drone-plugins · jtallinger · Jun 26, 2024
diff --git a/.gitignore b/.gitignore
@@ -23,8 +23,10 @@ _testmain.go
 *.test
 *.prof
 
+.idea/
 release/
 vendor/
 
 coverage.out
 drone-s3
+dockerfile
diff --git a/plugin.go b/plugin.go
@@ -99,7 +99,7 @@ type Plugin struct {
 	// set externalID for assume role
 	ExternalID string
 
-	// set OIDC ID Token to retrieve temporary credentials 
+	// set OIDC ID Token to retrieve temporary credentials
 	IdToken string
 }
 
@@ -441,14 +441,14 @@ func (p *Plugin) createS3Client() *s3.S3 {
         S3ForcePathStyle: aws.Bool(p.PathStyle),
     }
 
-    sess, err := session.NewSession(conf)
-    if err != nil {
-        log.Fatalf("failed to create AWS session: %v", err)
-    }
-
     if p.Key != "" && p.Secret != "" {
         conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
     } else if p.IdToken != "" && p.AssumeRole != "" {
+        sess, err := session.NewSession(conf)
+        if err != nil {
+            log.Fatalf("failed to create interim AWS session to assume role with web identity: %v", err)
+        }
+
         creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
         if err != nil {
             log.Fatalf("failed to assume role with web identity: %v", err)
@@ -460,6 +460,11 @@ func (p *Plugin) createS3Client() *s3.S3 {
         log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
     }
 
+    sess, err := session.NewSession(conf)
+    if err != nil {
+        log.Fatalf("failed to create AWS session: %v", err)
+    }
+
     client := s3.New(sess, conf)
 
     if len(p.UserRoleArn) > 0 {
@@ -485,4 +490,4 @@ func assumeRoleWithWebIdentity(sess *session.Session, roleArn, roleSessionName,
         log.Fatalf("failed to assume role with web identity: %v", err)
     }
     return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
-}
+}