Assume user role ARN (#81)

shubham149 · jtallinger · web-flow · commit d1e4b3277502 · 2021-12-02T14:18:00.000+05:30
Co-authored-by: Joakim Tallinger &lt;joakim.tallinger@kone.com&gt;
diff --git a/main.go b/main.go
@@ -47,6 +47,11 @@ func main() {
 			Value:  "drone-s3",
 			EnvVar: "PLUGIN_ASSUME_ROLE_SESSION_NAME,ASSUME_ROLE_SESSION_NAME",
 		},
+		cli.StringFlag{
+			Name:   "user-role-arn",
+			Usage:  "AWS user role",
+			EnvVar: "PLUGIN_USER_ROLE_ARN,AWS_USER_ROLE_ARN",
+		},
 		cli.StringFlag{
 			Name:   "bucket",
 			Usage:  "aws bucket",
@@ -146,6 +151,7 @@ func run(c *cli.Context) error {
 		AssumeRole:            c.String("assume-role"),
 		AssumeRoleSessionName: c.String("assume-role-session-name"),
 		Bucket:                c.String("bucket"),
+		UserRoleArn:           c.String("user-role-arn"),
 		Region:                c.String("region"),
 		Access:                c.String("acl"),
 		Source:                c.String("source"),
diff --git a/plugin.go b/plugin.go
@@ -26,6 +26,7 @@ type Plugin struct {
 	AssumeRole            string
 	AssumeRoleSessionName string
 	Bucket                string
+	UserRoleArn           string
 
 	// if not "", enable server-side encryption
 	// valid values are:
@@ -114,13 +115,24 @@ func (p *Plugin) Exec() error {
 		log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
 	}
 
+	var client *s3.S3
 	sess, err := session.NewSession(conf)
 	if err != nil {
 		log.WithError(err).Errorln("could not instantiate session")
 		return err
 	}
 
-	client := s3.New(sess)
+	// If user role ARN is set then assume role here
+	if len(p.UserRoleArn) > 0 {
+		confRoleArn := aws.Config{
+			Region:      aws.String(p.Region),
+			Credentials: stscreds.NewCredentials(sess, p.UserRoleArn),
+		}
+
+		client = s3.New(sess, &confRoleArn)
+	} else {
+		client = s3.New(sess)
+	}
 
 	// find the bucket
 	log.WithFields(log.Fields{
