Release 1.11.0

CHANGELOG.md

@@ -1,5 +1,18 @@
 # CHANGELOG
 
+## 1.11.0
+
+### Content
+
+#### Features
+
+* Trusted Profile Authentication Support for Compute Resources.
+
+#### Defect Fixes
+
+* Update dependencies
+* Support for Golang 1.22.0
+
 ## 1.10.3
 
 ### Content

aws/credentials/ibmiam/common.go

@@ -125,15 +125,10 @@ func (p *Provider) Retrieve() (credentials.Value, error) {
  var returnErr error
  if p.logLevel.Matches(aws.LogDebug) {
  p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, "ERROR ON GET", err)
- returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", err)
- } else {
- returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", nil)
  }
+ returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", err)
  return credentials.Value{}, returnErr
  }
- if p.logLevel.Matches(aws.LogDebug) {
- p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, "GET TOKEN", tokenValue)
- }
 
  return credentials.Value{Token: *tokenValue, ProviderName: p.providerName, ProviderType: p.providerType,
  ServiceInstanceID: p.serviceInstanceID}, nil

aws/credentials/ibmiam/env_provider_trusted_profile.go

@@ -0,0 +1,36 @@
+package ibmiam
+
+import (
+ "os"
+
+ "github.com/IBM/ibm-cos-sdk-go/aws"
+ "github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+)
+
+// EnvProviderName name of the IBM IAM provider that loads IAM trusted profile
+// credentials from environment variables
+const EnvProviderTrustedProfileName = "EnvProviderTrustedProfileIBM"
+
+// NewEnvProvider constructor of the IBM IAM provider that loads IAM trusted profile
+// credentials from environment variables
+// Parameter:
+//
+// AWS Config
+//
+// Returns:
+//
+// A new provider with AWS config, Trusted Profile ID, CR token file path, IBM IAM Authentication Server Endpoint and
+// Service Instance ID
+func NewEnvProviderTrustedProfile(config *aws.Config) *TrustedProfileProvider {
+ trustedProfileID := os.Getenv("TRUSTED_PROFILE_ID")
+ serviceInstanceID := os.Getenv("IBM_SERVICE_INSTANCE_ID")
+ crTokenFilePath := os.Getenv("CR_TOKEN_FILE_PATH")
+ authEndPoint := os.Getenv("IBM_AUTH_ENDPOINT")
+
+ return NewTrustedProfileProvider(EnvProviderTrustedProfileName, config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID, "CR")
+}
+
+// NewEnvCredentials Constructor
+func NewEnvCredentialsTrustedProfile(config *aws.Config) *credentials.Credentials {
+ return credentials.NewCredentials(NewEnvProviderTrustedProfile(config))
+}

aws/credentials/ibmiam/iamcreds_file_utils.go

@@ -0,0 +1,25 @@
+package ibmiam
+
+import (
+ "os"
+
+ "github.com/IBM/ibm-cos-sdk-go/aws/awserr"
+)
+
+// Helper function to check whether both api-key and trusted-profile-id are set
+// in environment variables.
+//
+// Returns:
+//
+// Error if both apiKey and trustedProfileID are set, nil if only either of them is set.
+func CheckForConflictingIamCredentials() error {
+ apiKey := os.Getenv("IBM_API_KEY_ID")
+ trustedProfileID := os.Getenv("TRUSTED_PROFILE_ID")
+
+ if apiKey != "" && trustedProfileID != "" {
+ return awserr.New("InvalidCredentials",
+ `only one of ApiKey or TrustedProfileID should be set, not both`,
+ nil)
+ }
+ return nil
+}

aws/credentials/ibmiam/trusted_profile.go

@@ -0,0 +1,158 @@
+package ibmiam
+
+import (
+ "github.com/IBM/go-sdk-core/v5/core"
+ "github.com/IBM/ibm-cos-sdk-go/aws"
+ "github.com/IBM/ibm-cos-sdk-go/aws/awserr"
+ "github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+ "github.com/IBM/ibm-cos-sdk-go/aws/credentials/ibmiam/token"
+)
+
+// Provider Struct
+type TrustedProfileProvider struct {
+ // Name of Provider
+ providerName string
+
+ // Type of Provider - SharedCred, SharedConfig, etc.
+ providerType string
+
+ // Authenticator instance, will be assigned dynamically
+ authenticator core.Authenticator
+
+ // Service Instance ID passes in a provider
+ serviceInstanceID string
+
+ // Error
+ ErrorStatus error
+
+ // Logger attributes
+ logger aws.Logger
+ logLevel *aws.LogLevelType
+}
+
+// NewTrustedProfileProvider allows the creation of a custom IBM IAM Trusted Profile Provider
+// Parameters:
+//
+// Provider Name
+// AWS Config
+// Trusted Profile ID
+// CR token file path
+// IBM IAM Authentication Server Endpoint
+// Service Instance ID
+// Resource type
+//
+// Returns:
+//
+// TrustedProfileProvider
+func NewTrustedProfileProvider(providerName string, config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string,
+ serviceInstanceID string, resourceType string) (provider *TrustedProfileProvider) {
+ provider = new(TrustedProfileProvider)
+
+ provider.providerName = providerName
+ provider.providerType = "oauth"
+
+ logLevel := aws.LogLevel(aws.LogOff)
+ if config != nil && config.LogLevel != nil && config.Logger != nil {
+ logLevel = config.LogLevel
+ provider.logger = config.Logger
+ }
+ provider.logLevel = logLevel
+
+ if crTokenFilePath == "" {
+ provider.ErrorStatus = awserr.New("crTokenFilePathNotFound", "CR Token file path not found", nil)
+ if provider.logLevel.Matches(aws.LogDebug) {
+ provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+ }
+ return
+ }
+
+ if trustedProfileID == "" {
+ provider.ErrorStatus = awserr.New("trustedProfileIDNotFound", "Trusted profile id not found", nil)
+ if provider.logLevel.Matches(aws.LogDebug) {
+ provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+ }
+ return
+ }
+
+ provider.serviceInstanceID = serviceInstanceID
+
+ if authEndPoint == "" {
+ authEndPoint = defaultAuthEndPoint
+ if provider.logLevel.Matches(aws.LogDebug) {
+ provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", "using default auth endpoint", authEndPoint)
+ }
+ }
+
+ // This authenticator is dynamically initialized based on the resourceType parameter.
+ // Since only cr-token based resources is supported now, it is initialized directly.
+ // when other resources are supported, the authenticator should be initialized accordingly.
+ authenticator, err := core.NewContainerAuthenticatorBuilder().
+ SetCRTokenFilename(crTokenFilePath).
+ SetIAMProfileID(trustedProfileID).
+ SetURL(authEndPoint).
+ SetDisableSSLVerification(true).
+ Build()
+ if err != nil {
+ provider.ErrorStatus = awserr.New("errCreatingAuthenticatorClient", "cannot setup new Authenticator client", err)
+ if provider.logLevel.Matches(aws.LogDebug) {
+ provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+ }
+ return
+ }
+ provider.authenticator = authenticator
+
+ return provider
+}
+
+// IsValid ...
+// Returns:
+//
+// TrustedProfileProvider validation - boolean
+func (p *TrustedProfileProvider) IsValid() bool {
+ return nil == p.ErrorStatus
+}
+
+// Retrieve ...
+// Returns:
+//
+// Credential values
+// Error
+func (p *TrustedProfileProvider) Retrieve() (credentials.Value, error) {
+ if p.ErrorStatus != nil {
+ if p.logLevel.Matches(aws.LogDebug) {
+ p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, p.ErrorStatus)
+ }
+ return credentials.Value{ProviderName: p.providerName}, p.ErrorStatus
+ }
+
+ // The respective resourceTypes's class should be called based on the resourceType parameter.
+ // Since only cr-token based resources is supported now, it is assigned to ContainerAuthenticator
+ // directly. when other resource types are supported, the respective class should be used accordingly.
+ tokenValue, err := p.authenticator.(*core.ContainerAuthenticator).GetToken()
+
+ if err != nil {
+ var returnErr error
+ if p.logLevel.Matches(aws.LogDebug) {
+ p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, "ERROR ON GET", err)
+ }
+ returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", err)
+ return credentials.Value{}, returnErr
+ }
+
+ return credentials.Value{
+ Token: token.Token{
+ AccessToken: tokenValue,
+ TokenType: "Bearer",
+ },
+ ProviderName: p.providerName,
+ ProviderType: p.providerType,
+ ServiceInstanceID: p.serviceInstanceID,
+ }, nil
+}
+
+// IsExpired ...
+//
+// TrustedProfileProvider expired or not - boolean
+func (p *TrustedProfileProvider) IsExpired() bool {
+ return true
+}

aws/credentials/ibmiam/trusted_profile_provider.go

@@ -0,0 +1,31 @@
+package ibmiam
+
+import (
+ "github.com/IBM/ibm-cos-sdk-go/aws"
+ "github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+)
+
+type ResourceType string
+
+// TrustedProfileProviderName name of the IBM IAM provider that uses IAM trusted-profile
+// details passed directly
+const (
+ TrustedProfileProviderName = "TrustedProfileProviderIBM"
+ ResourceComputeResource ResourceType = "CR"
+)
+
+// NewTrustedProfileProviderWithCR constructor of the IBM IAM provider that uses IAM trusted-profile
+// details passed
+// Returns: New TrustedProfileProvider (AWS type)
+func NewTrustedProfileProviderCR(config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string, serviceInstanceID string) *TrustedProfileProvider {
+ // Resource type ResourceComputeResource is passed to identify that this is a CR-token based
+ // resource.
+ return NewTrustedProfileProvider(TrustedProfileProviderName, config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID, string(ResourceComputeResource))
+}
+
+// NewTrustedProfileCredentials constructor for IBM IAM that uses IAM trusted-profile
+// credentials passed
+// Returns: credentials.NewCredentials(newTrustedProfileProvider()) (AWS type)
+func NewTrustedProfileCredentialsCR(config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string, serviceInstanceID string) *credentials.Credentials {
+ return credentials.NewCredentials(NewTrustedProfileProviderCR(config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID))
+}

aws/session/session.go

@@ -553,7 +553,6 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
  // Configure credentials if not already set by the user when creating the
  // Session.
  if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
- // IBM COS SDK Code -- START
  if iBmIamCreds := getIBMIAMCredentials(userCfg); iBmIamCreds != nil {
  cfg.Credentials = iBmIamCreds
  } else {
@@ -601,6 +600,10 @@ func getIBMIAMCredentials(config *aws.Config) *credentials.Credentials {
  return credentials.NewCredentials(provider)
  }
 
+ if provider := ibmiam.NewEnvProviderTrustedProfile(config); provider.IsValid() {
+ return credentials.NewCredentials(provider)
+ }
+
  if provider := ibmiam.NewSharedCredentialsProvider(config, "", ""); provider.IsValid() {
  return credentials.NewCredentials(provider)
  }

aws/version.go

@@ -7,6 +7,6 @@ package aws
 const SDKName = "ibm-cos-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.10.3"
+const SDKVersion = "1.11.0"
 
 // IBM COS SDK Code -- END

go.mod

@@ -1,15 +1,33 @@
 module github.com/IBM/ibm-cos-sdk-go
 
 require (
+ github.com/IBM/go-sdk-core/v5 v5.17.3
  github.com/jmespath/go-jmespath v0.4.0
  github.com/stretchr/testify v1.9.0
- golang.org/x/net v0.24.0
+ golang.org/x/net v0.26.0
 )
 
 require (
+ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
  github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+ github.com/go-openapi/errors v0.21.0 // indirect
+ github.com/go-openapi/strfmt v0.22.1 // indirect
+ github.com/go-playground/locales v0.14.1 // indirect
+ github.com/go-playground/universal-translator v0.18.1 // indirect
+ github.com/go-playground/validator/v10 v10.19.0 // indirect
+ github.com/google/uuid v1.6.0 // indirect
+ github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+ github.com/leodido/go-urn v1.4.0 // indirect
+ github.com/mitchellh/mapstructure v1.5.0 // indirect
+ github.com/oklog/ulid v1.3.1 // indirect
  github.com/pmezard/go-difflib v1.0.0 // indirect
- golang.org/x/text v0.14.0 // indirect
+ go.mongodb.org/mongo-driver v1.14.0 // indirect
+ golang.org/x/crypto v0.24.0 // indirect
+ golang.org/x/sys v0.21.0 // indirect
+ golang.org/x/text v0.16.0 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
  gopkg.in/yaml.v3 v3.0.1 // indirect
 )