From 840181625950d64456b07301e651e778c0ebc950 Mon Sep 17 00:00:00 2001
From: Frederick Kautz
Date: Sat, 16 Dec 2023 13:24:29 -0800
Subject: [PATCH] feat: Adding IAM credential type for AWS

Signed-off-by: Frederick Kautz
---
 cmd/archivista/main.go | 12 ++++++++++--
 compose-dev.yml | 1 +
 compose.yml | 1 +
 internal/config/config.go | 1 +
 internal/objectstorage/blobstore/minio.go | 4 ++--
 5 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/cmd/archivista/main.go b/cmd/archivista/main.go
index 4e6942cf..2c75cf1d 100644
--- a/cmd/archivista/main.go
+++ b/cmd/archivista/main.go
@@ -42,6 +42,7 @@ import (
 	"github.com/in-toto/archivista/internal/objectstorage/blobstore"
 	"github.com/in-toto/archivista/internal/objectstorage/filestore"
 	"github.com/in-toto/archivista/internal/server"
+	"github.com/minio/minio-go/pkg/credentials"
 	"github.com/sirupsen/logrus"
 )
 
@@ -166,11 +167,18 @@ func initObjectStore(ctx context.Context, cfg *config.Config) (server.StorerGett
 		return filestore.New(ctx, cfg.FileDir, cfg.FileServeOn)
 	case "BLOB":
+		var creds *credentials.Credentials
+		if cfg.BlobStoreCredentialType == "IAM" {
+			creds = credentials.NewIAM("")
+		} else if cfg.BlobStoreCredentialType == "ACCESS_KEY" {
+			creds = credentials.NewStaticV4(cfg.BlobStoreAccessKeyId, cfg.BlobStoreSecretAccessKeyId, "")
+		} else {
+			logrus.Fatalln("invalid blob store credential type: ", cfg.BlobStoreCredentialType)
+		}
 		return blobstore.New(
 			ctx,
 			cfg.BlobStoreEndpoint,
-			cfg.BlobStoreAccessKeyId,
-			cfg.BlobStoreSecretAccessKeyId,
+			creds,
 			cfg.BlobStoreBucketName,
 			cfg.BlobStoreUseTLS,
 		)
 
diff --git a/compose-dev.yml b/compose-dev.yml
index b334309b..330c8445 100644
--- a/compose-dev.yml
+++ b/compose-dev.yml
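Review bot: The new import uses the unversioned `github.com/minio/minio-go/pkg/credentials` path, i.e. the legacy pre-`/v7` module of minio-go, and the `*credentials.Credentials` built from it is only assignable to `blobstore.New`'s new parameter if `internal/objectstorage/blobstore/minio.go` imports the very same package (its import block is outside this patch). Since the credential type is now part of the boundary between `cmd/archivista` and `blobstore`, it is worth confirming both files resolve to one module version rather than relying on the build to catch a drift later.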
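Review bot: The `ACCESS_KEY` branch builds static credentials without checking that `cfg.BlobStoreAccessKeyId` and `cfg.BlobStoreSecretAccessKeyId` are actually set, so an operator who keeps the `ACCESS_KEY` default but forgets the keys gets a client that only fails on its first request instead of a clear startup error. The unknown-type branch calls `logrus.Fatalln` even though `initObjectStore` has an error result (it returns `blobstore.New`'s three values directly), so returning the error and letting the caller decide keeps the function testable and matches the `return filestore.New(...)` path; `Fatalln` also inserts its own separator after the message, doubling the space already in the string. A `switch` on `cfg.BlobStoreCredentialType` reads better than the `if`/`else if` chain. The rewrite below assumes `fmt` is already imported (only part of the import block is in the patch); the remainder of `initObjectStore` lies outside the hunk.
```go
	case "BLOB":
		var creds *credentials.Credentials
		switch cfg.BlobStoreCredentialType {
		case "IAM":
			// Credentials are obtained from the instance/task role; no keys in config.
			creds = credentials.NewIAM("")
		case "ACCESS_KEY":
			if cfg.BlobStoreAccessKeyId == "" || cfg.BlobStoreSecretAccessKeyId == "" {
				return nil, nil, fmt.Errorf("blob store credential type ACCESS_KEY requires both an access key id and a secret access key id")
			}
			creds = credentials.NewStaticV4(cfg.BlobStoreAccessKeyId, cfg.BlobStoreSecretAccessKeyId, "")
		default:
			return nil, nil, fmt.Errorf("invalid blob store credential type %q", cfg.BlobStoreCredentialType)
		}
		// … unchanged: blobstore.New call …
```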
@@ -39,6 +39,7 @@ services:
       ARCHIVISTA_FILE_DIR: /tmp/archivista/
       ARCHIVISTA_FILE_SERVE_ON: :8081
       ARCHIVISTA_BLOB_STORE_USE_TLS: "false"
+      ARCHIVISTA_BLOB_STORE_CREDENTIAL_TYPE: ACCESS_KEY
       ARCHIVISTA_BLOB_STORE_ACCESS_KEY_ID: testifytestifytestify
       ARCHIVISTA_BLOB_STORE_SECRET_ACCESS_KEY_ID: exampleexampleexample
       ARCHIVISTA_BLOB_STORE_BUCKET_NAME: attestations
diff --git a/compose.yml b/compose.yml
index 04b5491d..54e508e3 100644
--- a/compose.yml
+++ b/compose.yml
@@ -37,6 +37,7 @@ services:
       ARCHIVISTA_FILE_DIR: /tmp/archivista/
       ARCHIVISTA_FILE_SERVE_ON: :8081
       ARCHIVISTA_BLOB_STORE_USE_TLS: "false"
+      ARCHIVISTA_BLOB_STORE_CREDENTIAL_TYPE: ACCESS_KEY
       ARCHIVISTA_BLOB_STORE_ACCESS_KEY_ID: testifytestifytestify
       ARCHIVISTA_BLOB_STORE_SECRET_ACCESS_KEY_ID: exampleexampleexample
       ARCHIVISTA_BLOB_STORE_BUCKET_NAME: attestations
diff --git a/internal/config/config.go b/internal/config/config.go
index cf0e907a..bbdc3ae9 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -43,6 +43,7 @@ type Config struct {
 	FileServeOn string `default:"" desc:"What address to serve files on. Only valid when using FILE storage backend." split_words:"true"`
 	FileDir string `default:"/tmp/archivista/" desc:"Directory to store and serve files. Only valid when using FILE storage backend." split_words:"true"`
 	BlobStoreEndpoint string `default:"127.0.0.1:9000" desc:"URL endpoint for blob storage. Only valid when using BLOB storage backend." split_words:"true"`
+	BlobStoreCredentialType string `default:"ACCESS_KEY" desc:"Blob store credential type. Options are IAM or ACCESS_KEY" split_words:"true"`
 	BlobStoreAccessKeyId string `default:"" desc:"Blob store access key id. Only valid when using BLOB storage backend." split_words:"true"`
 	BlobStoreSecretAccessKeyId string `default:"" desc:"Blob store secret access key id. Only valid when using BLOB storage backend." split_words:"true"`
 	BlobStoreUseTLS bool `default:"TRUE" desc:"Use TLS for BLOB storage backend. Only valid when using BLOB storage backend." split_words:"true"`
diff --git a/internal/objectstorage/blobstore/minio.go b/internal/objectstorage/blobstore/minio.go
index d4d1e5f5..84579d6a 100644
--- a/internal/objectstorage/blobstore/minio.go
+++ b/internal/objectstorage/blobstore/minio.go
@@ -44,7 +44,7 @@ func (store *Store) PutBlob(idx string, obj []byte) error {
 }
 
 // New returns a reader/writer for storing/retrieving attestations
-func New(ctx context.Context, endpoint, accessKeyId, secretAccessKeyId, bucketName string, useTLS bool) (*Store, <-chan error, error) {
+func New(ctx context.Context, endpoint string, creds *credentials.Credentials, bucketName string, useTLS bool) (*Store, <-chan error, error) {
 	errCh := make(chan error)
 	go func() {
 		<-ctx.Done()
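Review bot: The `desc` tag on the new `BlobStoreCredentialType` field drops the `Only valid when using BLOB storage backend.` qualifier that every neighbouring blob-store field carries, and it does not tell the operator that the value is compared exactly (`IAM` or `ACCESS_KEY`, upper-case) in `cmd/archivista/main.go`, nor which other settings each option relies on. Suggested tag text: `desc:"Blob store credential type. Options are IAM (use the instance/task role, no keys needed) or ACCESS_KEY (use BLOB_STORE_ACCESS_KEY_ID and BLOB_STORE_SECRET_ACCESS_KEY_ID). Only valid when using BLOB storage backend."`. Since the default is `ACCESS_KEY` while the key fields default to empty strings, the description is the only place a reader learns that the two must be set together.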
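Review bot: The new `creds *credentials.Credentials` parameter can be nil, and nothing in `New` rejects that before the value is handed to `minio.NewWithOptions` in the next hunk; a guard placed ahead of `errCh := make(chan error)` — `if creds == nil { return nil, nil, errors.New("blob store credentials must not be nil") }` — fails fast without first starting the `<-ctx.Done()` goroutine (assuming `errors` or `fmt` is available in this file). The doc comment should also state the new contract, e.g. `// New returns a reader/writer for storing/retrieving attestations. creds supplies the blob store credentials (static keys or an IAM provider) and must not be nil.`. The body of `New` continues past this hunk.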
@@ -52,7 +52,7 @@ func New(ctx context.Context, endpoint, accessKeyId, secretAccessKeyId, bucketNa
 	}()
 
 	c, err := minio.NewWithOptions(endpoint, &minio.Options{
-		Creds: credentials.NewStaticV4(accessKeyId, secretAccessKeyId, ""),
+		Creds: creds,
 		Secure: useTLS,
 	})
 	if err != nil {