
     1  /*
     2  Copyright 2018 BlackRock, Inc.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8  	http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package aws
    18  
    19  import (
    20  	"fmt"
    21  
    22  	"github.com/aws/aws-sdk-go/aws"
    23  	"github.com/aws/aws-sdk-go/aws/credentials"
    24  	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
    25  	"github.com/aws/aws-sdk-go/aws/session"
    26  	corev1 "k8s.io/api/core/v1"
    27  
    28  	"github.com/argoproj/argo-events/common"
    29  )
    30  
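// GetAWSCredFromEnvironment builds a static AWS credential from two values
// injected into the process environment via envFrom: the access key ID
// referenced by access and the secret access key referenced by secret.
//
// Both selectors are required. A nil selector is rejected here rather than
// being handed to common.GetEnvFromSecret, whose nil handling is not visible
// in this file. The returned credential is static: it is never refreshed or
// rotated for the lifetime of any session built from it.
//
// Error messages carry only the selector (secret name and key), never the
// resolved value, so they are safe to wrap and log.
func GetAWSCredFromEnvironment(access *corev1.SecretKeySelector, secret *corev1.SecretKeySelector) (*credentials.Credentials, error) {
	if access == nil {
		return nil, fmt.Errorf("access key selector is not set")
	}
	if secret == nil {
		return nil, fmt.Errorf("secret key selector is not set")
	}
	accessKey, ok := common.GetEnvFromSecret(access)
	if !ok {
		return nil, fmt.Errorf("can not find envFrom %v", access)
	}
	secretKey, ok := common.GetEnvFromSecret(secret)
	if !ok {
		return nil, fmt.Errorf("can not find envFrom %v", secret)
	}
	return credentials.NewStaticCredentialsFromCreds(credentials.Value{
		AccessKeyID:     accessKey,
		SecretAccessKey: secretKey,
	}), nil
}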
    46  
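// GetAWSCredFromVolume builds a static AWS credential from files in a mounted
// secret volume: the access key ID referenced by access, the secret access
// key referenced by secret and, optionally, a session token referenced by
// sessionToken.
//
// access and secret are required; a nil selector is rejected up front instead
// of being passed to common.GetSecretFromVolume. sessionToken may be nil, in
// which case the credential carries no token. The returned credential is
// static and is never refreshed for the lifetime of a session built from it.
//
// Errors wrap the underlying lookup failure with %w; they do not include the
// secret material itself.
func GetAWSCredFromVolume(access *corev1.SecretKeySelector, secret *corev1.SecretKeySelector, sessionToken *corev1.SecretKeySelector) (*credentials.Credentials, error) {
	if access == nil {
		return nil, fmt.Errorf("access key selector is not set")
	}
	if secret == nil {
		return nil, fmt.Errorf("secret key selector is not set")
	}

	accessKey, err := common.GetSecretFromVolume(access)
	if err != nil {
		return nil, fmt.Errorf("can not find access key, %w", err)
	}
	secretKey, err := common.GetSecretFromVolume(secret)
	if err != nil {
		return nil, fmt.Errorf("can not find secret key, %w", err)
	}

	// The session token is the only optional part of the credential.
	var token string
	if sessionToken != nil {
		token, err = common.GetSecretFromVolume(sessionToken)
		if err != nil {
			return nil, fmt.Errorf("can not find session token, %w", err)
		}
	}

	return credentials.NewStaticCredentialsFromCreds(credentials.Value{
		AccessKeyID:     accessKey,
		SecretAccessKey: secretKey,
		SessionToken:    token,
	}), nil
}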
    72  
// GetAWSSession returns a session pinned to region that authenticates with
// creds. Only Region and Credentials are set on the config; everything else
// is left to the SDK's defaults.
//
// NOTE(review): an empty region is still passed as a non-nil pointer; whether
// the SDK then falls back to AWS_REGION / shared config is not visible here —
// confirm before relying on it.
func GetAWSSession(creds *credentials.Credentials, region string) (*session.Session, error) {
	cfg := aws.NewConfig().
		WithRegion(region).
		WithCredentials(creds)
	return session.NewSession(cfg)
}
    79  
// GetAWSSessionWithoutCreds returns a session pinned to region with no
// explicit credentials, so credential resolution is left entirely to the SDK.
//
// NOTE(review): as with GetAWSSession, an empty region is passed as a
// non-nil pointer to ""; the SDK's fallback behaviour for that case is not
// visible in this file.
func GetAWSSessionWithoutCreds(region string) (*session.Session, error) {
	cfg := aws.NewConfig().WithRegion(region)
	return session.NewSession(cfg)
}
    85  
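// GetAWSAssumeRoleCreds returns a session for region whose credentials are
// obtained by assuming roleARN through STS.
//
// The base session used for the STS call is created with no explicit config,
// so it resolves credentials and region from the SDK defaults; region is
// applied only to the returned session, not to that base session. A failure
// to build the base session is returned as an error instead of panicking, so
// a misconfigured environment surfaces to the caller rather than crashing the
// event source.
//
// NOTE(review): because region is not passed to the base session, the STS
// call resolves its own region from the environment/shared config — confirm
// that is intended for deployments that do not set AWS_REGION.
func GetAWSAssumeRoleCreds(roleARN, region string) (*session.Session, error) {
	// session.Must would panic here; library code reports the error instead.
	sess, err := session.NewSession()
	if err != nil {
		return nil, fmt.Errorf("can not create base session for assuming role %s, %w", roleARN, err)
	}
	creds := stscreds.NewCredentials(sess, roleARN)
	return GetAWSSession(creds, region)
}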
    91  
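// CreateAWSSessionWithCredsInEnv returns an AWS session for region, choosing
// the credential source in this order:
//
//  1. roleARN set: assume that role via STS. accessKey and secretKey are
//     ignored even when they are also set.
//  2. neither accessKey nor secretKey set: a session with no explicit
//     credentials, leaving credential resolution to the SDK.
//  3. both set: static credentials read from the environment via envFrom.
//
// Setting exactly one of accessKey/secretKey is rejected with an explicit
// error instead of passing a nil selector down to GetAWSCredFromEnvironment,
// so a half-configured static credential fails fast with a clear message.
func CreateAWSSessionWithCredsInEnv(region string, roleARN string, accessKey *corev1.SecretKeySelector, secretKey *corev1.SecretKeySelector) (*session.Session, error) {
	if roleARN != "" {
		return GetAWSAssumeRoleCreds(roleARN, region)
	}

	if accessKey == nil && secretKey == nil {
		return GetAWSSessionWithoutCreds(region)
	}

	// Reached only when at least one selector is set; require both.
	if accessKey == nil || secretKey == nil {
		return nil, fmt.Errorf("accessKey and secretKey must be set together")
	}

	creds, err := GetAWSCredFromEnvironment(accessKey, secretKey)
	if err != nil {
		return nil, err
	}

	return GetAWSSession(creds, region)
}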
   109  
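// CreateAWSSessionWithCredsInVolume returns an AWS session for region,
// choosing the credential source in this order:
//
//  1. roleARN set: assume that role via STS. accessKey, secretKey and
//     sessionToken are ignored even when they are also set.
//  2. neither accessKey nor secretKey set: a session with no explicit
//     credentials, leaving credential resolution to the SDK.
//  3. both set: static credentials read from the mounted secret volume;
//     sessionToken is optional and only consulted in this case.
//
// Setting exactly one of accessKey/secretKey is rejected with an explicit
// error instead of passing a nil selector down to GetAWSCredFromVolume, so a
// half-configured static credential fails fast with a clear message.
func CreateAWSSessionWithCredsInVolume(region string, roleARN string, accessKey *corev1.SecretKeySelector, secretKey *corev1.SecretKeySelector, sessionToken *corev1.SecretKeySelector) (*session.Session, error) {
	if roleARN != "" {
		return GetAWSAssumeRoleCreds(roleARN, region)
	}

	if accessKey == nil && secretKey == nil {
		return GetAWSSessionWithoutCreds(region)
	}

	// Reached only when at least one selector is set; require both.
	if accessKey == nil || secretKey == nil {
		return nil, fmt.Errorf("accessKey and secretKey must be set together")
	}

	creds, err := GetAWSCredFromVolume(accessKey, secretKey, sessionToken)
	if err != nil {
		return nil, err
	}

	return GetAWSSession(creds, region)
}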