-
Notifications
You must be signed in to change notification settings - Fork 153
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extract AWS credentials from secret #292
Changes from all commits
66025e0
93c9852
fce0a42
da40ba5
0910caf
f271234
4f6ae77
35b8ebb
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
package secrets | ||
|
||
import ( | ||
"github.com/aws/aws-sdk-go/aws/credentials" | ||
"github.com/pkg/errors" | ||
v1 "k8s.io/api/core/v1" | ||
) | ||
|
||
const ( | ||
// AWSSecretType represents the secret type for AWS credentials. | ||
AWSSecretType string = "secrets.kanister.io/aws" | ||
|
||
// AWSAccessKeyID is the key for AWS access key ID. | ||
AWSAccessKeyID string = "access_key_id" | ||
// AWSSecretAccessKey is the key for AWS secret access key. | ||
AWSSecretAccessKey string = "secret_access_key" | ||
// AWSSessionToken is the key for optional AWS session token. | ||
AWSSessionToken string = "session_token" | ||
) | ||
|
||
// ValidateAWSCredentials validates secret has all necessary information | ||
// for AWS credentials. It also checks the secret doesn't have unnnecessary | ||
// information. | ||
// | ||
// Required fields: | ||
// - access_key_id | ||
// - secret_access_key | ||
// | ||
// Optional field: | ||
// - session_token | ||
func ValidateAWSCredentials(secret *v1.Secret) error { | ||
if string(secret.Type) != AWSSecretType { | ||
return errors.New("Secret is not AWS secret") | ||
} | ||
if _, ok := secret.Data[AWSAccessKeyID]; !ok { | ||
return errors.New("awsAccessKeyID is a required field") | ||
} | ||
if _, ok := secret.Data[AWSSecretAccessKey]; !ok { | ||
return errors.New("awsSecretAccessKey is a required field") | ||
} | ||
count := 2 | ||
if _, ok := secret.Data[AWSSessionToken]; ok { | ||
count++ | ||
} | ||
if len(secret.Data) > count { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This check seems too restrictive in the sense that it should be possible to easily extend the usage of these secrets by adding other fields without having to go and explicitly modify code that uses these secrets. In particular, this is not forward compatible. That is, in the future we decide to include other fields, suppose the role or some other metadata instead of the token, (a) it would require validation changes to allow the new definition and (b) older versions of the code would break when encountering the new types of secrets. |
||
return errors.New("Secret has an unknown field") | ||
} | ||
return nil | ||
} | ||
|
||
// ExtractAWSCredentials extracts AWS credential values from the given secret. | ||
// | ||
// Extracted values from the secrets are: | ||
// - access_key_id (required) | ||
// - secret_access_key (required) | ||
// - session_token (optional) | ||
// | ||
// If the type of the secret is not "secret.kanister.io/aws", it returns an error. | ||
// If the required types are not avaialable in the secrets, it returns an errror. | ||
func ExtractAWSCredentials(secret *v1.Secret) (*credentials.Value, error) { | ||
hakanmemisoglu marked this conversation as resolved.
Show resolved
Hide resolved
|
||
if err := ValidateAWSCredentials(secret); err != nil { | ||
return nil, err | ||
} | ||
accessKeyID := secret.Data[AWSAccessKeyID] | ||
secretAccessKey := secret.Data[AWSSecretAccessKey] | ||
sessionToken := secret.Data[AWSSessionToken] | ||
return &credentials.Value{ | ||
AccessKeyID: string(accessKeyID), | ||
SecretAccessKey: string(secretAccessKey), | ||
SessionToken: string(sessionToken), | ||
}, nil | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
package secrets | ||
|
||
import ( | ||
"github.com/aws/aws-sdk-go/aws/credentials" | ||
. "gopkg.in/check.v1" | ||
v1 "k8s.io/api/core/v1" | ||
) | ||
|
||
type AWSSecretSuite struct{} | ||
|
||
var _ = Suite(&AWSSecretSuite{}) | ||
|
||
func (s *AWSSecretSuite) TestExtractAWSCredentials(c *C) { | ||
tcs := []struct { | ||
secret *v1.Secret | ||
expected *credentials.Value | ||
errChecker Checker | ||
}{ | ||
{ | ||
secret: &v1.Secret{ | ||
Type: v1.SecretType(AWSSecretType), | ||
Data: map[string][]byte{ | ||
AWSAccessKeyID: []byte("key_id"), | ||
AWSSecretAccessKey: []byte("secret_key"), | ||
}, | ||
}, | ||
expected: &credentials.Value{ | ||
AccessKeyID: "key_id", | ||
SecretAccessKey: "secret_key", | ||
}, | ||
errChecker: IsNil, | ||
}, | ||
{ | ||
secret: &v1.Secret{ | ||
Type: v1.SecretType(AWSSecretType), | ||
Data: map[string][]byte{ | ||
AWSAccessKeyID: []byte("key_id"), | ||
AWSSecretAccessKey: []byte("secret_key"), | ||
AWSSessionToken: []byte("session_token"), | ||
}, | ||
}, | ||
expected: &credentials.Value{ | ||
AccessKeyID: "key_id", | ||
SecretAccessKey: "secret_key", | ||
SessionToken: "session_token", | ||
}, | ||
errChecker: IsNil, | ||
}, | ||
{ | ||
secret: &v1.Secret{ | ||
Type: "Opaque", | ||
}, | ||
expected: nil, | ||
errChecker: NotNil, | ||
}, | ||
{ | ||
secret: &v1.Secret{ | ||
Type: v1.SecretType(AWSSecretType), | ||
Data: map[string][]byte{ | ||
AWSSecretAccessKey: []byte("secret_key"), | ||
}, | ||
}, | ||
expected: nil, | ||
errChecker: NotNil, | ||
}, | ||
{ | ||
secret: &v1.Secret{ | ||
Type: v1.SecretType(AWSSecretType), | ||
Data: map[string][]byte{ | ||
AWSAccessKeyID: []byte("key_id"), | ||
}, | ||
}, | ||
expected: nil, | ||
errChecker: NotNil, | ||
}, | ||
{ | ||
secret: &v1.Secret{ | ||
Type: v1.SecretType(AWSSecretType), | ||
Data: map[string][]byte{ | ||
AWSAccessKeyID: []byte("key_id"), | ||
AWSSecretAccessKey: []byte("secret_key"), | ||
"ExtraField": []byte("extra_value"), | ||
}, | ||
}, | ||
expected: nil, | ||
errChecker: NotNil, | ||
}, | ||
} | ||
for _, tc := range tcs { | ||
creds, err := ExtractAWSCredentials(tc.secret) | ||
c.Check(creds, DeepEquals, tc.expected) | ||
c.Check(err, tc.errChecker) | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
package secrets | ||
|
||
import ( | ||
"testing" | ||
|
||
. "gopkg.in/check.v1" | ||
) | ||
|
||
func Test(t *testing.T) { TestingT(t) } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[minor] do these need to be exported?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not needed right now. However I think some Kanister package sure can use this value to validate their own input.