Merge branch 'master' into 110-optional-acl

nhandler · web-flow · commit 9070b334a3e2 · 2023-08-30T10:47:17.000-05:00
diff --git a/main.go b/main.go
@@ -131,6 +131,11 @@ func main() {
 			Name:  "env-file",
 			Usage: "source env file",
 		},
+		cli.StringFlag{
+			Name:   "external-id",
+			Usage:  "external ID to use when assuming role",
+			EnvVar: "PLUGIN_EXTERNAL_ID",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -164,6 +169,7 @@ func run(c *cli.Context) error {
 		StorageClass:          c.String("storage-class"),
 		PathStyle:             c.Bool("path-style"),
 		DryRun:                c.Bool("dry-run"),
+		ExternalID:            c.String("external-id"),
 	}
 
 	return plugin.Exec()
diff --git a/plugin.go b/plugin.go
@@ -90,6 +90,9 @@ type Plugin struct {
 	PathStyle bool
 	// Dry run without uploading/
 	DryRun bool
+
+	// set externalID for assume role
+	ExternalID string
 }
 
 // Exec runs the plugin
@@ -108,7 +111,7 @@ func (p *Plugin) Exec() error {
 	if p.Key != "" && p.Secret != "" {
 		conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
 	} else if p.AssumeRole != "" {
-		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName)
+		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
 	} else {
 		log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
 	}
@@ -290,7 +293,7 @@ func matchExtension(match string, stringMap map[string]string) string {
 	return ""
 }
 
-func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {
+func assumeRole(roleArn, roleSessionName, externalID string) *credentials.Credentials {
 	sess, _ := session.NewSession()
 	client := sts.New(sess)
 	duration := time.Hour * 1
@@ -301,6 +304,10 @@ func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {
 		RoleSessionName: roleSessionName,
 	}
 
+	if externalID != "" {
+		stsProvider.ExternalID = &externalID
+	}
+
 	return credentials.NewCredentials(stsProvider)
 }
 
@@ -321,17 +328,17 @@ func isDir(source string, matches []string) bool {
 	if err != nil {
 		return true // should never happen
 	}
-	if (stat.IsDir()) {
+	if stat.IsDir() {
 		count := 0
 		for _, match := range matches {
 			if strings.HasPrefix(match, source) {
-				count++;
+				count++
 			}
 		}
 		if count <= 1 {
 			log.Warnf("Skipping '%s' since it is a directory. Please use correct glob expression if this is unexpected.", source)
 		}
-		return true;
+		return true
 	}
 	return false
 }

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,9 @@ type Plugin struct {`
`90`	`90`	`PathStyle bool`
`91`	`91`	`// Dry run without uploading/`
`92`	`92`	`DryRun bool`
	`93`	`+`
	`94`	`+ // set externalID for assume role`
	`95`	`+ ExternalID string`
`93`	`96`	`}`
`94`	`97`
`95`	`98`	`// Exec runs the plugin`
`@@ -108,7 +111,7 @@ func (p *Plugin) Exec() error {`
`108`	`111`	`if p.Key != "" && p.Secret != "" {`
`109`	`112`	`conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")`
`110`	`113`	`} else if p.AssumeRole != "" {`
`111`		`- conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName)`
	`114`	`+ conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)`
`112`	`115`	`} else {`
`113`	`116`	`log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")`
`114`	`117`	`}`
`@@ -290,7 +293,7 @@ func matchExtension(match string, stringMap map[string]string) string {`
`290`	`293`	`return ""`
`291`	`294`	`}`
`292`	`295`
`293`		`-func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {`
	`296`	`+func assumeRole(roleArn, roleSessionName, externalID string) *credentials.Credentials {`
`294`	`297`	`sess, _ := session.NewSession()`
`295`	`298`	`client := sts.New(sess)`
`296`	`299`	`duration := time.Hour * 1`
`@@ -301,6 +304,10 @@ func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {`
`301`	`304`	`RoleSessionName: roleSessionName,`
`302`	`305`	`}`
`303`	`306`
	`307`	`+ if externalID != "" {`
	`308`	`+ stsProvider.ExternalID = &externalID`
	`309`	`+ }`
	`310`	`+`
`304`	`311`	`return credentials.NewCredentials(stsProvider)`
`305`	`312`	`}`
`306`	`313`
`@@ -321,17 +328,17 @@ func isDir(source string, matches []string) bool {`
`321`	`328`	`if err != nil {`
`322`	`329`	`return true // should never happen`
`323`	`330`	`}`
`324`		`- if (stat.IsDir()) {`
	`331`	`+ if stat.IsDir() {`
`325`	`332`	`count := 0`
`326`	`333`	`for _, match := range matches {`
`327`	`334`	`if strings.HasPrefix(match, source) {`
`328`		`- count++;`
	`335`	`+ count++`
`329`	`336`	`}`
`330`	`337`	`}`
`331`	`338`	`if count <= 1 {`
`332`	`339`	`log.Warnf("Skipping '%s' since it is a directory. Please use correct glob expression if this is unexpected.", source)`
`333`	`340`	`}`
`334`		`- return true;`
	`341`	`+ return true`
`335`	`342`	`}`
`336`	`343`	`return false`
`337`	`344`	`}`