From 79c9ac1f01e9006f9f8bb85b8153638e147d0b92 Mon Sep 17 00:00:00 2001 From: Seth Jennings Date: Wed, 11 Aug 2021 16:17:47 -0500 Subject: [PATCH] legacy-cloud-providers: aws: Add support for consuming web identity credentials --- .../k8s.io/legacy-cloud-providers/aws/aws.go | 58 +++++++++++-------- 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go b/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go index 0ba278fcefe..d21e2cd7d44 100644 --- a/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go +++ b/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go @@ -35,7 +35,6 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/credentials" - "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/ec2metadata" "github.com/aws/aws-sdk-go/aws/endpoints" @@ -821,8 +820,11 @@ func (p *awsSDKProvider) Compute(regionName string) (EC2, error) { } awsConfig = awsConfig.WithCredentialsChainVerboseErrors(true). WithEndpointResolver(p.cfg.getResolver()) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *awsConfig, + SharedConfigState: session.SharedConfigEnable, + }) - sess, err := session.NewSession(awsConfig) if err != nil { return nil, fmt.Errorf("unable to initialize AWS session: %v", err) } @@ -843,8 +845,10 @@ func (p *awsSDKProvider) LoadBalancing(regionName string) (ELB, error) { } awsConfig = awsConfig.WithCredentialsChainVerboseErrors(true). WithEndpointResolver(p.cfg.getResolver()) - - sess, err := session.NewSession(awsConfig) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *awsConfig, + SharedConfigState: session.SharedConfigEnable, + }) if err != nil { return nil, fmt.Errorf("unable to initialize AWS session: %v", err) } @@ -861,8 +865,10 @@ func (p *awsSDKProvider) LoadBalancingV2(regionName string) (ELBV2, error) { } awsConfig = awsConfig.WithCredentialsChainVerboseErrors(true). WithEndpointResolver(p.cfg.getResolver()) - - sess, err := session.NewSession(awsConfig) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *awsConfig, + SharedConfigState: session.SharedConfigEnable, + }) if err != nil { return nil, fmt.Errorf("unable to initialize AWS session: %v", err) } @@ -880,8 +886,10 @@ func (p *awsSDKProvider) Autoscaling(regionName string) (ASG, error) { } awsConfig = awsConfig.WithCredentialsChainVerboseErrors(true). WithEndpointResolver(p.cfg.getResolver()) - - sess, err := session.NewSession(awsConfig) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *awsConfig, + SharedConfigState: session.SharedConfigEnable, + }) if err != nil { return nil, fmt.Errorf("unable to initialize AWS session: %v", err) } @@ -911,8 +919,10 @@ func (p *awsSDKProvider) KeyManagement(regionName string) (KMS, error) { } awsConfig = awsConfig.WithCredentialsChainVerboseErrors(true). WithEndpointResolver(p.cfg.getResolver()) - - sess, err := session.NewSession(awsConfig) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: *awsConfig, + SharedConfigState: session.SharedConfigEnable, + }) if err != nil { return nil, fmt.Errorf("unable to initialize AWS session: %v", err) } @@ -1170,30 +1180,28 @@ func init() { return nil, fmt.Errorf("unable to validate custom endpoint overrides: %v", err) } - sess, err := session.NewSession(&aws.Config{}) + sess, err := session.NewSessionWithOptions(session.Options{ + Config: aws.Config{}, + SharedConfigState: session.SharedConfigEnable, + }) if err != nil { return nil, fmt.Errorf("unable to initialize AWS session: %v", err) } - var provider credentials.Provider - if cfg.Global.RoleARN == "" { - provider = &ec2rolecreds.EC2RoleProvider{ - Client: ec2metadata.New(sess), - } - } else { + var creds *credentials.Credentials + if cfg.Global.RoleARN != "" { klog.Infof("Using AWS assumed role %v", cfg.Global.RoleARN) - provider = &stscreds.AssumeRoleProvider{ + provider := &stscreds.AssumeRoleProvider{ Client: sts.New(sess), RoleARN: cfg.Global.RoleARN, } - } - creds := credentials.NewChainCredentials( - []credentials.Provider{ - &credentials.EnvProvider{}, - provider, - &credentials.SharedCredentialsProvider{}, - }) + creds = credentials.NewChainCredentials( + []credentials.Provider{ + &credentials.EnvProvider{}, + provider, + }) + } aws := newAWSSDKProvider(creds, cfg) return newAWSCloud(*cfg, aws)