[RFC-0010] Add aws auth library

auth/aws/credentials_provider.go

@@ -0,0 +1,59 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+
+	"github.com/fluxcd/pkg/auth"
+)
+
+type credentialsProvider struct {
+	ctx  context.Context
+	opts []auth.Option
+}
+
+// NewCredentialsProvider creates a new credentials provider for the given options.
+func NewCredentialsProvider(ctx context.Context, opts ...auth.Option) aws.CredentialsProvider {
+	return &credentialsProvider{ctx, opts}
+}
+
+// Retrieve implements aws.CredentialsProvider.
+// The context is ignored, use the constructor to set the context.
+// This is because some callers of the library pass context.Background()
+// when calling this method, so to ensure we have a real context we pass
+// it in the constructor.
+func (c *credentialsProvider) Retrieve(context.Context) (aws.Credentials, error) {
+	token, err := auth.GetToken(c.ctx, Provider{}, c.opts...)
+	if err != nil {
+		return aws.Credentials{}, err
+	}
+	awsToken, ok := token.(*Token)
+	if !ok {
+		return aws.Credentials{}, fmt.Errorf("failed to cast token to AWS token: %T", token)
+	}
+	return aws.Credentials{
+		AccessKeyID:     *awsToken.AccessKeyId,
+		SecretAccessKey: *awsToken.SecretAccessKey,
+		SessionToken:    *awsToken.SessionToken,
+		Expires:         *awsToken.Expiration,
+		CanExpire:       true,
+	}, nil
+}

auth/aws/options.go

@@ -0,0 +1,66 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+func getRegion() string {
+	// The AWS_REGION is usually automatically set in EKS clusters.
+	// If not set users can set it manually (e.g. Fargate).
+	return os.Getenv("AWS_REGION")
+}
+
+const roleARNPattern = `^arn:aws:iam::[0-9]{1,30}:role/.{1,200}$`
+
+var roleARNRegex = regexp.MustCompile(roleARNPattern)
+
+func getRoleARN(serviceAccount corev1.ServiceAccount) (string, error) {
+	arn := serviceAccount.Annotations["eks.amazonaws.com/role-arn"]
+	if !roleARNRegex.MatchString(arn) {
+		return "", fmt.Errorf("invalid AWS role ARN: '%s'. must match %s",
+			arn, roleARNPattern)
+	}
+	return arn, nil
+}
+
+func getRoleSessionName(serviceAccount corev1.ServiceAccount) string {
+	name := serviceAccount.Name
+	namespace := serviceAccount.Namespace
+	region := getRegion()
+	return fmt.Sprintf("%s.%s.%s.fluxcd.io", name, namespace, region)
+}
+
+// This regex is sourced from the AWS ECR Credential Helper (https://github.com/awslabs/amazon-ecr-credential-helper).
+// It covers both public AWS partitions like amazonaws.com, China partitions like amazonaws.com.cn, and non-public partitions.
+var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)`)
+
+// ParseRegistry returns the AWS account ID and region and `true` if
+// the image registry/repository is hosted in AWS's Elastic Container Registry,
+// otherwise empty strings and `false`.
+func ParseRegistry(registry string) (accountId, awsEcrRegion string, ok bool) {
+	registryParts := registryPartRe.FindAllStringSubmatch(registry, -1)
+	if len(registryParts) < 1 || len(registryParts[0]) < 3 {
+		return "", "", false
+	}
+	return registryParts[0][1], registryParts[0][2], true
+}

auth/aws/options_test.go

@@ -0,0 +1,115 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+
+	"github.com/fluxcd/pkg/auth/aws"
+)
+
+func TestParseRegistry(t *testing.T) {
+	tests := []struct {
+		registry      string
+		wantAccountID string
+		wantRegion    string
+		wantOK        bool
+	}{
+		{
+			registry:      "012345678901.dkr.ecr.us-east-1.amazonaws.com/foo:v1",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-east-1",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr.us-east-1.amazonaws.com/foo",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-east-1",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr.us-east-1.amazonaws.com",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-east-1",
+			wantOK:        true,
+		},
+		{
+			registry:      "https://012345678901.dkr.ecr.us-east-1.amazonaws.com/v2/part/part",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-east-1",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr.cn-north-1.amazonaws.com.cn/foo",
+			wantAccountID: "012345678901",
+			wantRegion:    "cn-north-1",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr-fips.us-gov-west-1.amazonaws.com",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-gov-west-1",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr.us-secret-region.sc2s.sgov.gov",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-secret-region",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr-fips.us-ts-region.c2s.ic.gov",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-ts-region",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr.uk-region.cloud.adc-e.uk",
+			wantAccountID: "012345678901",
+			wantRegion:    "uk-region",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr.us-ts-region.csp.hci.ic.gov",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-ts-region",
+			wantOK:        true,
+		},
+		// TODO: Fix: this invalid registry is allowed by the regex.
+		// {
+		// 	registry: ".dkr.ecr.error.amazonaws.com",
+		// 	wantOK:   false,
+		// },
+		{
+			registry: "gcr.io/foo/bar:baz",
+			wantOK:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.registry, func(t *testing.T) {
+			g := NewWithT(t)
+
+			accId, region, ok := aws.ParseRegistry(tt.registry)
+			g.Expect(ok).To(Equal(tt.wantOK), "unexpected OK")
+			g.Expect(accId).To(Equal(tt.wantAccountID), "unexpected account IDs")
+			g.Expect(region).To(Equal(tt.wantRegion), "unexpected regions")
+		})
+	}
+}