenhq/operator-kit v0.0.0-20180316185208-859e831cc18d
 )
 

diff --git a/go.sum b/go.sum
@@ -143,6 +143,8 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kastenhq/stow v0.1.1-kasten h1:0IuykRy/KfqUttO2n6w3XTJzyFhSThXeE5UtKvstmYs=
 github.com/kastenhq/stow v0.1.1-kasten/go.mod h1:ABI2whmZOX25JbmbVuHRLFuPiGnv5lxXhduCtof7UHk=
+github.com/kastenhq/stow v0.1.2-kasten h1:3msAbg6woEPWzYaBPmsOY4a0V55QosWD86XMOE+gDbM=
+github.com/kastenhq/stow v0.1.2-kasten/go.mod h1:ABI2whmZOX25JbmbVuHRLFuPiGnv5lxXhduCtof7UHk=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=

diff --git a/pkg/objectstore/objectstore.go b/pkg/objectstore/objectstore.go
@@ -112,13 +112,14 @@ func Supported(t ProviderType) bool {
 }
 
 func s3Config(config ProviderConfig, secret *Secret, region string) (stowKind string, stowConfig stow.Config, err error) {
-	var awsAccessKeyID, awsSecretAccessKey string
+	var awsAccessKeyID, awsSecretAccessKey, awsSessionToken string
 	if secret != nil {
 		if secret.Type != SecretTypeAwsAccessKey {
 			return "", nil, errors.Errorf("invalid secret type %s", secret.Type)
 		}
 		awsAccessKeyID = secret.Aws.AccessKeyID
 		awsSecretAccessKey = secret.Aws.SecretAccessKey
+		awsSessionToken = secret.Aws.SessionToken
 	} else {
 		var ok bool
 		if awsAccessKeyID, ok = os.LookupEnv("AWS_ACCESS_KEY_ID"); !ok {
@@ -127,10 +128,12 @@ func s3Config(config ProviderConfig, secret *Secret, region string) (stowKind st
 		if awsSecretAccessKey, ok = os.LookupEnv("AWS_SECRET_ACCESS_KEY"); !ok {
 			return "", nil, errors.New("AWS_SECRET_ACCESS_KEY environment not set")
 		}
+		awsSessionToken = os.Getenv("AWS_SESSION_TOKEN")
 	}
 	cm := stow.ConfigMap{
 		stows3.ConfigAccessKeyID: awsAccessKeyID,
 		stows3.ConfigSecretKey:   awsSecretAccessKey,
+		stows3.ConfigToken:       awsSessionToken,
 	}
 	if region != "" {
 		cm[stows3.ConfigRegion] = region

diff --git a/pkg/objectstore/objectstore_test.go b/pkg/objectstore/objectstore_test.go
@@ -455,6 +455,7 @@ func getSecret(c *C, osType ProviderType) *Secret {
 		secret.Aws = &SecretAws{
 			AccessKeyID:     os.Getenv("AWS_ACCESS_KEY_ID"),
 			SecretAccessKey: os.Getenv("AWS_SECRET_ACCESS_KEY"),
+			SessionToken:    os.Getenv("AWS_SESSION_TOKEN"),
 		}
 		c.Check(secret.Aws.AccessKeyID, Not(Equals), "")
 		c.Check(secret.Aws.SecretAccessKey, Not(Equals), "")