Skip to content

Commit

Permalink
Default STS region to global for WebIdentity
Browse files Browse the repository at this point in the history
Updates the STS client region for WebIdentity role assumption to fall
back to global if no region is provided for the managed resource being
reconciled. This matches the existing behavior in the STS client
construction for assuming a role via chaining.

Signed-off-by: hasheddan <[email protected]>
  • Loading branch information
hasheddan committed Mar 7, 2023
1 parent eeaec8b commit 94b7746
Showing 1 changed file with 12 additions and 7 deletions.
19 changes: 12 additions & 7 deletions internal/clients/provider_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,16 @@ func CredentialsIDSecret(data []byte, profile string) (aws.Credentials, error) {
// AuthMethod is a method of authenticating to the AWS API
type AuthMethod func(context.Context, []byte, string, string) (*aws.Config, error)

// stsRegionOrDefault sets the STS client region to the passed region, or
// defaults to the global region.
func stsRegionOrDefault(region string) func(*sts.Options) {
return func(o *sts.Options) {
if region == "" {
o.Region = GlobalRegion
}
}
}

// UseProviderSecret - AWS configuration which can be used to issue requests against AWS API
func UseProviderSecret(ctx context.Context, data []byte, profile, region string) (*aws.Config, error) {
creds, err := CredentialsIDSecret(data, profile)
Expand All @@ -264,14 +274,9 @@ func UseProviderSecret(ctx context.Context, data []byte, profile, region string)
// AssumeRoleWithWebIdentity & AssumeRoles.
func GetRoleChainConfig(ctx context.Context, pcs *v1beta1.ProviderConfigSpec, cfg *aws.Config) (*aws.Config, error) {
pCfg := cfg
regionOpt := func(o *sts.Options) {
if cfg.Region == "" {
o.Region = GlobalRegion
}
}
for _, aro := range pcs.AssumeRoleChain {
stsAssume := stscreds.NewAssumeRoleProvider(
sts.NewFromConfig(*pCfg, regionOpt), //nolint:contextcheck
sts.NewFromConfig(*pCfg, stsRegionOrDefault(cfg.Region)), //nolint:contextcheck
aws.ToString(aro.RoleARN),
SetAssumeRoleOptions(aro),
)
Expand All @@ -292,7 +297,7 @@ func GetRoleChainConfig(ctx context.Context, pcs *v1beta1.ProviderConfigSpec, cf
// GetAssumeRoleWithWebIdentityConfig returns an aws.Config capable of doing
// AssumeRoleWithWebIdentity.
func GetAssumeRoleWithWebIdentityConfig(ctx context.Context, cfg *aws.Config, webID v1beta1.AssumeRoleWithWebIdentityOptions, tokenFile string) (*aws.Config, error) {
stsclient := sts.NewFromConfig(*cfg) //nolint:contextcheck
stsclient := sts.NewFromConfig(*cfg, stsRegionOrDefault(cfg.Region)) //nolint:contextcheck
awsConfig, err := config.LoadDefaultConfig(
ctx,
userAgentV2,
Expand Down

0 comments on commit 94b7746

Please sign in to comment.