Commit dbda5aec by Patrik Karlström Committed by GitHub

cloudwatch: Replicate SDK behaviour for WebIdentityRole (#21594)

* Replicate SDK behaviour for WebIdentityRole

Fix #20473

* Use WebIdentityRole in s3 uploader as well

* Use consistent casing

* Use WebIdentityRole to assume another role

Co-authored-by: eV <ev@7pr.xyz>
parent 431f454d
......@@ -10,10 +10,12 @@ import (
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/defaults"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3/s3manager"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/util"
)
......@@ -57,6 +59,7 @@ func (u *S3Uploader) Upload(ctx context.Context, imageDiskPath string) (string,
}},
&credentials.EnvProvider{},
remoteCredProvider(sess),
webIdentityProvider(sess),
})
cfg := &aws.Config{
Region: aws.String(u.region),
......@@ -96,6 +99,15 @@ func (u *S3Uploader) Upload(ctx context.Context, imageDiskPath string) (string,
return result.Location, nil
}
func webIdentityProvider(sess *session.Session) credentials.Provider {
svc := sts.New(sess)
roleARN := os.Getenv("AWS_ROLE_ARN")
tokenFilepath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
return stscreds.NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, tokenFilepath)
}
func remoteCredProvider(sess *session.Session) credentials.Provider {
ecsCredURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
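Review bot: `webIdentityProvider` builds the STS web-identity provider unconditionally, so when `AWS_ROLE_ARN` or `AWS_WEB_IDENTITY_TOKEN_FILE` is unset the chain in `Upload` still ends with a provider holding an empty role ARN and token path; a miss in the preceding providers will then presumably fall through to an attempt to read an empty token path, and that error becomes what callers see as the chain's failure. Consider appending the provider only when both variables are non-empty, for instance by having the helper return `(credentials.Provider, bool)` and building the provider slice conditionally, so behaviour and error text for deployments without web identity stay as before. The new function also lacks a doc comment; suggest `// webIdentityProvider returns an STS AssumeRoleWithWebIdentity credentials provider configured from the AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE and optional AWS_ROLE_SESSION_NAME environment variables.` Calling the session name optional is worth stating because it is the value that identifies the assumed-role session in STS and CloudTrail audit records; if it is empty the SDK presumably generates one, which should be confirmed against the SDK version in go.mod. The identical copy of this function in the cloudwatch credentials file's last hunk has the same issues.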
......@@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/defaults"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/request"
......@@ -60,6 +61,7 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
&credentials.EnvProvider{},
&credentials.SharedCredentialsProvider{Filename: "", Profile: dsInfo.Profile},
remoteCredProvider(stsSess),
webIdentityProvider(stsSess),
})
stsConfig := &aws.Config{
Region: aws.String(dsInfo.Region),
......@@ -105,6 +107,7 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
}},
&credentials.SharedCredentialsProvider{Filename: "", Profile: dsInfo.Profile},
remoteCredProvider(sess),
webIdentityProvider(sess),
})
credentialCacheLock.Lock()
......@@ -117,6 +120,15 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) {
return creds, nil
}
func webIdentityProvider(sess *session.Session) credentials.Provider {
svc := sts.New(sess)
roleARN := os.Getenv("AWS_ROLE_ARN")
tokenFilepath := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
return stscreds.NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, tokenFilepath)
}
func remoteCredProvider(sess *session.Session) credentials.Provider {
ecsCredURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
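Review bot: In all three chains touched by this commit `webIdentityProvider` is appended after `remoteCredProvider`, so on a host that has both an instance profile (or container credentials) and the web-identity environment variables, the instance or container role wins; as far as I recall the SDK's own session resolver consults the web-identity token before falling back to the remote providers, so if the title's "replicate SDK behaviour" is the goal, placing `webIdentityProvider(stsSess)` and `webIdentityProvider(sess)` ahead of the `remoteCredProvider` entries is worth considering, and the precedence should be stated in a comment either way since it decides which IAM principal the datasource acts as. `webIdentityProvider` and `remoteCredProvider` are now copied verbatim into both this file and the S3 uploader; a single shared helper would keep the two credential chains from drifting apart. `GetCredentials` begins and ends outside this hunk.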