// Package main provides AWS credential provider implementations.
package main
import (
"context"
"errors"
"fmt"
"os"
"strconv"
"github.com/aws/aws-sdk-go-v2/aws"
)
// ecrContext retrieves AWS credentials from environment variables
// that are suffixed with a specific AWS account ID.
//
// For example, if AccountID is "123456789012",
// it will look for environment variables like:
// - AWS_ACCESS_KEY_ID_123456789012
// - AWS_SECRET_ACCESS_KEY_123456789012
// - AWS_SESSION_TOKEN_123456789012 (optional).
type ecrContext struct {
	// AccountID selects which suffixed variables are read; Region is only
	// used when formatting the registry hostname in debug output.
	//
	// NOTE(review): AccountID is concatenated verbatim into environment
	// variable names and nothing in this file validates its format.
	// Presumably callers pass a 12-digit AWS account ID; confirm at the call
	// site, especially if the value is derived from an image reference.
	AccountID, Region string
}
// HasAccountSuffixedCredentials checks if account-specific environment variables exist.
// Returns true if `_ACCOUNT_ID`-suffixed AWS credential environment variables are found.
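func (p *ecrContext) HasAccountSuffixedCredentials() bool {
	// An empty AccountID would produce the bare suffix "_", which never names
	// an account-specific variable.
	if p.AccountID == "" {
		return false
	}
	suffix := "_" + p.AccountID

	// Retrieve rejects an empty access key ID or secret access key. A variable
	// that is set but empty must therefore not count as present here:
	// otherwise this method reports true and Retrieve then fails for the same
	// account. The session token is optional and is deliberately not checked.
	return os.Getenv(envAwsAccessKeyID+suffix) != "" &&
		os.Getenv(envAwsSecretAccessKey+suffix) != ""
}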
// Retrieve fetches AWS credentials from account-specific environment variables.
// This method implements the aws.CredentialsProvider interface.
func (p *ecrContext) Retrieve(_ context.Context) (out aws.Credentials, err error) {
	// An empty AccountID would yield the bare suffix "_", so reject it up front.
	if p.AccountID == "" {
		return aws.Credentials{}, errors.New("ecrContext: AccountID must be set")
	}

	// Diagnostic output. The closure reads the named result, so it only fires
	// on the success path (every error return leaves Source empty). It prints
	// the account, region and Source label only; key material is never written.
	defer func() {
		if out.Source == "" {
			return
		}
		debug, parseErr := strconv.ParseBool(os.Getenv(envDebugMode))
		if parseErr != nil || !debug {
			return
		}
		_, _ = fmt.Fprintf(os.Stderr, "Authenticating access to '%s.dkr.ecr.%s.amazonaws.com' with %q\n", p.AccountID, p.Region, out.Source)
	}()

	// Names of the account-specific variables.
	suffix := "_" + p.AccountID
	accessKeyVar := envAwsAccessKeyID + suffix
	secretKeyVar := envAwsSecretAccessKey + suffix
	tokenVar := envAwsSessionToken + suffix

	keyID := os.Getenv(accessKeyVar)
	secret := os.Getenv(secretKeyVar)
	token := os.Getenv(tokenVar)

	// Both halves of the key pair are mandatory; an empty value is treated the
	// same as an unset variable. The access key is checked first.
	switch {
	case keyID == "":
		return aws.Credentials{}, fmt.Errorf("ecrContext: environment variable %s not found", accessKeyVar)
	case secret == "":
		return aws.Credentials{}, fmt.Errorf("ecrContext: environment variable %s not found", secretKeyVar)
	}

	// Only the suffixed values are used; the unsuffixed AWS variables are
	// never consulted here.
	// NOTE(review): no expiry fields are set, so a caching wrapper will
	// presumably treat these as non-expiring even when a session token is
	// supplied. Confirm how callers refresh rotated tokens.
	out = aws.Credentials{
		AccessKeyID:     keyID,
		SecretAccessKey: secret,
		SessionToken:    token, // optional, may be empty
		Source:          fmt.Sprintf("Suffixed AWS Environment (Account: %s)", p.AccountID),
	}
	return out, nil
}