Update getOSSecret to use Secret credentials in AWS (#309)

* Update getOSSecret to use Secret credentials in AWS * Create credentials with session token support * Inline the session token check * Review updates
kanisterio · Sep 20, 2019 · 2192605 · 2192605
1 parent 9178d4c
commit 2192605
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 6 deletions.
diff --git a/pkg/location/location.go b/pkg/location/location.go
@@ -24,6 +24,7 @@ import (
 	crv1alpha1 "github.com/kanisterio/kanister/pkg/apis/cr/v1alpha1"
 	"github.com/kanisterio/kanister/pkg/objectstore"
 	"github.com/kanisterio/kanister/pkg/param"
+	"github.com/kanisterio/kanister/pkg/secrets"
 )
 
 const (
@@ -144,11 +145,7 @@ func getOSSecret(pType objectstore.ProviderType, cred param.Credential) (*object
 	secret := &objectstore.Secret{}
 	switch pType {
 	case objectstore.ProviderTypeS3:
-		secret.Type = objectstore.SecretTypeAwsAccessKey
-		secret.Aws = &objectstore.SecretAws{
-			AccessKeyID:     cred.KeyPair.ID,
-			SecretAccessKey: cred.KeyPair.Secret,
-		}
+		return getAWSSecret(cred)
 	case objectstore.ProviderTypeGCS:
 		secret.Type = objectstore.SecretTypeGcpServiceAccountKey
 		secret.Gcp = &objectstore.SecretGcp{
@@ -166,3 +163,30 @@ func getOSSecret(pType objectstore.ProviderType, cred param.Credential) (*object
 	}
 	return secret, nil
 }
+
+func getAWSSecret(cred param.Credential) (*objectstore.Secret, error) {
+	os := &objectstore.Secret{
+		Type: objectstore.SecretTypeAwsAccessKey,
+	}
+	switch cred.Type {
+	case param.CredentialTypeKeyPair:
+		os.Aws = &objectstore.SecretAws{
+			AccessKeyID:     cred.KeyPair.ID,
+			SecretAccessKey: cred.KeyPair.Secret,
+		}
+		return os, nil
+	case param.CredentialTypeSecret:
+		creds, err := secrets.ExtractAWSCredentials(cred.Secret)
+		if err != nil {
+			return nil, err
+		}
+		os.Aws = &objectstore.SecretAws{
+			AccessKeyID:     creds.AccessKeyID,
+			SecretAccessKey: creds.SecretAccessKey,
+			SessionToken:    creds.SessionToken,
+		}
+		return os, nil
+	default:
+		return nil, errors.Errorf("Unsupported type '%s' for credential", cred.Type)
+	}
+}
diff --git a/pkg/testutil/fixture.go b/pkg/testutil/fixture.go
@@ -22,6 +22,7 @@ import (
 	"golang.org/x/oauth2/google"
 	compute "google.golang.org/api/compute/v1"
 	"gopkg.in/check.v1"
+	v1 "k8s.io/api/core/v1"
 
 	crv1alpha1 "github.com/kanisterio/kanister/pkg/apis/cr/v1alpha1"
 	"github.com/kanisterio/kanister/pkg/blockstorage"
@@ -37,11 +38,13 @@ const (
 
 func ObjectStoreProfileOrSkip(c *check.C, osType objectstore.ProviderType, location crv1alpha1.Location) *param.Profile {
 	var key, val string
-
 	switch osType {
 	case objectstore.ProviderTypeS3:
 		key = GetEnvOrSkip(c, awsconfig.AccessKeyID)
 		val = GetEnvOrSkip(c, awsconfig.SecretAccessKey)
+		if session, ok := os.LookupEnv(awsconfig.SessionToken); ok {
+			return s3ProfileWithSecretCredential(location, key, val, session)
+		}
 	case objectstore.ProviderTypeGCS:
 		GetEnvOrSkip(c, blockstorage.GoogleCloudCreds)
 		creds, err := google.FindDefaultCredentials(context.Background(), compute.ComputeScope)
@@ -72,3 +75,20 @@ func GetEnvOrSkip(c *check.C, varName string) string {
 	}
 	return v
 }
+
+func s3ProfileWithSecretCredential(location crv1alpha1.Location, accessKeyID, secretAccessKey, sessionToken string) *param.Profile {
+	return &param.Profile{
+		Location: location,
+		Credential: param.Credential{
+			Type: param.CredentialTypeSecret,
+			Secret: &v1.Secret{
+				Type: "secrets.kanister.io/aws",
+				Data: map[string][]byte{
+					"access_key_id":     []byte(accessKeyID),
+					"secret_access_key": []byte(secretAccessKey),
+					"session_token":     []byte(sessionToken),
+				},
+			},
+		},
+	}
+}