Commit eba046d3 by Will Browne Committed by GitHub

Auth: Enable more complete credential chain for SigV4 default SDK auth option (#29065)

* Force more complete credential chain for default auth option

* simplify

* allow assume role for default
parent cb62e699
...@@ -11,7 +11,6 @@ import ( ...@@ -11,7 +11,6 @@ import (
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/defaults"
"github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/session"
v4 "github.com/aws/aws-sdk-go/aws/signer/v4" v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
"github.com/aws/aws-sdk-go/private/protocol/rest" "github.com/aws/aws-sdk-go/private/protocol/rest"
...@@ -90,12 +89,33 @@ func (m *SigV4Middleware) signRequest(req *http.Request) (http.Header, error) { ...@@ -90,12 +89,33 @@ func (m *SigV4Middleware) signRequest(req *http.Request) (http.Header, error) {
} }
func (m *SigV4Middleware) signer() (*v4.Signer, error) { func (m *SigV4Middleware) signer() (*v4.Signer, error) {
c, err := m.credentials() authType := AuthType(m.Config.AuthType)
var c *credentials.Credentials
switch authType {
case Keys:
c = credentials.NewStaticCredentials(m.Config.AccessKey, m.Config.SecretKey, "")
case Credentials:
c = credentials.NewSharedCredentials("", m.Config.Profile)
}
// passing nil credentials will force AWS to allow a more complete credential chain vs the explicit default
if c == nil {
s, err := session.NewSession(&aws.Config{
Region: aws.String(m.Config.Region),
})
if err != nil { if err != nil {
return nil, err return nil, err
} }
if m.Config.AssumeRoleARN != "" { if m.Config.AssumeRoleARN != "" {
return v4.NewSigner(stscreds.NewCredentials(s, m.Config.AssumeRoleARN)), nil
}
return v4.NewSigner(s.Config.Credentials), nil
}
if m.Config.AssumeRoleARN != "" {
s, err := session.NewSession(&aws.Config{ s, err := session.NewSession(&aws.Config{
Region: aws.String(m.Config.Region), Region: aws.String(m.Config.Region),
Credentials: c}, Credentials: c},
...@@ -109,21 +129,6 @@ func (m *SigV4Middleware) signer() (*v4.Signer, error) { ...@@ -109,21 +129,6 @@ func (m *SigV4Middleware) signer() (*v4.Signer, error) {
return v4.NewSigner(c), nil return v4.NewSigner(c), nil
} }
func (m *SigV4Middleware) credentials() (*credentials.Credentials, error) {
authType := AuthType(m.Config.AuthType)
switch authType {
case Default:
return defaults.CredChain(defaults.Config(), defaults.Handlers()), nil
case Keys:
return credentials.NewStaticCredentials(m.Config.AccessKey, m.Config.SecretKey, ""), nil
case Credentials:
return credentials.NewSharedCredentials("", m.Config.Profile), nil
}
return nil, fmt.Errorf("unrecognized authType: %s", authType)
}
func replaceBody(req *http.Request) ([]byte, error) { func replaceBody(req *http.Request) ([]byte, error) {
if req.Body == nil { if req.Body == nil {
return []byte{}, nil return []byte{}, nil
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment