AWS: Adding Webidentityprovider (#676)

* Support webidentityprovider auth * Add STS as a provider in chain * Add webidentity iota after chained to avoid breaking --------- Co-authored-by: Dag Wullt <dag@wullt.net>
rwynn · Apr 10, 2023 · ed4923a · ed4923a
1 parent 9d50aff
commit ed4923a
Showing 1 changed file with 34 additions and 17 deletions.
diff --git a/monstache.go b/monstache.go
@@ -34,7 +34,10 @@ import (
 
 	"github.com/BurntSushi/toml"
 	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/defaults"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/coreos/go-systemd/daemon"
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/fsnotify/fsnotify"
@@ -107,6 +110,7 @@ const (
 	awsCredentialStrategyEnv
 	awsCredentialStrategyEndpoint
 	awsCredentialStrategyChained
+	awsWebIdentityStrategy
 )
 
 type deleteStrategy int
@@ -2934,28 +2938,41 @@ func (config *configOptions) NewHTTPClient() (client *http.Client, err error) {
 	}
 	if config.AWSConnect.enabled() {
 		var creds *credentials.Credentials
+		var providers []credentials.Provider
 		if config.AWSConnect.Strategy == awsCredentialStrategyStatic {
 			creds = credentials.NewStaticCredentials(config.AWSConnect.AccessKey, config.AWSConnect.SecretKey, "")
-		} else if config.AWSConnect.Strategy == awsCredentialStrategyFile {
-			creds = credentials.NewCredentials(&credentials.SharedCredentialsProvider{
-				Filename: config.AWSConnect.CredentialsFile,
-				Profile:  config.AWSConnect.Profile,
-			})
-		} else if config.AWSConnect.Strategy == awsCredentialStrategyEnv {
-			creds = credentials.NewCredentials(&credentials.EnvProvider{})
-		} else if config.AWSConnect.Strategy == awsCredentialStrategyEndpoint {
-			creds = credentials.NewCredentials(defaults.RemoteCredProvider(*defaults.Config(), defaults.Handlers()))
-		} else if config.AWSConnect.Strategy == awsCredentialStrategyChained {
-			creds = credentials.NewChainCredentials([]credentials.Provider{
-				&credentials.EnvProvider{},
-				&credentials.SharedCredentialsProvider{
+		} else {
+			if config.AWSConnect.Strategy == awsCredentialStrategyEnv || config.AWSConnect.Strategy == awsCredentialStrategyChained {
+				providers = append(providers, &credentials.EnvProvider{})
+			}
+			if config.AWSConnect.Strategy == awsCredentialStrategyFile || config.AWSConnect.Strategy == awsCredentialStrategyChained {
+				providers = append(providers, &credentials.SharedCredentialsProvider{
 					Filename: config.AWSConnect.CredentialsFile,
 					Profile:  config.AWSConnect.Profile,
-				},
-				defaults.RemoteCredProvider(*defaults.Config(), defaults.Handlers()),
-			})
+				})
+			}
+			if config.AWSConnect.Strategy == awsCredentialStrategyEndpoint || config.AWSConnect.Strategy == awsCredentialStrategyChained {
+				providers = append(providers, defaults.RemoteCredProvider(*defaults.Config(), defaults.Handlers()))
+			}
+			if config.AWSConnect.Strategy == awsWebIdentityStrategy || config.AWSConnect.Strategy == awsCredentialStrategyChained {
+				// Create a new session using the default AWS configuration
+				sess, err := session.NewSession()
+				if err != nil {
+					return nil, err
+				}
+				// Create a new STS client using the session
+				stsClient := sts.New(sess)
+				// Assume the IAM role associated with the pod using STS
+				roleProvider := stscreds.NewWebIdentityRoleProviderWithOptions(
+					stsClient,
+					os.Getenv("AWS_ROLE_ARN"),
+					"monstache",
+					stscreds.FetchTokenPath(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")),
+				)
+				providers = append(providers, roleProvider)
+			}
 		}
-		config.AWSConnect.creds = creds
+		config.AWSConnect.creds = credentials.NewChainCredentials(providers)
 		client = aws.NewV4SigningClientWithHTTPClient(creds, config.AWSConnect.Region, client)
 	}
 	return client, err