Skip to content

Commit

Permalink
support sts assume role with s3 release sources
Browse files Browse the repository at this point in the history
Adds an optional "aws_role_arn" property for a release source that
can assume a role in an aws account.

[#185364456](https://www.pivotaltracker.com/story/show/185364456)

Co-authored-by: Andrew Garner <garnera@vmware.com>
Co-authored-by: Kyle Ong <kyleo@vmware.com>
  • Loading branch information
2 people authored and ram-pivot committed Jul 11, 2023
1 parent bbdb333 commit 0c7a55c
Show file tree
Hide file tree
Showing 3 changed files with 64 additions and 2 deletions.
11 changes: 10 additions & 1 deletion internal/component/s3_release_source.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/Masterminds/semver/v3"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/aws/aws-sdk-go/service/s3/s3manager"
Expand Down Expand Up @@ -72,12 +73,20 @@ func NewS3ReleaseSourceFromConfig(config cargo.ReleaseSourceConfig, logger *log.
Region: aws.String(config.Region),
Credentials: credentials.NewStaticCredentials(config.AccessKeyId, config.SecretAccessKey, ""),
}

var assumedRoleAwsConfig aws.Config
if config.AwsRoleARN != "" {
stsSession := session.Must(session.NewSession(awsConfig))
roleCredentials := stscreds.NewCredentials(stsSession, config.AwsRoleARN)
assumedRoleAwsConfig.Credentials = roleCredentials
}

if config.Endpoint != "" { // for acceptance testing
awsConfig = awsConfig.WithEndpoint(config.Endpoint)
awsConfig = awsConfig.WithS3ForcePathStyle(true)
}

sess := session.Must(session.NewSession(awsConfig))
sess := session.Must(session.NewSession(awsConfig, &assumedRoleAwsConfig))
client := s3.New(sess)

return NewS3ReleaseSource(
Expand Down
54 changes: 53 additions & 1 deletion pkg/cargo/files_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,58 @@ func TestInterpolateAndParseKilnfile(t *testing.T) {
})
}

func TestInterpolateAndParseKilnfileWithRoleARN(t *testing.T) {
please := NewWithT(t)

const validKilnfileWithRoleARN = `---
release_sources:
- type: s3
compiled: true
bucket: $( variable "bucket" )
region: $( variable "region" )
access_key_id: $( variable "access_key" )
secret_access_key: $( variable "secret_key" )
aws_role_arn: $( variable "role_arn" )
path_template: $( variable "path_template" )
`

variables := map[string]interface{}{
"bucket": "my-bucket",
"region": "middle-earth",
"path_template": "not-used",

"access_key": "id",
"secret_key": "key",
"role_arn": "role-arn",
}

kilnfile, err := cargo.InterpolateAndParseKilnfile(
strings.NewReader(validKilnfileWithRoleARN), variables,
)

please.Expect(err).NotTo(HaveOccurred())

please.Expect(kilnfile).To(Equal(cargo.Kilnfile{
ReleaseSources: []cargo.ReleaseSourceConfig{
{
Type: "s3",
Bucket: "my-bucket",
Region: "middle-earth",
AccessKeyId: "id",
AwsRoleARN: "role-arn",
SecretAccessKey: "key",
PathTemplate: "not-used",
},
},
}))

t.Run("reading fails", func(t *testing.T) {
r := iotest.ErrReader(errors.New("lemon"))
_, err := cargo.InterpolateAndParseKilnfile(r, make(map[string]any))
assert.Error(t, err)
})
}

func TestInterpolateAndParseKilnfile_input_is_not_valid_yaml(t *testing.T) {
please := NewWithT(t)

Expand Down Expand Up @@ -88,7 +140,7 @@ func TestInterpolateAndParseKilnfile_interpolation_variable_not_found(t *testing
strings.NewReader(validKilnfile), variables,
)

please.Expect(err).To(HaveOccurred())
please.Expect(err).To(MatchError(ContainSubstring(`could not find variable with key 'region'`)))
}

const validKilnfile = `---
Expand Down
1 change: 1 addition & 0 deletions pkg/cargo/kilnfile.go
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,7 @@ type ReleaseSourceConfig struct {
Region string `yaml:"region,omitempty"`
AccessKeyId string `yaml:"access_key_id,omitempty"`
SecretAccessKey string `yaml:"secret_access_key,omitempty"`
AwsRoleARN string `yaml:"aws_role_arn,omitempty"`
PathTemplate string `yaml:"path_template,omitempty"`
Endpoint string `yaml:"endpoint,omitempty"`
Org string `yaml:"org,omitempty"`
Expand Down

0 comments on commit 0c7a55c

Please sign in to comment.