From c8d900a1b24aa4f2cf175869eac9324ca4e35cc6 Mon Sep 17 00:00:00 2001
From: Fabian Martinez <46371672+famarting@users.noreply.github.com>
Date: Thu, 28 Nov 2024 13:54:30 +0100
Subject: [PATCH 1/2] fix get aws creds from environment

Signed-off-by: Fabian Martinez <46371672+famarting@users.noreply.github.com>
---
 common/authentication/aws/aws.go | 7 -----
 common/authentication/aws/static.go | 38 +++++++++++++++++-------
 common/authentication/aws/static_test.go | 8 ++++-
 common/authentication/aws/x509.go | 7 +++++
 4 files changed, 41 insertions(+), 19 deletions(-)

diff --git a/common/authentication/aws/aws.go b/common/authentication/aws/aws.go
index 0c03731509..e3685d0bd6 100644
--- a/common/authentication/aws/aws.go
+++ b/common/authentication/aws/aws.go
@@ -112,13 +112,6 @@ type Provider interface {
 Close() error
 }
 
-func isX509Auth(m map[string]string) bool {
- tp, _ := m["trustProfileArn"]
- ta, _ := m["trustAnchorArn"]
- ar, _ := m["assumeRoleArn"]
- return tp != "" && ta != "" && ar != ""
-}
-
 func NewProvider(ctx context.Context, opts Options, cfg *aws.Config) (Provider, error) {
 if isX509Auth(opts.Properties) {
 return newX509(ctx, opts, cfg)
diff --git a/common/authentication/aws/static.go b/common/authentication/aws/static.go
index 1972089fdf..a6a0f7ec3f 100644
--- a/common/authentication/aws/static.go
+++ b/common/authentication/aws/static.go
@@ -50,15 +50,7 @@ type StaticAuth struct {
 
 func newStaticIAM(_ context.Context, opts Options, cfg *aws.Config) (*StaticAuth, error) {
 auth := &StaticAuth{
- logger: opts.Logger,
- region: &opts.Region,
- endpoint: &opts.Endpoint,
- accessKey: &opts.AccessKey,
- secretKey: &opts.SecretKey,
- sessionToken: &opts.SessionToken,
- assumeRoleARN: &opts.AssumeRoleARN,
- sessionName: &opts.SessionName,
-
+ logger: opts.Logger,
 cfg: func() *aws.Config {
 // if nil is passed or it's just a default cfg,
 // then we use the options to build the aws cfg.
@@ -70,7 +62,29 @@ func newStaticIAM(_ context.Context, opts Options, cfg *aws.Config) (*StaticAuth
 clients: newClients(),
 }
 
- initialSession, err := auth.getTokenClient()
+ if opts.Region != "" {
+ auth.region = &opts.Region
+ }
+ if opts.Endpoint != "" {
+ auth.endpoint = &opts.Endpoint
+ }
+ if opts.AccessKey != "" {
+ auth.accessKey = &opts.AccessKey
+ }
+ if opts.SecretKey != "" {
+ auth.secretKey = &opts.SecretKey
+ }
+ if opts.SessionToken != "" {
+ auth.sessionToken = &opts.SessionToken
+ }
+ if opts.AssumeRoleARN != "" {
+ auth.assumeRoleARN = &opts.AssumeRoleARN
+ }
+ if opts.SessionName != "" {
+ auth.sessionName = &opts.SessionName
+ }
+
+ initialSession, err := auth.createSession()
 if err != nil {
 return nil, fmt.Errorf("failed to get token client: %v", err)
 }
@@ -243,7 +257,7 @@ func (a *StaticAuth) Kafka(opts KafkaOptions) (*KafkaClients, error) {
 return a.clients.kafka, nil
 }
 
-func (a *StaticAuth) getTokenClient() (*session.Session, error) {
+func (a *StaticAuth) createSession() (*session.Session, error) {
 var awsConfig *aws.Config
 if a.cfg == nil {
 awsConfig = aws.NewConfig()
@@ -264,6 +278,8 @@ func (a *StaticAuth) getTokenClient() (*session.Session, error) {
 awsConfig = awsConfig.WithEndpoint(*a.endpoint)
 }
 
+ // TODO support assume role for all aws components
+
 awsSession, err := session.NewSessionWithOptions(session.Options{
 Config: *awsConfig,
 SharedConfigState: session.SharedConfigEnable,
diff --git a/common/authentication/aws/static_test.go b/common/authentication/aws/static_test.go
index a1a17a093c..12bfe7b280 100644
--- a/common/authentication/aws/static_test.go
+++ b/common/authentication/aws/static_test.go
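Review bot: Populating `auth.accessKey` and `auth.secretKey` independently lets a half-configured component (only one of `accessKey`/`secretKey` supplied in the metadata) pass through silently: `createSession` installs static credentials only when both pointers are non-nil, so the missing half makes the session presumably fall back to the environment/shared-config chain with no signal to the operator, which is a credential-source surprise rather than a configuration error. I would reject that combination before `auth.createSession()` is reached: `if (opts.AccessKey != "") != (opts.SecretKey != "") { return nil, fmt.Errorf("accessKey and secretKey must be provided together") }`. The wrapping on the next line also still reads "failed to get token client" after the rename to `createSession`, and `%v` should be `%w` so callers can unwrap: `return nil, fmt.Errorf("creating aws session: %w", err)`. newStaticIAM starts above this hunk.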
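Review bot: The new `// TODO support assume role for all aws components` marks a gap with a permission consequence, not a nicety: `assumeRoleARN` is accepted by the options and stored on `StaticAuth`, but as far as the visible part of `createSession` shows it is never used there, and only the Kafka path consumes it, so any other component configured with an assume-role ARN silently keeps the base credentials' full permission set instead of the narrower role. The comment should say that so the next reader knows the downgrade is silent, e.g. `// TODO support assume role for all aws components: assumeRoleARN is currently honoured only by Kafka(); every other client built from this session runs with the base credentials.` Logging a warning from here when `a.assumeRoleARN != nil` would make the condition visible to operators, but the logger's API is outside this hunk. createSession starts above the hunk.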
@@ -53,11 +53,17 @@ func TestGetTokenClient(t *testing.T) {
 endpoint: aws.String("https://test.endpoint.com"),
 },
 },
+ {
+ name: "creds from environment",
+ awsInstance: &StaticAuth{
+ region: aws.String("us-west-2"),
+ },
+ },
 }
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- session, err := tt.awsInstance.getTokenClient()
+ session, err := tt.awsInstance.createSession()
 require.NotNil(t, session)
 require.NoError(t, err)
 assert.Equal(t, tt.awsInstance.region, session.Config.Region)
diff --git a/common/authentication/aws/x509.go b/common/authentication/aws/x509.go
index 1c6d6dcf0d..c049b97339 100644
--- a/common/authentication/aws/x509.go
+++ b/common/authentication/aws/x509.go
@@ -41,6 +41,13 @@ import (
 "github.com/dapr/kit/ptr"
 )
 
+func isX509Auth(m map[string]string) bool {
+ tp := m["trustProfileArn"]
+ ta := m["trustAnchorArn"]
+ ar := m["assumeRoleArn"]
+ return tp != "" && ta != "" && ar != ""
+}
+
 type x509Options struct {
 TrustProfileArn *string `json:"trustProfileArn" mapstructure:"trustProfileArn"`
 TrustAnchorArn *string `json:"trustAnchorArn" mapstructure:"trustAnchorArn"`

From 9b129036d5a5c67999c2a0306813222ddc13206d Mon Sep 17 00:00:00 2001
From: Fabian Martinez <46371672+famarting@users.noreply.github.com>
Date: Thu, 28 Nov 2024 16:03:33 +0100
Subject: [PATCH 2/2] fix nil session token

Signed-off-by: Fabian Martinez <46371672+famarting@users.noreply.github.com>
---
 common/authentication/aws/static.go | 14 +++++++-------
 common/authentication/aws/static_test.go | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/common/authentication/aws/static.go b/common/authentication/aws/static.go
index a6a0f7ec3f..1a6ea73b0c 100644
--- a/common/authentication/aws/static.go
+++ b/common/authentication/aws/static.go
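Review bot: The new "creds from environment" case does not exercise the environment path it is named for: `createSession` goes through `session.NewSessionWithOptions`, which as far as I recall resolves credentials lazily, so the case passes with no AWS variables set and the loop body asserts only on `Region`. To make it prove the fix, set the variables for the test process and check they surface, e.g. `t.Setenv("AWS_ACCESS_KEY_ID", "test-env-key")` and `t.Setenv("AWS_SECRET_ACCESS_KEY", "test-env-secret")` (constructed values) before the call, then assert that `session.Config.Credentials.Get()` returns them. Because `t.Setenv` is process-global, that case must not run under `t.Parallel()`. The table literal and `TestGetTokenClient` start above the hunk.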
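Review bot: `isX509Auth` is the switch that decides whether `NewProvider` sends a component to certificate-based auth or to the static/environment credential path, and it arrives in x509.go with no doc comment, so the three property names are its only specification. I would add `// isX509Auth reports whether the component metadata carries all three properties (trustProfileArn, trustAnchorArn, assumeRoleArn) that select x509 authentication; if any is missing NewProvider presumably falls back to the static IAM provider.` The body can also collapse to `return m["trustProfileArn"] != "" && m["trustAnchorArn"] != "" && m["assumeRoleArn"] != ""`, since the three locals add nothing.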
@@ -38,10 +38,10 @@ type StaticAuth struct {
 endpoint *string
 accessKey *string
 secretKey *string
- sessionToken *string
+ sessionToken string
 assumeRoleARN *string
- sessionName *string
+ sessionName string
 session *session.Session
 cfg *aws.Config
@@ -75,13 +75,13 @@ func newStaticIAM(_ context.Context, opts Options, cfg *aws.Config) (*StaticAuth
 auth.secretKey = &opts.SecretKey
 }
 if opts.SessionToken != "" {
- auth.sessionToken = &opts.SessionToken
+ auth.sessionToken = opts.SessionToken
 }
 if opts.AssumeRoleARN != "" {
 auth.assumeRoleARN = &opts.AssumeRoleARN
 }
 if opts.SessionName != "" {
- auth.sessionName = &opts.SessionName
+ auth.sessionName = opts.SessionName
 }
 
 initialSession, err := auth.createSession()
@@ -245,8 +245,8 @@ func (a *StaticAuth) Kafka(opts KafkaOptions) (*KafkaClients, error) {
 if a.assumeRoleARN != nil {
 tokenProvider.awsIamRoleArn = *a.assumeRoleARN
 }
- if a.sessionName != nil {
- tokenProvider.awsStsSessionName = *a.sessionName
+ if a.sessionName != "" {
+ tokenProvider.awsStsSessionName = a.sessionName
 }
 
 err := a.clients.kafka.New(a.session, &tokenProvider)
@@ -271,7 +271,7 @@ func (a *StaticAuth) createSession() (*session.Session, error) {
 if a.accessKey != nil && a.secretKey != nil {
 // session token is an option field
- awsConfig = awsConfig.WithCredentials(credentials.NewStaticCredentials(*a.accessKey, *a.secretKey, *a.sessionToken))
+ awsConfig = awsConfig.WithCredentials(credentials.NewStaticCredentials(*a.accessKey, *a.secretKey, a.sessionToken))
 }
 
 if a.endpoint != nil {
diff --git a/common/authentication/aws/static_test.go b/common/authentication/aws/static_test.go
index 12bfe7b280..8ceb5639e4 100644
--- a/common/authentication/aws/static_test.go
+++ b/common/authentication/aws/static_test.go
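Review bot: After this change `StaticAuth` carries two conventions for "not configured" with nothing in the struct explaining them: `endpoint`/`accessKey`/`secretKey`/`assumeRoleARN` stay `*string`, where nil is what `createSession` and `Kafka` test before dereferencing, while `sessionToken`/`sessionName` become plain strings where empty is passed through as-is. The nil-deref fix depends on that split, so it should be stated at the declaration; I would put `// nil means the value was not supplied in the component metadata and the SDK's own resolution applies` above the pointer group and `// optional; an empty value is safe to pass through unchanged` on the two string fields. The struct definition starts above the hunk.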
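Review bot: With `sessionToken` and `sessionName` now plain strings, the `if opts.SessionToken != ""` and `if opts.SessionName != ""` guards around the two rewritten assignments are no-ops (they only skip writing an empty string into a zero-valued field) and imply a third state that no longer exists. `auth.sessionToken = opts.SessionToken` and `auth.sessionName = opts.SessionName`, unconditional, read more honestly; the guards on the remaining `*string` fields above them are still needed because those take an address. newStaticIAM starts above the hunk.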
@@ -48,7 +48,7 @@ func TestGetTokenClient(t *testing.T) {
 awsInstance: &StaticAuth{
 accessKey: aws.String("testAccessKey"),
 secretKey: aws.String("testSecretKey"),
- sessionToken: aws.String("testSessionToken"),
+ sessionToken: "testSessionToken",
 region: aws.String("us-west-2"),
 endpoint: aws.String("https://test.endpoint.com"),
 },