Add support for multi-tenant-temp-creds (#213)

Author: iwysiu

pkg/awsauth/auth.go

@@ -3,6 +3,7 @@ package awsauth
 import (
 	"context"
 	"fmt"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"strings"
@@ -44,8 +45,10 @@ func (rcp *awsConfigProvider) GetConfig(ctx context.Context, authSettings Settin
 	case AuthTypeDefault: // nothing else to do here
 	case AuthTypeKeys:
 		options = append(options, authSettings.WithStaticCredentials(rcp.client))
-	case AuthTypeSharedCreds, AuthTypeGrafanaAssumeRole:
+	case AuthTypeSharedCreds:
 		options = append(options, authSettings.WithSharedCredentials())
+	case AuthTypeGrafanaAssumeRole:
+		options = append(options, authSettings.WithGrafanaAssumeRole(ctx, rcp.client))
 	case AuthTypeEC2IAMRole:
 		// TODO: test this
 		options = append(options, authSettings.WithEC2RoleCredentials(rcp.client))

pkg/awsauth/settings.go

@@ -1,15 +1,17 @@
 package awsauth
 
 import (
+	"context"
 	"fmt"
-	"github.com/aws/aws-sdk-go-v2/aws/middleware"
 	"hash/fnv"
 	"net/http"
 	"os"
 	"runtime"
 	"strconv"
 	"strings"
 
+	"github.com/aws/aws-sdk-go-v2/aws/middleware"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
@@ -20,6 +22,12 @@ import (
 	"github.com/grafana/grafana-plugin-sdk-go/build"
 )
 
+const (
+	// awsTempCredsAccessKey and awsTempCredsSecretKey are the files containing the
+	awsTempCredsAccessKey = "~/tmp/aws.credentials/access-key-id"
+	awsTempCredsSecretKey = "~/tmp/aws.credentials/secret-access-key"
+)
+
 // Settings carries configuration for authenticating with AWS
 type Settings struct {
 	AuthType AuthType
@@ -104,12 +112,39 @@ func (s Settings) WithStaticCredentials(client AWSAPIClient) LoadOptionsFunc {
 
 // WithSharedCredentials returns a LoadOptionsFunc to initialize config from a credentials file
 func (s Settings) WithSharedCredentials() LoadOptionsFunc {
-	profile := s.CredentialsProfile
-	if s.GetAuthType() == AuthTypeGrafanaAssumeRole {
-		profile = "assume_role_credentials"
+	return func(options *config.LoadOptions) error {
+		options.SharedConfigProfile = s.CredentialsProfile
+		if s.CredentialsPath != "" {
+			options.SharedCredentialsFiles = []string{s.CredentialsPath}
+		}
+		return nil
 	}
+}
+
+// WithGrafanaAssumeRole returns a LoadOptionsFunc to initialize config for Grafana Assume Role
+func (s Settings) WithGrafanaAssumeRole(ctx context.Context, client AWSAPIClient) LoadOptionsFunc {
+	if IsEnabled(ctx, FlagMultiTenantTempCredentials) {
+		accessKey, err := os.ReadFile(awsTempCredsAccessKey)
+		if err != nil {
+			return func(opts *config.LoadOptions) error {
+				return err
+			}
+		}
+		secretKey, err := os.ReadFile(awsTempCredsSecretKey)
+		if err != nil {
+			return func(opts *config.LoadOptions) error {
+				return err
+			}
+		}
+		return func(opts *config.LoadOptions) error {
+			opts.Credentials = client.NewStaticCredentialsProvider(string(accessKey), string(secretKey), "")
+			return nil
+		}
+	}
+
+	// if it is running in single tenant use the credentials file
 	return func(options *config.LoadOptions) error {
-		options.SharedConfigProfile = profile
+		options.SharedConfigProfile = awsds.ProfileName
 		if s.CredentialsPath != "" {
 			options.SharedCredentialsFiles = []string{s.CredentialsPath}
 		}

pkg/awsauth/utils.go

@@ -0,0 +1,15 @@
+package awsauth
+
+import (
+	"context"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend"
+)
+
+const (
+	FlagMultiTenantTempCredentials = "multiTenantTempCredentials"
+)
+
+func IsEnabled(ctx context.Context, feature string) bool {
+	return backend.GrafanaConfigFromContext(ctx).FeatureToggles().IsEnabled(feature)
+}