From b9076d6b58e65d9e5d6d9b62cf7be516c7c635a2 Mon Sep 17 00:00:00 2001
From: Tianyi Wang
Date: Mon, 11 Dec 2023 15:57:00 -0500
Subject: [PATCH 1/2] Insert LoadOptions into cred chain switch
---
 config/resolve_credentials.go | 24 ++++++++++++++++++++++++
 config/resolve_web_identity_test.go | 28 ++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/config/resolve_credentials.go b/config/resolve_credentials.go
index 89368520f3f..d3fffab9d3f 100644
--- a/config/resolve_credentials.go
+++ b/config/resolve_credentials.go
@@ -110,7 +110,11 @@ func resolveCredentialChain(ctx context.Context, cfg *aws.Config, configs config
 return err
 }
 
+ loadOptions := getLoadOptions(other)
+
 switch {
+ case loadOptions.WebIdentityRoleCredentialOptions != nil:
+ err = assumeWebIdentity(ctx, cfg, "WebIdTokenFilePathPlaceHolder", "RoleARNFPlaceHolder", "RoleSessionNamePlaceHolder", configs)
 case sharedProfileSet:
 err = resolveCredsFromProfile(ctx, cfg, envConfig, sharedConfig, other)
 case envConfig.Credentials.HasKeys():
@@ -182,6 +186,26 @@ func resolveCredsFromProfile(ctx context.Context, cfg *aws.Config, envConfig *En
 return nil
 }
 
+func getLoadOptions(cfgs configs) (loadOptions *LoadOptions) {
+ for _, cfg := range cfgs {
+ switch c := cfg.(type) {
+ case LoadOptions:
+ if loadOptions == nil {
+ loadOptions = &c
+ }
+ case *LoadOptions:
+ if loadOptions == nil {
+ loadOptions = c
+ }
+ default:
+ }
+ }
+ if loadOptions == nil {
+ loadOptions = &LoadOptions{}
+ }
+ return
+}
+
 func resolveSSOCredentials(ctx context.Context, cfg *aws.Config, sharedConfig *SharedConfig, configs configs) error {
 if err := sharedConfig.validateSSOConfiguration(); err != nil {
 return err
diff --git a/config/resolve_web_identity_test.go b/config/resolve_web_identity_test.go
index 895cdbf5eff..b267a79fb97 100644
--- a/config/resolve_web_identity_test.go
+++ b/config/resolve_web_identity_test.go
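Review bot: The new `case loadOptions.WebIdentityRoleCredentialOptions != nil:` hands `assumeWebIdentity` three literal placeholders (`"WebIdTokenFilePathPlaceHolder"`, `"RoleARNFPlaceHolder"`, `"RoleSessionNamePlaceHolder"`) and relies on the caller's option function to overwrite every one of them, with nothing in this hunk checking that it did. If an option function sets only the token retriever, the placeholder role ARN is what goes into the AssumeRoleWithWebIdentity request (assumeWebIdentity's body is outside the hunk, so whether it validates these is not visible here), so a check that RoleARN and TokenRetriever were supplied, returning a descriptive error otherwise, would fail closed instead of letting STS reject an obviously bogus ARN. The case is also placed ahead of `sharedProfileSet` and `envConfig.Credentials.HasKeys()`, so setting WithWebIdentityRoleCredentialOptions now wins over every other credential source; if that option was previously applied as a customization on top of profile- or environment-derived web identity settings, callers who set it for that purpose will now be routed through the placeholder path, which deserves a comment on the case such as `// LoadOptions-supplied web identity options take precedence over profile and environment credentials` and a mention in the changelog. `"RoleARNFPlaceHolder"` also looks like a typo for `"RoleARNPlaceHolder"`. resolveCredentialChain begins and ends outside the hunk.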
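Review bot: `getLoadOptions` has no doc comment, and its first-match-wins rule is expressed through a nil check repeated in each case plus an empty `default:` clause, which hides the intent; returning from inside the switch states it directly and removes the need for the named result. A nil `*LoadOptions` element is currently stored and then silently replaced by the empty value at the end, so the rewrite below preserves that by skipping nil pointers. A doc comment such as `// getLoadOptions returns the first LoadOptions found in cfgs (by value or pointer), or an empty LoadOptions when none is present, so callers can nil-check its fields.` would also tell the reader why the function never returns nil.
```go
// getLoadOptions returns the first LoadOptions found in cfgs (by value or
// pointer), or an empty LoadOptions when none is present, so callers can
// nil-check its fields without guarding the result itself.
func getLoadOptions(cfgs configs) *LoadOptions {
	for _, cfg := range cfgs {
		switch c := cfg.(type) {
		case LoadOptions:
			return &c
		case *LoadOptions:
			// A nil pointer is treated as "not supplied", as before.
			if c != nil {
				return c
			}
		}
	}
	return &LoadOptions{}
}
```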
@@ -2,7 +2,9 @@ package config
 
 import (
 "context"
+ "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+ "github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 "github.com/aws/aws-sdk-go-v2/internal/awstesting"
 "os"
 "path/filepath"
@@ -56,4 +58,30 @@ func TestResolveWebIdentityWithOptions(t *testing.T) {
 t.Fatalf("expected profile parsing error, got %v", err)
 }
 })
+
+ t.Run("token supplied directly from loadOptions", func(t *testing.T) {
+ restoreEnv := initConfigTestEnv()
+ defer awstesting.PopEnv(restoreEnv)
+
+ var tokenFile = filepath.Join("testdata", "wit.txt")
+ os.Setenv("AWS_REGION", "us-east-1")
+
+ config, err := LoadDefaultConfig(context.Background(),
+ WithEC2IMDSClientEnableState(imds.ClientDisabled),
+ WithWebIdentityRoleCredentialOptions(func(options *stscreds.WebIdentityRoleOptions) {
+ options.TokenRetriever = stscreds.IdentityTokenFile(tokenFile)
+ options.RoleARN = "test-arn"
+ options.RoleSessionName = "test-session"
+ }),
+ )
+
+ if err != nil {
+ t.Fatalf("expect no error, got %v", err)
+ }
+
+ target := stscreds.WebIdentityRoleProvider{}
+ if !aws.IsCredentialsProvider(config.Credentials, &target) {
+ t.Fatalf("expected type %T", target)
+ }
+ })
 }
From 6041fdf4781ef517367bf99b6a648d97aee2c5e7 Mon Sep 17 00:00:00 2001
From: Tianyi Wang
Date: Mon, 11 Dec 2023 16:00:14 -0500
Subject: [PATCH 2/2] Add changelog
---
 .changelog/ade6f215447f4db38352c773474788a4.json | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .changelog/ade6f215447f4db38352c773474788a4.json
diff --git a/.changelog/ade6f215447f4db38352c773474788a4.json b/.changelog/ade6f215447f4db38352c773474788a4.json
new file mode 100644
index 00000000000..e13af2a0e72
--- /dev/null
+++ b/.changelog/ade6f215447f4db38352c773474788a4.json
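Review bot: The new subtest only checks the provider's type via `aws.IsCredentialsProvider`, so it would still pass if the `"test-arn"`, `"test-session"` and token-file values it sets were dropped and the placeholder values from resolveCredentialChain reached the provider; asserting on what the provider actually sends or retrieves (for instance through a stubbed STS HTTP client, if other tests in this package already use one) would pin the behaviour the commit is adding. The return value of `os.Setenv("AWS_REGION", "us-east-1")` is ignored; the surrounding initConfigTestEnv/PopEnv pattern restores the variable, but `t.Setenv("AWS_REGION", "us-east-1")` reports the error and handles restoration itself. `var tokenFile = ...` next to `:=` declarations is an inconsistent style; `tokenFile := filepath.Join("testdata", "wit.txt")` matches the rest of the subtest. TestResolveWebIdentityWithOptions begins outside the hunk.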
@@ -0,0 +1,8 @@
+{
+ "id": "ade6f215-447f-4db3-8352-c773474788a4",
+ "type": "bugfix",
+ "description": "Insert LoadOptions into cred chain switch to enable directly loading web identity role",
+ "modules": [
+ "config"
+ ]
+}
\ No newline at end of file