diff --git a/.gitignore b/.gitignore
index a96eae5..9638798 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,8 +23,10 @@ _testmain.go
 *.test
 *.prof
+.idea/
 release/
 vendor/
 coverage.out
 drone-s3
+dockerfile
\ No newline at end of file
diff --git a/plugin.go b/plugin.go
index 4b461e7..331e6ee 100644
--- a/plugin.go
+++ b/plugin.go
@@ -99,7 +99,7 @@ type Plugin struct {
 // set externalID for assume role
 ExternalID string
- // set OIDC ID Token to retrieve temporary credentials
+ // set OIDC ID Token to retrieve temporary credentials
 IdToken string
 }
@@ -441,14 +441,14 @@ func (p *Plugin) createS3Client() *s3.S3 {
 S3ForcePathStyle: aws.Bool(p.PathStyle),
 }
 
- sess, err := session.NewSession(conf)
- if err != nil {
- log.Fatalf("failed to create AWS session: %v", err)
- }
-
 if p.Key != "" && p.Secret != "" {
 conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
 } else if p.IdToken != "" && p.AssumeRole != "" {
+ sess, err := session.NewSession(conf)
+ if err != nil {
+ log.Fatalf("failed to create interim AWS session to assume role with web identity: %v", err)
+ }
+
 creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
 if err != nil {
 log.Fatalf("failed to assume role with web identity: %v", err)
@@ -460,6 +460,11 @@ func (p *Plugin) createS3Client() *s3.S3 {
 log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
 }
 
+ sess, err := session.NewSession(conf)
+ if err != nil {
+ log.Fatalf("failed to create AWS session: %v", err)
+ }
+
 client := s3.New(sess, conf)
 
 if len(p.UserRoleArn) > 0 {
@@ -485,4 +490,4 @@ func assumeRoleWithWebIdentity(sess *session.Session, roleArn, roleSessionName,
 log.Fatalf("failed to assume role with web identity: %v", err)
 }
 return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
-}
\ No newline at end of file
+}
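Review bot: The interim session added inside the `else if` of createS3Client is built from `conf` at a point where `conf.Credentials` has not been assigned (the static-credentials assignment is in the mutually exclusive branch above), so it falls back to the SDK's default credential resolution rather than anything the plugin configured; that is only acceptable because the session is used solely for the STS call, and nothing in the hunk says so. I would give it a distinct name and a comment, `stsSess, err := session.NewSession(conf) // interim session, used only for the STS call; the S3 session is created after conf.Credentials is set`, and pass `stsSess` to assumeRoleWithWebIdentity, since the same name `sess` is reused for the real S3 session in the following hunk at line 460 and a reader can easily conflate the two. Presumably `creds` is assigned to `conf.Credentials` just below this hunk before the final `session.NewSession(conf)` runs; that assignment is outside the hunk and is worth confirming, because the S3 client only gets the assumed-role credentials if it happens. createS3Client starts before this hunk and ends after it.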