Support EKS credentials

zhonghui12 · Oct 1, 2020 · f5ee9a8 · f5ee9a8
1 parent 34502d1
commit f5ee9a8
Showing 1 changed file with 33 additions and 7 deletions.
diff --git a/cloudwatch/cloudwatch.go b/cloudwatch/cloudwatch.go
@@ -15,6 +15,7 @@ package cloudwatch
 
 import (
 	"fmt"
+	"os"
 	"sort"
 	"strings"
 	"time"
@@ -188,32 +189,57 @@ func newCloudWatchLogsClient(config OutputPluginConfig) (*cloudwatchlogs.CloudWa
 		return endpoints.DefaultResolver().EndpointFor(service, region, optFns...)
 	}
 
-	svcConfig := &aws.Config{
+	baseConfig := &aws.Config{
 		Region:                        aws.String(config.Region),
 		EndpointResolver:              endpoints.ResolverFunc(customResolverFn),
 		CredentialsChainVerboseErrors: aws.Bool(true),
 	}
 
 	if config.CredsEndpoint != "" {
-		creds := endpointcreds.NewCredentialsClient(*svcConfig, request.Handlers{}, config.CredsEndpoint,
+		creds := endpointcreds.NewCredentialsClient(*baseConfig, request.Handlers{}, config.CredsEndpoint,
 			func(provider *endpointcreds.Provider) {
 				provider.ExpiryWindow = 5 * time.Minute
 			})
-		svcConfig.Credentials = creds
+		baseConfig.Credentials = creds
 	}
 
-	sess, err := session.NewSession(svcConfig)
+	sess, err := session.NewSession(baseConfig)
 	if err != nil {
 		return nil, err
 	}
 
-	stsConfig := &aws.Config{}
+	var svcSess = sess
+	var svcConfig = baseConfig
+	eksRole := os.Getenv("EKS_POD_EXECUTION_ROLE")
+	if eksRole != "" {
+		logrus.Debugf("Will fetch EKS pod credentials")
+		eksConfig := &aws.Config{}
+		creds := stscreds.NewCredentials(svcSess, eksRole)
+		eksConfig.Credentials = creds
+		eksConfig.Region = aws.String(config.Region)
+		svcConfig = eksConfig
+
+		svcSess, err = session.NewSession(svcConfig)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	if config.RoleARN != "" {
-		creds := stscreds.NewCredentials(sess, config.RoleARN)
+		logrus.Debugf("Will fetch credentials for %s", config.RoleARN)
+		stsConfig := &aws.Config{}
+		creds := stscreds.NewCredentials(svcSess, config.RoleARN)
 		stsConfig.Credentials = creds
+		stsConfig.Region = aws.String(config.Region)
+		svcConfig = stsConfig
+
+		svcSess, err = session.NewSession(svcConfig)
+		if err != nil {
+			return nil, err
+		}
 	}
 
-	client := cloudwatchlogs.New(sess, stsConfig)
+	client := cloudwatchlogs.New(svcSess, svcConfig)
 	client.Handlers.Build.PushBackNamed(plugins.CustomUserAgentHandler())
 	if config.LogFormat != "" {
 		client.Handlers.Build.PushBackNamed(LogFormatHandler(config.LogFormat))