@@ -29,6 +29,7 @@ type Plugin struct {
2929 AssumeRoleSessionName string
3030 Bucket string
3131 UserRoleArn string
32+ UserRoleExternalID string
3233
3334 // if not "", enable server-side encryption
3435 // valid values are:
@@ -99,7 +100,7 @@ type Plugin struct {
99100 // set externalID for assume role
100101 ExternalID string
101102
102- // set OIDC ID Token to retrieve temporary credentials
103+ // set OIDC ID Token to retrieve temporary credentials
103104 IdToken string
104105}
105106
@@ -280,7 +281,8 @@ func matchExtension(match string, stringMap map[string]string) string {
280281 return ""
281282}
282283
283- func assumeRole (sess * session.Session , roleArn , roleSessionName , externalID string ) * credentials.Credentials {
284+ func assumeRole (roleArn , roleSessionName , externalID string ) * credentials.Credentials {
285+ sess , _ := session .NewSession ()
284286 client := sts .New (sess )
285287 duration := time .Hour * 1
286288 stsProvider := & stscreds.AssumeRoleProvider {
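Review bot: The new `sess, _ := session.NewSession()` in assumeRole discards the error and builds a session with no configuration, whereas the removed parameter carried the caller's session built from conf (Region, Endpoint); the STS client now resolves its region from the environment alone, and on a NewSession failure sts.New receives a nil session. At minimum check the error in the same style the rest of the file uses: `sess, err := session.NewSession()` followed by `if err != nil { log.Fatalf("failed to create STS session: %v", err) }`, or keep passing the configured session from the caller. The body of assumeRole continues outside this hunk.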
@@ -433,95 +435,69 @@ func (p *Plugin) downloadS3Objects(client *s3.S3, sourceDir string) error {
433435
434436// createS3Client creates and returns an S3 client based on the plugin configuration
435437func (p * Plugin ) createS3Client () * s3.S3 {
436- conf := & aws.Config {
437- Region : aws .String (p .Region ),
438- Endpoint : & p .Endpoint ,
439- DisableSSL : aws .Bool (strings .HasPrefix (p .Endpoint , "http://" )),
440- S3ForcePathStyle : aws .Bool (p .PathStyle ),
441- }
442-
443- var creds * credentials.Credentials
444- var err error
445-
446- // Set credentials before creating the session
447- if p .Key != "" && p .Secret != "" {
448- // Use static credentials
449- creds = credentials .NewStaticCredentials (p .Key , p .Secret , "" )
450- conf .Credentials = creds
451- } else if p .IdToken != "" && p .AssumeRole != "" {
452- // Assume role with web identity
453- tempSess , err := session .NewSession (conf )
454- if err != nil {
455- log .Fatalf ("failed to create temporary AWS session: %v" , err )
456- }
457-
458- creds , err = assumeRoleWithWebIdentity (tempSess , p .AssumeRole , p .AssumeRoleSessionName , p .IdToken )
459- if err != nil {
460- log .Fatalf ("failed to assume role with web identity: %v" , err )
461- }
462-
463- // Update the credentials in the config
464- conf .Credentials = creds
465- } else if p .AssumeRole != "" {
466- // Standard AssumeRole
467- tempSess , err := session .NewSession (conf )
468- if err != nil {
469- log .Fatalf ("failed to create temporary AWS session: %v" , err )
470- }
471-
472- creds = assumeRole (tempSess , p .AssumeRole , p .AssumeRoleSessionName , p .ExternalID )
473-
474- // Update the credentials in the config
475- conf .Credentials = creds
476- } else {
477- log .Warn ("AWS Key and/or Secret not provided (falling back to EC2 instance profile or environment variables)" )
478- }
479-
480- // Now create the main session with the credentials
481- sess , err := session .NewSession (conf )
482- if err != nil {
483- log .Fatalf ("failed to create AWS session: %v" , err )
484- }
485-
486- // Create the S3 client using the session
487- client := s3 .New (sess )
488-
489- // Only attempt to assume UserRoleArn if it's provided
490- if len (p .UserRoleArn ) > 0 {
491- log .WithFields (log.Fields {
492- "UserRoleArn" : p .UserRoleArn ,
493- }).Info ("Assuming user role ARN" )
494-
495- // Create new credentials by assuming the UserRoleArn
496- creds = stscreds .NewCredentials (sess , p .UserRoleArn )
497-
498- // Create a new session with the new credentials
499- confWithUserRole := & aws.Config {
500- Region : aws .String (p .Region ),
501- Credentials : creds ,
502- }
503-
504- sessWithUserRole , err := session .NewSession (confWithUserRole )
505- if err != nil {
506- log .Fatalf ("failed to create AWS session with user role: %v" , err )
507- }
508-
509- client = s3 .New (sessWithUserRole )
510- }
511-
512- return client
438+ conf := & aws.Config {
439+ Region : aws .String (p .Region ),
440+ Endpoint : & p .Endpoint ,
441+ DisableSSL : aws .Bool (strings .HasPrefix (p .Endpoint , "http://" )),
442+ S3ForcePathStyle : aws .Bool (p .PathStyle ),
443+ }
444+
445+ sess , err := session .NewSession (conf )
446+ if err != nil {
447+ log .Fatalf ("failed to create AWS session: %v" , err )
448+ }
449+
450+ if p .Key != "" && p .Secret != "" {
451+ conf .Credentials = credentials .NewStaticCredentials (p .Key , p .Secret , "" )
452+ } else if p .IdToken != "" && p .AssumeRole != "" {
453+ creds , err := assumeRoleWithWebIdentity (sess , p .AssumeRole , p .AssumeRoleSessionName , p .IdToken )
454+ if err != nil {
455+ log .Fatalf ("failed to assume role with web identity: %v" , err )
456+ }
457+ conf .Credentials = creds
458+ } else if p .AssumeRole != "" {
459+ conf .Credentials = assumeRole (p .AssumeRole , p .AssumeRoleSessionName , p .ExternalID )
460+ } else {
461+ log .Warn ("AWS Key and/or Secret not provided (falling back to ec2 instance profile)" )
462+ }
463+
464+ client := s3 .New (sess , conf )
465+
466+ if len (p .UserRoleArn ) > 0 {
467+ // Create new credentials by assuming the UserRoleArn (with ExternalID when provided)
468+ creds := stscreds .NewCredentials (sess , p .UserRoleArn , func (provider * stscreds.AssumeRoleProvider ) {
469+ if p .UserRoleExternalID != "" {
470+ provider .ExternalID = aws .String (p .UserRoleExternalID )
471+ }
472+ })
473+
474+ // Create a new session with the new credentials
475+ confWithUserRole := & aws.Config {
476+ Region : aws .String (p .Region ),
477+ Credentials : creds ,
478+ }
479+
480+ sessWithUserRole , err := session .NewSession (confWithUserRole )
481+ if err != nil {
482+ log .Fatalf ("failed to create AWS session with user role: %v" , err )
483+ }
484+
485+ client = s3 .New (sessWithUserRole )
486+ }
487+
488+ return client
513489}
514490
515491func assumeRoleWithWebIdentity (sess * session.Session , roleArn , roleSessionName , idToken string ) (* credentials.Credentials , error ) {
516- svc := sts .New (sess )
517- input := & sts.AssumeRoleWithWebIdentityInput {
518- RoleArn : aws .String (roleArn ),
519- RoleSessionName : aws .String (roleSessionName ),
520- WebIdentityToken : aws .String (idToken ),
521- }
522- result , err := svc .AssumeRoleWithWebIdentity (input )
523- if err != nil {
524- log .Fatalf ("failed to assume role with web identity: %v" , err )
525- }
526- return credentials .NewStaticCredentials (* result .Credentials .AccessKeyId , * result .Credentials .SecretAccessKey , * result .Credentials .SessionToken ), nil
492+ svc := sts .New (sess )
493+ input := & sts.AssumeRoleWithWebIdentityInput {
494+ RoleArn : aws .String (roleArn ),
495+ RoleSessionName : aws .String (roleSessionName ),
496+ WebIdentityToken : aws .String (idToken ),
497+ }
498+ result , err := svc .AssumeRoleWithWebIdentity (input )
499+ if err != nil {
500+ log .Fatalf ("failed to assume role with web identity: %v" , err )
501+ }
502+ return credentials .NewStaticCredentials (* result .Credentials .AccessKeyId , * result .Credentials .SecretAccessKey , * result .Credentials .SessionToken ), nil
527503}
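Review bot: In createS3Client the `stscreds.NewCredentials(sess, p.UserRoleArn, ...)` call is given `sess`, which is created from conf before `conf.Credentials` is assigned in the branch below it, so the UserRoleArn AssumeRole now runs under the SDK's default credential chain instead of the static key/secret or assumed-role credentials the plugin was configured with (the removed code built sess after the branch, so the configured principal performed that call). `s3.New(sess, conf)` is not affected because it merges conf, but the STS provider only sees the session. Build the session for the user-role step after credential selection: `userSess, err := session.NewSession(conf)`, `if err != nil { log.Fatalf("failed to create AWS session for user role: %v", err) }`, then `creds := stscreds.NewCredentials(userSess, p.UserRoleArn, func(provider *stscreds.AssumeRoleProvider) { ... })`. The same ordering also means assumeRoleWithWebIdentity receives a session without the static credentials, which matches the old tempSess behaviour and is presumably intended.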