Ishtiaq bhai told to removed credential provider chain for pod identity
Signed-off-by: Anisur Rahman <anisur@appscode.com>
anisurrahman75 committed Dec 18, 2024
1 parent 8f481a8 commit 3d7a545
Showing 1 changed file with 22 additions and 43 deletions.
65 changes: 22 additions & 43 deletions pkg/blob/blob.go
Expand Up @@ -28,12 +28,7 @@ import (
"strings"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
"gocloud.dev/blob"
_ "gocloud.dev/blob/azureblob"
_ "gocloud.dev/blob/fileblob"
Expand Down Expand Up @@ -63,8 +58,6 @@ const (
caCertData = "CA_CERT_DATA"
awsAccessKeyId = "AWS_ACCESS_KEY_ID"
awsSecretAccessKey = "AWS_SECRET_ACCESS_KEY"
awsRoleArn = "AWS_ROLE_ARN"
awsWebIdentityTokenFile = "AWS_WEB_IDENTITY_TOKEN_FILE"
)

type Blob struct {
Expand Down Expand Up @@ -203,6 +196,25 @@ func setAzureCredentialsToEnv(secret *v1.Secret) error {
return nil
}

func setS3CredentialsToEnv(secret *v1.Secret) error {
if val, ok := secret.Data[awsAccessKeyId]; !ok {
return fmt.Errorf("storage secret missing %s key", awsAccessKeyId)
} else {
if err := os.Setenv(awsAccessKeyId, string(val)); err != nil {
return err
}
}

if val, ok := secret.Data[awsSecretAccessKey]; !ok {
return fmt.Errorf("storage secret missing %s key", awsSecretAccessKey)
} else {
if err := os.Setenv(awsSecretAccessKey, string(val)); err != nil {
return err
}
}
return nil
}

func writeDataIntoFile(filePath string, val []byte) error {
dir, _ := path.Split(filePath)
if _, err := os.Stat(dir); os.IsNotExist(err) {
Expand Down Expand Up @@ -422,51 +434,18 @@ func closeBucket(ctx context.Context, bucket *blob.Bucket) {
}

func (b *Blob) getS3Session() (*session.Session, error) {
var providers []credentials.Provider

// if static credential is provided, use that
if b.backupStorage.Spec.Storage.S3.SecretName != "" {
id, ok := b.s3Secret.Data[awsAccessKeyId]
if !ok {
return nil, fmt.Errorf("storage secret %s/%s missing %s key", b.s3Secret.Namespace, b.s3Secret.Name, awsAccessKeyId)
}
key, ok := b.s3Secret.Data[awsSecretAccessKey]
if !ok {
return nil, fmt.Errorf("storage Secret %s/%s missing %s key", b.s3Secret.Namespace, b.s3Secret.Name, awsSecretAccessKey)
}
providers = []credentials.Provider{&credentials.StaticProvider{Value: credentials.Value{
AccessKeyID: string(id),
SecretAccessKey: string(key),
SessionToken: "",
}}}
} else {
providers = []credentials.Provider{
&credentials.EnvProvider{},
&credentials.SharedCredentialsProvider{
Filename: "",
Profile: "",
},
// Required for IRSA
stscreds.NewWebIdentityRoleProviderWithOptions(
sts.New(session.Must(session.NewSession(aws.NewConfig().
WithRegion("us-east-1")))),
os.Getenv(awsRoleArn),
"",
stscreds.FetchTokenPath(os.Getenv(awsWebIdentityTokenFile)),
),
&ec2rolecreds.EC2RoleProvider{
Client: ec2metadata.New(session.Must(session.NewSession(aws.NewConfig().
WithRegion("us-east-1")))),
},
if err := setS3CredentialsToEnv(b.s3Secret); err != nil {
return nil, err
}
}

config := aws.NewConfig().
WithRegion(b.backupStorage.Spec.Storage.S3.Region).
WithCredentialsChainVerboseErrors(true).
WithEndpoint(b.backupStorage.Spec.Storage.S3.Endpoint).
WithS3ForcePathStyle(true).
WithCredentials(credentials.NewChainCredentials(providers))
WithS3ForcePathStyle(true)

if b.backupStorage.Spec.Storage.S3.SecretName != "" {
if caCert := b.s3Secret.Data[caCertData]; len(caCert) > 0 || b.backupStorage.Spec.Storage.S3.InsecureTLS {
Expand Down
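Review bot: Writing the secret's keys into the process environment with os.Setenv in setS3CredentialsToEnv (third hunk) makes them process-global and nothing ever clears them, so a later getS3Session call for a storage with an empty SecretName — which is meant to fall through to pod identity — will still pick them up, because the SDK's default credential chain consults the environment before the container or web-identity providers; two storages backed by different secrets could also clobber each other if sessions are built concurrently, which I cannot rule out from this hunk. The env provider additionally pairs those static keys with whatever AWS_SESSION_TOKEN may already be in the environment. Keeping the static credentials scoped to the session avoids all of this: `WithCredentials(credentials.NewStaticCredentials(string(id), string(key), ""))` on the config in the last hunk, with the `credentials` import restored and the Setenv helper dropped. If the env route is kept on purpose, the two error messages in setS3CredentialsToEnv should carry the secret's namespace and name as the removed code did, and the `else` after a returning `if` can be flattened to early returns. getS3Session continues past the end of the last hunk.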
