fix get aws creds from environment (#3617)

Signed-off-by: Fabian Martinez <46371672+famarting@users.noreply.github.com>
2024-11-28 16:57:18 +01:00 · 2024-11-28 16:57:18 +01:00 · 1e095ed25a
parent f48b4128d6
commit 1e095ed25a
4 changed files with 47 additions and 25 deletions
--- a/common/authentication/aws/aws.go
+++ b/common/authentication/aws/aws.go
@ -112,13 +112,6 @@ type Provider interface {
 	Close() error
 }

-func isX509Auth(m map[string]string) bool {
-	tp, _ := m["trustProfileArn"]
-	ta, _ := m["trustAnchorArn"]
-	ar, _ := m["assumeRoleArn"]
-	return tp != "" && ta != "" && ar != ""
-}
-
 func NewProvider(ctx context.Context, opts Options, cfg *aws.Config) (Provider, error) {
 	if isX509Auth(opts.Properties) {
 		return newX509(ctx, opts, cfg)
--- a/common/authentication/aws/static.go
+++ b/common/authentication/aws/static.go
@ -38,10 +38,10 @@ type StaticAuth struct {
 	endpoint     *string
 	accessKey    *string
 	secretKey    *string
-	sessionToken *string
+	sessionToken string

 	assumeRoleARN *string
-	sessionName   *string
+	sessionName   string

 	session *session.Session
 	cfg     *aws.Config
@ -50,15 +50,7 @@ type StaticAuth struct {

 func newStaticIAM(_ context.Context, opts Options, cfg *aws.Config) (*StaticAuth, error) {
 	auth := &StaticAuth{
-		logger:        opts.Logger,
-		region:        &opts.Region,
-		endpoint:      &opts.Endpoint,
-		accessKey:     &opts.AccessKey,
-		secretKey:     &opts.SecretKey,
-		sessionToken:  &opts.SessionToken,
-		assumeRoleARN: &opts.AssumeRoleARN,
-		sessionName:   &opts.SessionName,
-
+		logger: opts.Logger,
 		cfg: func() *aws.Config {
 			// if nil is passed or it's just a default cfg,
 			// then we use the options to build the aws cfg.
@ -70,7 +62,29 @@ func newStaticIAM(_ context.Context, opts Options, cfg *aws.Config) (*StaticAuth
 		clients: newClients(),
 	}

-	initialSession, err := auth.getTokenClient()
+	if opts.Region != "" {
+		auth.region = &opts.Region
+	}
+	if opts.Endpoint != "" {
+		auth.endpoint = &opts.Endpoint
+	}
+	if opts.AccessKey != "" {
+		auth.accessKey = &opts.AccessKey
+	}
+	if opts.SecretKey != "" {
+		auth.secretKey = &opts.SecretKey
+	}
+	if opts.SessionToken != "" {
+		auth.sessionToken = opts.SessionToken
+	}
+	if opts.AssumeRoleARN != "" {
+		auth.assumeRoleARN = &opts.AssumeRoleARN
+	}
+	if opts.SessionName != "" {
+		auth.sessionName = opts.SessionName
+	}
+
+	initialSession, err := auth.createSession()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get token client: %v", err)
 	}
@ -231,8 +245,8 @@ func (a *StaticAuth) Kafka(opts KafkaOptions) (*KafkaClients, error) {
 	if a.assumeRoleARN != nil {
 		tokenProvider.awsIamRoleArn = *a.assumeRoleARN
 	}
-	if a.sessionName != nil {
-		tokenProvider.awsStsSessionName = *a.sessionName
+	if a.sessionName != "" {
+		tokenProvider.awsStsSessionName = a.sessionName
 	}

 	err := a.clients.kafka.New(a.session, &tokenProvider)
@ -243,7 +257,7 @@ func (a *StaticAuth) Kafka(opts KafkaOptions) (*KafkaClients, error) {
 	return a.clients.kafka, nil
 }

-func (a *StaticAuth) getTokenClient() (*session.Session, error) {
+func (a *StaticAuth) createSession() (*session.Session, error) {
 	var awsConfig *aws.Config
 	if a.cfg == nil {
 		awsConfig = aws.NewConfig()
@ -257,13 +271,15 @@ func (a *StaticAuth) getTokenClient() (*session.Session, error) {

 	if a.accessKey != nil && a.secretKey != nil {
 		// session token is an option field
-		awsConfig = awsConfig.WithCredentials(credentials.NewStaticCredentials(*a.accessKey, *a.secretKey, *a.sessionToken))
+		awsConfig = awsConfig.WithCredentials(credentials.NewStaticCredentials(*a.accessKey, *a.secretKey, a.sessionToken))
 	}

 	if a.endpoint != nil {
 		awsConfig = awsConfig.WithEndpoint(*a.endpoint)
 	}

+	// TODO support assume role for all aws components
+
 	awsSession, err := session.NewSessionWithOptions(session.Options{
 		Config:            *awsConfig,
 		SharedConfigState: session.SharedConfigEnable,
--- a/common/authentication/aws/static_test.go
+++ b/common/authentication/aws/static_test.go
@ -48,16 +48,22 @@ func TestGetTokenClient(t *testing.T) {
 			awsInstance: &StaticAuth{
 				accessKey:    aws.String("testAccessKey"),
 				secretKey:    aws.String("testSecretKey"),
-				sessionToken: aws.String("testSessionToken"),
+				sessionToken: "testSessionToken",
 				region:       aws.String("us-west-2"),
 				endpoint:     aws.String("https://test.endpoint.com"),
 			},
 		},
+		{
+			name: "creds from environment",
+			awsInstance: &StaticAuth{
+				region: aws.String("us-west-2"),
+			},
+		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			session, err := tt.awsInstance.getTokenClient()
+			session, err := tt.awsInstance.createSession()
 			require.NotNil(t, session)
 			require.NoError(t, err)
 			assert.Equal(t, tt.awsInstance.region, session.Config.Region)
--- a/common/authentication/aws/x509.go
+++ b/common/authentication/aws/x509.go
@ -41,6 +41,13 @@ import (
 	"github.com/dapr/kit/ptr"
 )

+func isX509Auth(m map[string]string) bool {
+	tp := m["trustProfileArn"]
+	ta := m["trustAnchorArn"]
+	ar := m["assumeRoleArn"]
+	return tp != "" && ta != "" && ar != ""
+}
+
 type x509Options struct {
 	TrustProfileArn *string `json:"trustProfileArn" mapstructure:"trustProfileArn"`
 	TrustAnchorArn  *string `json:"trustAnchorArn" mapstructure:"trustAnchorArn"`