@@ -296,6 +296,10 @@ func (r *DataProtectionApplicationReconciler) parseAWSSecret(secret corev1.Secre
296296 const (
297297 accessKeyKey = "aws_access_key_id"
298298 secretKeyKey = "aws_secret_access_key"
299+ // STS specific fields
300+ roleArnKey = "role_arn"
301+ webIdentityTokenFileKey = "web_identity_token_file"
302+ stsRegionalEndpointsKey = "sts_regional_endpoints"
299303 )
300304 if err != nil {
301305 return AWSAccessKey , AWSSecretKey , errors .New ("parseAWSSecret faulty regex: keyNameRegex" )
@@ -308,6 +312,19 @@ func (r *DataProtectionApplicationReconciler) parseAWSSecret(secret corev1.Secre
308312 if err != nil {
309313 return AWSAccessKey , AWSSecretKey , errors .New ("parseAWSSecret faulty regex: awsSecretKeyRegex" )
310314 }
315+ // Compile regex for STS fields
316+ roleArnRegex , err := regexp .Compile (`\b` + roleArnKey + `\b` )
317+ if err != nil {
318+ return AWSAccessKey , AWSSecretKey , errors .New ("parseAWSSecret faulty regex: roleArnRegex" )
319+ }
320+ webIdentityTokenFileRegex , err := regexp .Compile (`\b` + webIdentityTokenFileKey + `\b` )
321+ if err != nil {
322+ return AWSAccessKey , AWSSecretKey , errors .New ("parseAWSSecret faulty regex: webIdentityTokenFileRegex" )
323+ }
324+ stsRegionalEndpointsRegex , err := regexp .Compile (`\b` + stsRegionalEndpointsKey + `\b` )
325+ if err != nil {
326+ return AWSAccessKey , AWSSecretKey , errors .New ("parseAWSSecret faulty regex: stsRegionalEndpointsRegex" )
327+ }
311328 for index , line := range splitString {
312329 if line == "" {
313330 continue
@@ -325,42 +342,78 @@ func (r *DataProtectionApplicationReconciler) parseAWSSecret(secret corev1.Secre
325342 if index + 1 >= len (splitString ) {
326343 break
327344 }
345+
346+ // Check if this profile contains STS fields
347+ hasStsFields := false
328348 for _ , profLine := range splitString [index + 1 :] {
329349 if profLine == "" {
330350 continue
331351 }
332- matchedAccessKey := awsAccessKeyRegex .MatchString (profLine )
333- matchedSecretKey := awsSecretKeyRegex .MatchString (profLine )
352+ if keyNameRegex .MatchString (profLine ) {
353+ // We've reached the next profile
354+ break
355+ }
334356
335- if err != nil {
336- r .Log .Info ("Error finding access key id for the supplied AWS credential" )
337- return AWSAccessKey , AWSSecretKey , err
357+ // Check for STS-specific fields
358+ if roleArnRegex .MatchString (profLine ) ||
359+ webIdentityTokenFileRegex .MatchString (profLine ) ||
360+ stsRegionalEndpointsRegex .MatchString (profLine ) {
361+ hasStsFields = true
362+ r .Log .Info (fmt .Sprintf ("Detected STS authentication in profile %s" , matchProfile ))
363+ // For STS profiles, we return empty strings for access key and secret key
364+ // but don't error out
365+ return "" , "" , nil
338366 }
339- if matchedAccessKey { // check for access key
340- AWSAccessKey , err = r .getMatchedKeyValue (accessKeyKey , profLine )
341- if err != nil {
342- r .Log .Info ("Error processing access key id for the supplied AWS credential" )
343- return AWSAccessKey , AWSSecretKey , err
367+ }
368+
369+ // If not an STS profile, continue with normal AWS credential parsing
370+ if ! hasStsFields {
371+ for _ , profLine := range splitString [index + 1 :] {
372+ if profLine == "" {
373+ continue
344374 }
345- continue
346- } else if matchedSecretKey { // check for secret key
347- AWSSecretKey , err = r .getMatchedKeyValue (secretKeyKey , profLine )
348- if err != nil {
349- r .Log .Info ("Error processing secret key id for the supplied AWS credential" )
350- return AWSAccessKey , AWSSecretKey , err
375+ if keyNameRegex .MatchString (profLine ) {
376+ // We've reached the next profile
377+ break
378+ }
379+
380+ matchedAccessKey := awsAccessKeyRegex .MatchString (profLine )
381+ matchedSecretKey := awsSecretKeyRegex .MatchString (profLine )
382+
383+ if matchedAccessKey { // check for access key
384+ AWSAccessKey , err = r .getMatchedKeyValue (accessKeyKey , profLine )
385+ if err != nil {
386+ r .Log .Info ("Error processing access key id for the supplied AWS credential" )
387+ return AWSAccessKey , AWSSecretKey , err
388+ }
389+ continue
390+ } else if matchedSecretKey { // check for secret key
391+ AWSSecretKey , err = r .getMatchedKeyValue (secretKeyKey , profLine )
392+ if err != nil {
393+ r .Log .Info ("Error processing secret key id for the supplied AWS credential" )
394+ return AWSAccessKey , AWSSecretKey , err
395+ }
396+ continue
351397 }
352- continue
353- } else {
354- break // aws credentials file is only allowed to have profile followed by aws_access_key_id, aws_secret_access_key
355398 }
356399 }
357400 }
358401 }
359402 }
403+
360404 if profile == "" {
361405 r .Log .Info ("Error finding AWS Profile for the supplied AWS credential" )
362406 return AWSAccessKey , AWSSecretKey , errors .New ("error finding AWS Profile for the supplied AWS credential" )
363407 }
408+
409+ // If we get here and both access key and secret key are empty, it means we found the profile
410+ // but it didn't have the expected credentials or STS fields
411+ if AWSAccessKey == "" && AWSSecretKey == "" {
412+ r .Log .Info (fmt .Sprintf ("Profile %s found but no credentials or STS fields detected" , matchProfile ))
413+ return AWSAccessKey , AWSSecretKey , errors .New ("no credentials or STS fields found in profile " + matchProfile )
414+ }
415+
416+ // For regular AWS credentials, both access key and secret key must be present
364417 if AWSAccessKey == "" {
365418 r .Log .Info ("Error finding access key id for the supplied AWS credential" )
366419 return AWSAccessKey , AWSSecretKey , errors .New ("error finding access key id for the supplied AWS credential" )
0 commit comments