Extract AWS credentials from secret #292
Conversation
Looks good!
pkg/secrets/aws.go
Outdated
AWSSecretType string = "secrets.kanister.io/aws" | ||
|
||
// AWSAccessKeyID is the key for AWS access key ID. | ||
AWSAccessKeyID string = "awsAccessKeyID" |
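Review bot: the key value `awsAccessKeyID` departs from the spelling the AWS SDK and CLI use for the same credential (`AWS_ACCESS_KEY_ID`), which is what most users will expect and which would let the secret's entries be exported straight into the environment; whichever convention is settled on, document it in the comment above the constants so secret authors do not have to guess the spelling.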
Why not use the same values that the AWS SDK and CLI use? That's what most people would expect these (environment) variables to be named, and thus to be the corresponding keys in the secret.
@tdmanv suggested we are using camel case with secret data fields in Kanister.
I think I said lowercase. The field names I've seen elsewhere in our code are:
access_key_id: XXX
secret_access_key: XXX
@tdmanv lower case is "surprising", what's the rationale for it?
With the given key names, it would not be possible to directly export all key-value pairs in a secret as environment variables.
|
||
const ( | ||
// AWSSecretType represents the secret type for AWS credentials. | ||
AWSSecretType string = "secrets.kanister.io/aws" |
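Review bot: `AWSSecretType` is declared here but nothing in this hunk shows it being compared against the secret's `Type` field; the reader should check `secret.Type == AWSSecretType` before trusting the keys in `Data`, otherwise an unrelated secret that happens to carry the same key names is accepted silently. Keeping the constant exported is reasonable if other packages are expected to perform that same validation.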
[minor] do these need to be exported?
Not needed right now. However, I think some Kanister packages can surely use this value to validate their own input.
if _, ok := secret.Data[AWSSessionToken]; ok { | ||
count++ | ||
} | ||
if len(secret.Data) > count { |
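Review bot: `if len(secret.Data) > count` rejects any secret that carries a key beyond the ones counted, so adding a field later (a role, other metadata) breaks every older reader; validate that the required keys are present and ignore unknown keys instead of counting entries. While here, check that the required values are non-empty, since a present-but-empty `awsAccessKeyID` passes a key-existence test.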
This check seems too restrictive in the sense that it should be possible to easily extend the usage of these secrets by adding other fields without having to go and explicitly modify code that uses these secrets. In particular, this is not forward compatible. That is, if in the future we decide to include other fields, suppose the role or some other metadata instead of the token, (a) it would require validation changes to allow the new definition and (b) older versions of the code would break when encountering the new types of secrets.
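The forward-compatible validation the comment above asks for, as an added example written for this page rather than the PR's own code; it assumes constant names `AWSSecretType`, `AWSAccessKeyID`, `AWSSecretAccessKey` and `AWSSessionToken` with the values shown in the diff, a minimal `Secret` stand-in for the Kubernetes type, and a hypothetical `ExtractAWSCredentials` function that checks the type and required keys but tolerates unknown ones:

```go
package main
import "fmt"

// Key names as discussed in the review (assumed to match the PR's constants).
const (
	AWSSecretType      = "secrets.kanister.io/aws"
	AWSAccessKeyID     = "awsAccessKeyID"
	AWSSecretAccessKey = "awsSecretAccessKey"
	AWSSessionToken    = "awsSessionToken"
)

// Secret is a minimal stand-in for a Kubernetes Secret, constructed for this example.
type Secret struct {
	Type string
	Data map[string][]byte
}

// AWSCredentials holds the values read from the secret; SessionToken may be empty.
type AWSCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
}

// ExtractAWSCredentials checks the secret type and the two required keys but
// tolerates unknown keys, so a newer secret layout does not break an older reader.
func ExtractAWSCredentials(s *Secret) (*AWSCredentials, error) {
	if s == nil {
		return nil, fmt.Errorf("nil secret")
	}
	if s.Type != AWSSecretType {
		return nil, fmt.Errorf("unexpected secret type %q, want %q", s.Type, AWSSecretType)
	}
	for _, k := range []string{AWSAccessKeyID, AWSSecretAccessKey} {
		if len(s.Data[k]) == 0 {
			return nil, fmt.Errorf("missing required key %q", k)
		}
	}
	// Extra keys such as a future "role" field are ignored, not rejected.
	return &AWSCredentials{
		AccessKeyID:     string(s.Data[AWSAccessKeyID]),
		SecretAccessKey: string(s.Data[AWSSecretAccessKey]),
		SessionToken:    string(s.Data[AWSSessionToken]),
	}, nil
}

func main() {
	// Constructed sample: required keys plus an unknown "role" key that must not cause rejection.
	s := &Secret{Type: AWSSecretType, Data: map[string][]byte{
		AWSAccessKeyID: []byte("AKIAEXAMPLE"), AWSSecretAccessKey: []byte("example-secret"), "role": []byte("r")}}
	fmt.Println(ExtractAWSCredentials(s))
}
```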
Change Overview
Extract AWS credentials from an AWS typed secret: the awsAccessKeyID and awsSecretAccessKey fields from the secret, and awsSessionToken from the field.