From 94b774687cf1ca19e172e8218165dc4b1ca26a90 Mon Sep 17 00:00:00 2001
From: hasheddan
Date: Tue, 7 Mar 2023 08:22:14 -0500
Subject: [PATCH] Default STS region to global for WebIdentity

Updates the STS client region for WebIdentity role assumption to fall back to global if no region is provided for the managed resource being reconciled. This matches the existing behavior in the STS client construction for assuming a role via chaining.

Signed-off-by: hasheddan
---
 internal/clients/provider_config.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/internal/clients/provider_config.go b/internal/clients/provider_config.go
index ad93d41f22..75fd7dc25f 100644
--- a/internal/clients/provider_config.go
+++ b/internal/clients/provider_config.go
@@ -239,6 +239,16 @@ func CredentialsIDSecret(data []byte, profile string) (aws.Credentials, error) {
 // AuthMethod is a method of authenticating to the AWS API
 type AuthMethod func(context.Context, []byte, string, string) (*aws.Config, error)
 
+// stsRegionOrDefault sets the STS client region to the passed region, or
+// defaults to the global region.
+func stsRegionOrDefault(region string) func(*sts.Options) {
+	return func(o *sts.Options) {
+		if region == "" {
+			o.Region = GlobalRegion
+		}
+	}
+}
+
 // UseProviderSecret - AWS configuration which can be used to issue requests against AWS API
 func UseProviderSecret(ctx context.Context, data []byte, profile, region string) (*aws.Config, error) {
 	creds, err := CredentialsIDSecret(data, profile)
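Review bot: The doc comment on stsRegionOrDefault overstates what the option does — it never assigns the passed region; it only sets o.Region to GlobalRegion when the argument is empty, and a non-empty region is left to whatever the client was built from. Suggest `// stsRegionOrDefault returns an STS client option that falls back to GlobalRegion when region is empty; a non-empty region is left untouched.` Both call sites in this patch pass the Region of the same aws.Config the client is constructed from, so the guard could likely test `o.Region == ""` directly and drop the parameter, since sts.NewFromConfig seeds Options from that config before applying option functions — worth confirming against the SDK version pinned in go.mod before simplifying.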
@@ -264,14 +274,9 @@ func UseProviderSecret(ctx context.Context, data []byte, profile, region string)
 // AssumeRoleWithWebIdentity & AssumeRoles.
 func GetRoleChainConfig(ctx context.Context, pcs *v1beta1.ProviderConfigSpec, cfg *aws.Config) (*aws.Config, error) {
 	pCfg := cfg
-	regionOpt := func(o *sts.Options) {
-		if cfg.Region == "" {
-			o.Region = GlobalRegion
-		}
-	}
 	for _, aro := range pcs.AssumeRoleChain {
 		stsAssume := stscreds.NewAssumeRoleProvider(
-			sts.NewFromConfig(*pCfg, regionOpt), //nolint:contextcheck
+			sts.NewFromConfig(*pCfg, stsRegionOrDefault(cfg.Region)), //nolint:contextcheck
 			aws.ToString(aro.RoleARN),
 			SetAssumeRoleOptions(aro),
 		)
@@ -292,7 +297,7 @@ func GetRoleChainConfig(ctx context.Context, pcs *v1beta1.ProviderConfigSpec, cf
 // GetAssumeRoleWithWebIdentityConfig returns an aws.Config capable of doing
 // AssumeRoleWithWebIdentity.
 func GetAssumeRoleWithWebIdentityConfig(ctx context.Context, cfg *aws.Config, webID v1beta1.AssumeRoleWithWebIdentityOptions, tokenFile string) (*aws.Config, error) {
-	stsclient := sts.NewFromConfig(*cfg) //nolint:contextcheck
+	stsclient := sts.NewFromConfig(*cfg, stsRegionOrDefault(cfg.Region)) //nolint:contextcheck
 	awsConfig, err := config.LoadDefaultConfig(
 		ctx,
 		userAgentV2,
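Review bot: In the GetRoleChainConfig loop the fallback is decided from `cfg.Region`, the original config, while each chained STS client is built from `*pCfg`; if pCfg is reassigned on later iterations (the loop body continues past the hunk) the two can disagree, so a region carried by an intermediate config would be overridden to GlobalRegion whenever the original was empty, and an empty intermediate region would not be defaulted at all when the original was set. Passing `pCfg.Region` — or testing `o.Region == ""` inside the option — would key the fallback to the config actually in use. This mirrors the removed regionOpt, so the commit only relocates it; flagging in case the mismatch is unintentional.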
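Review bot: The new fallback in GetAssumeRoleWithWebIdentityConfig has no test: the diffstat shows only provider_config.go changed, so nothing pins that an empty cfg.Region produces an STS client targeting GlobalRegion while a non-empty region is preserved, which is the behavior the commit message promises. A small table test constructing the client with both an empty and a set Region and inspecting the resulting client options would guard this. Note that cfg.Region itself stays empty in the fallback case, so the config.LoadDefaultConfig call that follows still sees no region; whether that matters depends on the code after the hunk.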