Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

imghelper: hoist AWS vars into global environment #340

Merged
merged 1 commit into from
Jul 31, 2024

Conversation

cbgbt
Copy link
Contributor

@cbgbt cbgbt commented Jul 30, 2024

When secure boot signing was refactored in 310cadd, the code that exports AWS credential variables into the global environment was moved into a bash function.

When used in a bash function, the declare keyword makes the declared symbol local, unless the -g option is also supplied. This adds the -g option to export the variables into the caller's environment as intended.

Testing done:
Prior to this change, attempting to build with an AWS secureboot profile resulted in this error:

  10.46 AWS_KMS: Configured slots:
  10.46 AWS_KMS:   arn:aws:kms:us-west-2:REDACTED/shim-sign-key/gen-2023
  10.46 AWS_KMS:   arn:aws:kms:us-west-2:REDACTED/code-sign-key/gen-2023
  10.46 AWS_KMS:   arn:aws:kms:us-west-2:REDACTED/config-sign-key/gen-2023
  10.46 AWS_KMS: Getting public key for key arn:aws:kms:us-west-2:REDACTED/shim-sign-key/gen-2023
  10.46 AWS_KMS: Got error from AWS fetching public key for key id arn:aws:kms:us-west-2:REDACTED/shim-sign-key/gen-2023: User: arn:aws:sts:REDACTED is not authorized to perform: kms:GetPublicKey on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access
  10.46 AWS_KMS: Getting public key for key arn:aws:kms:us-west-2:REDACTED/code-sign-key/gen-2023
  10.46 AWS_KMS: Got error from AWS fetching public key for key id arn:aws:kms:us-west-2:REDACTED/code-sign-key/gen-2023: User: arn:aws:sts::REDACTED is not authorized to perform: kms:GetPublicKey on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access
  10.46 AWS_KMS: Getting public key for key arn:aws:kms:us-west-2:REDACTED/config-sign-key/gen-2023
  10.46 AWS_KMS: Got error from AWS fetching public key for key id arn:aws:kms:us-west-2:REDACTED/config-sign-key/gen-2023: User: arn:aws:sts::REDACTED is not authorized to perform: kms:GetPublicKey on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access

After this change, the build successfully retrieved the needed credentials and completed secureboot signing.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@cbgbt cbgbt requested review from bcressey, jmt-lab and rpkelly July 30, 2024 23:30
When secure boot signing was refactored in 310cadd, the code that
exports AWS credential variables into the global environment was moved
into a bash function.

When used in a bash function, the `declare` keyword makes the declared
symbol local, unless the -g option is also supplied. This adds the -g
option to export the variables into the caller's environment as
intended.
@cbgbt cbgbt merged commit 8f074da into bottlerocket-os:develop Jul 31, 2024
1 check passed
@cbgbt cbgbt deleted the i-do-declare branch July 31, 2024 02:04
@gthao313 gthao313 mentioned this pull request Aug 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants