internal/boxcli: add devbox cache credentials (#1960)

gcurtis · web-flow · commit cd883bfb6166 · 2024-04-08T10:39:04.000-07:00
The `devbox cache credentials` subcommand prints out short-lived AWS STS
credentials that grant access to the user's Nix cache.

The output follows the format described in `aws help config-vars` under
`Sourcing Credentials From External Processes`. This allows the AWS
CLI/SDKs to obtain credentials from Devbox. For example:

	[default]
	credential_process = /usr/local/bin/devbox cache credentials

Because Nix uses the AWS SDK's default credential chain, this allows it
to automatically authenticate with private Devbox caches.

Note: this can be improved by using the newer credentials-only API
endpoint, which is faster.
diff --git a/internal/boxcli/cache.go b/internal/boxcli/cache.go
@@ -4,11 +4,14 @@
 package boxcli
 
 import (
+	"encoding/json"
+
 	"github.com/MakeNowJust/heredoc/v2"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"go.jetpack.io/devbox/internal/devbox"
 	"go.jetpack.io/devbox/internal/devbox/devopt"
+	"go.jetpack.io/devbox/internal/devbox/providers/nixcache"
 )
 
 type cacheFlags struct {
@@ -58,7 +61,41 @@ func cacheCmd() *cobra.Command {
 		&flags.to, "to", "", "URI of the cache to copy to")
 
 	cacheCommand.AddCommand(uploadCommand)
+	cacheCommand.AddCommand(cacheCredentialsCmd())
 	cacheCommand.Hidden = true
 
 	return cacheCommand
 }
+
+func cacheCredentialsCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:    "credentials",
+		Short:  "Output S3 cache credentials",
+		Hidden: true,
+		Args:   cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, err := nixcache.Get().Config(cmd.Context())
+			if err != nil {
+				return err
+			}
+
+			creds := struct {
+				Version         int    `json:"Version"`
+				AccessKeyID     string `json:"AccessKeyId"`
+				SecretAccessKey string `json:"SecretAccessKey"`
+				SessionToken    string `json:"SessionToken"`
+			}{
+				Version:         1,
+				AccessKeyID:     *cfg.Credentials.AccessKeyId,
+				SecretAccessKey: *cfg.Credentials.SecretKey,
+				SessionToken:    *cfg.Credentials.SessionToken,
+			}
+			out, err := json.Marshal(creds)
+			if err != nil {
+				return err
+			}
+			_, _ = cmd.OutOrStdout().Write(out)
+			return nil
+		},
+	}
+}
