Extract AWS credentials from secret

[hakanmemisoglu]

Change Overview

Extract AWS credentials from AWS typed secret.

• Validate AWS credential secret.
• Extract required awsAccessKeyID and awsSecretAccessKey fields from the secret.
• Extract optional awsSessionToken from the field.

Pull request type

Please check the type of change your PR introduces:

• Work in Progress
• Refactoring (no functional changes, no api changes)
• Trivial/Minor
• Bugfix
• Feature
• Documentation

Test Plan

• Manual
• Unit test
• E2E

[tdmanv]

Looks good!

[julio-lopez]

Why not use the same values that the AWS SDK and CLI use? That's what mot people would expect these (environment) variables to be named, and thus to be the corresponding keys in the secret

[hakanmemisoglu]

@tdmanv suggested we are using camel case with secret data fields in Kanister.

[tdmanv]

I think I said lowercase. The field names I've seen elsewhere in our code are:

    access_key_id: XXX
    secret_access_key: XXX

[julio-lopez]

@tdmanv lower case is "surprising", what's the rationale for it?
With the given key names, it would not be possible to directly export all key-value pairs in a secret as environment variables.

[tdmanv]

[minor] do these need to be exported?

[hakanmemisoglu]

Not needed right now. However I think some Kanister package sure can use this value to validate their own input.

[julio-lopez]

This check seems too restrictive in the sense that it should be possible to easily extend the usage of these secrets by adding other fields without having to go and explicitly modify code that uses these secrets. In particular, this is not forward compatible. That is, in the future we decide to include other fields, suppose the role or some other metadata instead of the token, (a) it would require validation changes to allow the new definition and (b) older versions of the code would break when encountering the new types of secrets.