fixup! [RFC-0010] Add multi-tenant workload identity support for AWS Bucket

cappyzawa · cappyzawa · commit ef755b2d1c58 · 2025-08-14T15:51:47.000+09:00
Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/docs/spec/v1/buckets.md b/docs/spec/v1/buckets.md
@@ -268,24 +268,6 @@ data:
   secretkey: <BASE64>
 ```
 
-##### AWS Controller-Level Workload Identity example
-
-```yaml
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: Bucket
-metadata:
-  name: aws-controller-level-workload-identity
-  namespace: default
-spec:
-  interval: 5m0s
-  provider: aws
-  bucketName: podinfo
-  endpoint: s3.amazonaws.com
-  region: us-east-1
-  timeout: 30s
-```
-
 ##### AWS Object-Level Workload Identity example
 
 **Note:** To use Object-Level Workload Identity (`.spec.serviceAccountName` with 
diff --git a/internal/bucket/minio/minio.go b/internal/bucket/minio/minio.go
@@ -116,7 +116,7 @@ func NewClient(ctx context.Context, bucket *sourcev1.Bucket, opts ...Option) (*M
 	case o.secret != nil:
 		minioOpts.Creds = newCredsFromSecret(o.secret)
 	case bucketProvider == sourcev1.BucketProviderAmazon:
-		creds, err := newAWSCreds(ctx, &o)
+		creds, err := newAWSCreds(ctx, bucket, &o)
 		if err != nil {
 			return nil, err
 		}
@@ -177,27 +177,45 @@ func newCredsFromSecret(secret *corev1.Secret) *credentials.Credentials {
 //
 // This function is only called when Secret authentication is not available.
 //
-// Uses AWS SDK's config.LoadDefaultConfig() which supports:
-// - Workload Identity (IRSA/EKS Pod Identity)
-// - EC2 instance profiles
-// - Environment variables
-// - Shared credentials files
-// - All other AWS SDK authentication methods
-func newAWSCreds(ctx context.Context, o *options) (*credentials.Credentials, error) {
+// Authentication priority order:
+// 1. Object Level Workload Identity (if serviceAccountName is specified)
+// 2. AWS credential chain (EC2 instance profiles, environment variables, etc.)
+func newAWSCreds(ctx context.Context, bucket *sourcev1.Bucket, o *options) (*credentials.Credentials, error) {
 	var opts auth.Options
 	opts.Apply(o.authOpts...)
 
-	awsCredsProvider := awsauth.NewCredentialsProvider(ctx, o.authOpts...)
-	awsCreds, err := awsCredsProvider.Retrieve(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("AWS authentication failed: %w", err)
+	// 1. Try Object Level Workload Identity if serviceAccountName is specified
+	if opts.ServiceAccount != nil {
+		awsCredsProvider := awsauth.NewCredentialsProvider(ctx, o.authOpts...)
+		awsCreds, err := awsCredsProvider.Retrieve(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("Object Level Workload Identity authentication failed: %w", err)
+		}
+
+		return credentials.NewStaticV4(
+			awsCreds.AccessKeyID,
+			awsCreds.SecretAccessKey,
+			awsCreds.SessionToken,
+		), nil
 	}
 
-	return credentials.NewStaticV4(
-		awsCreds.AccessKeyID,
-		awsCreds.SecretAccessKey,
-		awsCreds.SessionToken,
-	), nil
+	// 2. AWS credential chain
+	stsEndpoint := ""
+	if sts := bucket.Spec.STS; sts != nil {
+		stsEndpoint = sts.Endpoint
+	}
+
+	if o.proxyURL != nil {
+		transport := http.DefaultTransport.(*http.Transport).Clone()
+		transport.Proxy = http.ProxyURL(o.proxyURL)
+		client := &http.Client{Transport: transport}
+		return credentials.New(&credentials.IAM{
+			Client:   client,
+			Endpoint: stsEndpoint,
+		}), nil
+	} else {
+		return credentials.NewIAM(stsEndpoint), nil
+	}
 }
 
 // newGenericCreds creates a new Minio credentials object for the `generic` bucket provider.
diff --git a/internal/bucket/minio/minio_test.go b/internal/bucket/minio/minio_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/json"
 	"encoding/xml"
 	"errors"
 	"fmt"
@@ -249,8 +250,8 @@ func TestNewClientAWSProvider(t *testing.T) {
 	t.Run("without secret", func(t *testing.T) {
 		bucket := bucketStub(bucketAwsProvider, testMinioAddress)
 		minioClient, err := NewClient(ctx, bucket)
-		assert.ErrorContains(t, err, "AWS authentication failed")
-		assert.Assert(t, minioClient == nil)
+		assert.NilError(t, err)
+		assert.Assert(t, minioClient != nil)
 	})
 }
 
@@ -274,8 +275,43 @@ func TestFGetObject(t *testing.T) {
 }
 
 func TestNewClientAndFGetObjectWithSTSEndpoint(t *testing.T) {
+	// start a mock AWS STS server
+	awsSTSListener, awsSTSAddr, awsSTSPort := testlistener.New(t)
+	awsSTSEndpoint := fmt.Sprintf("http://%s", awsSTSAddr)
+	awsSTSHandler := http.NewServeMux()
+	awsSTSHandler.HandleFunc("PUT "+credentials.TokenPath,
+		func(w http.ResponseWriter, r *http.Request) {
+			_, err := w.Write([]byte("mock-token"))
+			assert.NilError(t, err)
+		})
+	awsSTSHandler.HandleFunc("GET "+credentials.DefaultIAMSecurityCredsPath,
+		func(w http.ResponseWriter, r *http.Request) {
+			token := r.Header.Get(credentials.TokenRequestHeader)
+			assert.Equal(t, token, "mock-token")
+			_, err := w.Write([]byte("mock-role"))
+			assert.NilError(t, err)
+		})
 	var credsRetrieved bool
 
+	awsSTSHandler.HandleFunc("GET "+credentials.DefaultIAMSecurityCredsPath+"mock-role",
+		func(w http.ResponseWriter, r *http.Request) {
+			token := r.Header.Get(credentials.TokenRequestHeader)
+			assert.Equal(t, token, "mock-token")
+			err := json.NewEncoder(w).Encode(map[string]any{
+				"Code":            "Success",
+				"AccessKeyID":     testMinioRootUser,
+				"SecretAccessKey": testMinioRootPassword,
+			})
+			assert.NilError(t, err)
+			credsRetrieved = true
+		})
+	awsSTSServer := &http.Server{
+		Addr:    awsSTSAddr,
+		Handler: awsSTSHandler,
+	}
+	go awsSTSServer.Serve(awsSTSListener)
+	defer awsSTSServer.Shutdown(context.Background())
+
 	// start a mock LDAP STS server
 	ldapSTSListener, ldapSTSAddr, ldapSTSPort := testlistener.New(t)
 	ldapSTSEndpoint := fmt.Sprintf("https://%s", ldapSTSAddr)
@@ -315,6 +351,42 @@ func TestNewClientAndFGetObjectWithSTSEndpoint(t *testing.T) {
 		ldapPassword string
 		err          string
 	}{
+		{
+			name:     "with correct aws endpoint",
+			provider: "aws",
+			stsSpec: &sourcev1.BucketSTSSpec{
+				Provider: "aws",
+				Endpoint: awsSTSEndpoint,
+			},
+		},
+		{
+			name:     "with incorrect aws endpoint",
+			provider: "aws",
+			stsSpec: &sourcev1.BucketSTSSpec{
+				Provider: "aws",
+				Endpoint: fmt.Sprintf("http://localhost:%d", awsSTSPort+1),
+			},
+			err: "connection refused",
+		},
+		{
+			name:     "with correct aws endpoint and proxy",
+			provider: "aws",
+			stsSpec: &sourcev1.BucketSTSSpec{
+				Provider: "aws",
+				Endpoint: awsSTSEndpoint,
+			},
+			opts: []Option{WithProxyURL(&url.URL{Scheme: "http", Host: proxyAddr})},
+		},
+		{
+			name:     "with correct aws endpoint and incorrect proxy",
+			provider: "aws",
+			stsSpec: &sourcev1.BucketSTSSpec{
+				Provider: "aws",
+				Endpoint: awsSTSEndpoint,
+			},
+			opts: []Option{WithProxyURL(&url.URL{Scheme: "http", Host: fmt.Sprintf("localhost:%d", proxyPort+1)})},
+			err:  "connection refused",
+		},
 		{
 			name:     "with correct ldap endpoint",
 			provider: "generic",
