package scalers
import (
"context"
"errors"
"fmt"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/sts"
)
var (
	// ErrAwsNoAccessKey is the sentinel returned by getAwsAuthorization when
	// pod identity is selected but no awsAccessKeyID could be resolved from
	// the trigger metadata or the pod environment.
	ErrAwsNoAccessKey = errors.New("awsAccessKeyID not found")
)
// awsAuthorizationMetadata describes which AWS identity a scaler uses and
// the credential material getAwsConfig needs to build it.
type awsAuthorizationMetadata struct {
	// awsRoleArn, when non-empty, is assumed through STS on top of the
	// credentials already present in the config.
	awsRoleArn string
	// awsAccessKeyID and awsSecretAccessKey form a static key pair; both must
	// be set for getAwsConfig to install a static credentials provider.
	awsAccessKeyID     string
	awsSecretAccessKey string
	// awsSessionToken is the optional token accompanying temporary static
	// credentials; it is only populated from authParams.
	awsSessionToken string
	// podIdentityOwner is true when the pod (trigger) supplies credentials
	// and false when the operator's own identity is used; in the latter
	// case the fields above are ignored.
	podIdentityOwner bool
}
// awsConfigMetadata bundles the inputs of getAwsConfig.
type awsConfigMetadata struct {
	// awsRegion is passed to config.WithRegion.
	awsRegion string
	// awsEndpoint is a custom endpoint; NOTE(review): it is stored but not
	// applied to the config inside getAwsConfig — confirm where it is used.
	awsEndpoint string
	// awsAuthorization selects the identity and credentials.
	awsAuthorization awsAuthorizationMetadata
}
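// getAwsConfig builds the AWS SDK configuration used by the AWS scalers.
//
// The default credential chain is always loaded for awsRegion. When the pod
// owns the identity (awsAuthorization.podIdentityOwner), explicit material
// from awsAuthorization overrides it: a static key pair (together with its
// session token, when one was supplied) and/or an STS AssumeRole on
// awsRoleArn. When the operator owns the identity the default chain is
// returned untouched.
//
// NOTE(review): awsEndpoint is recorded in the local metadata but is not
// applied to the returned config here — confirm the caller handles it.
//
// Returns the loaded configuration, or the error from
// config.LoadDefaultConfig.
func getAwsConfig(awsRegion string, awsEndpoint string, awsAuthorization awsAuthorizationMetadata) (*aws.Config, error) {
	ctx := context.TODO()
	metadata := &awsConfigMetadata{
		awsRegion:        awsRegion,
		awsEndpoint:      awsEndpoint,
		awsAuthorization: awsAuthorization,
	}

	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(metadata.awsRegion))
	if err != nil {
		return nil, err
	}

	auth := metadata.awsAuthorization
	// Operator identity: keep whatever the default chain resolved.
	if !auth.podIdentityOwner {
		return &cfg, nil
	}

	if auth.awsAccessKeyID != "" && auth.awsSecretAccessKey != "" {
		// The session token must travel with the key pair: temporary
		// credentials are not usable without it, and getAwsAuthorization
		// populates it from authParams.
		static := credentials.NewStaticCredentialsProvider(auth.awsAccessKeyID, auth.awsSecretAccessKey, auth.awsSessionToken)
		cfg.Credentials = aws.NewCredentialsCache(static)
	}

	if auth.awsRoleArn != "" {
		// The STS client is built from cfg as it stands here (default chain or
		// the static keys above) and exchanges those credentials for the role's.
		stsSvc := sts.NewFromConfig(cfg)
		cfg.Credentials = aws.NewCredentialsCache(stscreds.NewAssumeRoleProvider(stsSvc, auth.awsRoleArn))
	}

	return &cfg, nil
}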
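// getAwsAuthorization resolves which AWS identity a scaler should use from
// the TriggerAuthentication params (authParams), the trigger metadata and the
// resolved pod environment (resolvedEnv).
//
// metadata["identityOwner"] selects the owner:
//   - "operator": the operator's own identity is used and no credentials
//     are read from the inputs.
//   - "" or "pod" (the default): credentials come, in order of precedence,
//     from authParams (awsRoleArn; else awsAccessKeyID/awsAccessKeyId with
//     awsSecretAccessKey and an optional awsSessionToken) and otherwise from
//     metadata (awsAccessKeyID or awsAccessKeyIDFromEnv, and
//     awsSecretAccessKeyFromEnv resolved through resolvedEnv).
//
// Returns ErrAwsNoAccessKey or an "awsSecretAccessKey not found" error when
// pod identity is selected but no usable key pair could be found, and an
// error for any identityOwner value other than the ones listed above.
func getAwsAuthorization(authParams, metadata, resolvedEnv map[string]string) (awsAuthorizationMetadata, error) {
	meta := awsAuthorizationMetadata{}

	switch owner := metadata["identityOwner"]; owner {
	case "operator":
		meta.podIdentityOwner = false
		return meta, nil
	case "", "pod":
		meta.podIdentityOwner = true
	default:
		// Reject unknown values instead of silently treating them as operator
		// identity: a typo must not change whose credentials are used.
		return meta, fmt.Errorf("unknown identityOwner %q, expected \"pod\" or \"operator\"", owner)
	}

	switch {
	case authParams["awsRoleArn"] != "":
		meta.awsRoleArn = authParams["awsRoleArn"]
	case awsAccessKeyIDFromAuthParams(authParams) != "" && authParams["awsSecretAccessKey"] != "":
		meta.awsAccessKeyID = awsAccessKeyIDFromAuthParams(authParams)
		meta.awsSecretAccessKey = authParams["awsSecretAccessKey"]
		meta.awsSessionToken = authParams["awsSessionToken"]
	default:
		// Fall back to the trigger metadata. The access key may be inline or
		// come from the environment; the secret is only ever read from the
		// environment (presumably so it never sits inline in the trigger —
		// confirm against the docs).
		meta.awsAccessKeyID = metadata["awsAccessKeyID"]
		if meta.awsAccessKeyID == "" && metadata["awsAccessKeyIDFromEnv"] != "" {
			meta.awsAccessKeyID = resolvedEnv[metadata["awsAccessKeyIDFromEnv"]]
		}
		if meta.awsAccessKeyID == "" {
			return meta, ErrAwsNoAccessKey
		}
		if metadata["awsSecretAccessKeyFromEnv"] != "" {
			meta.awsSecretAccessKey = resolvedEnv[metadata["awsSecretAccessKeyFromEnv"]]
		}
		if meta.awsSecretAccessKey == "" {
			return meta, errors.New("awsSecretAccessKey not found")
		}
	}

	return meta, nil
}

// awsAccessKeyIDFromAuthParams returns the access key ID from authParams,
// preferring "awsAccessKeyID" and accepting the alternate spelling
// "awsAccessKeyId" as a fallback.
func awsAccessKeyIDFromAuthParams(authParams map[string]string) string {
	if id := authParams["awsAccessKeyID"]; id != "" {
		return id
	}
	return authParams["awsAccessKeyId"]
}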