Merge pull request #153 from mdreem/allowRoleAssumption

Allow role assumption
concourse · Feb 1, 2022 · 80c54bd · 80c54bd
2 parents 5298d59 + 746c018
commit 80c54bd
Show file tree

Hide file tree

Showing 13 changed files with 72 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,9 @@ version numbers.
 * `session_token`: *Optional.* The AWS STS session token to use when
   accessing the bucket.
 
+* `aws_role_arn`: *Optional.* The AWS role ARN to be assumed by the user
+  identified by `access_key_id` and `secret_access_key`.
+
 * `region_name`: *Optional.* The region the bucket is in. Defaults to
   `us-east-1`.
 
@@ -252,6 +255,12 @@ docker build . -t s3-resource --target tests -f dockerfiles/ubuntu/Dockerfile \
   --build-arg S3_ENDPOINT="https://s3.amazonaws.com"
 ```
 
+##### Integration tests using role assumption
+
+If `S3_TESTING_AWS_ROLE_ARN` is set to a role ARN, this role will be assumed for accessing
+the S3 bucket during integration tests. The whole integration test suite runs either
+completely using role assumption or completely by direct access via the credentials.
+
 ##### Required IAM permissions
 
 In addition to the required permissions above, the `s3:PutObjectTagging` permission is required to run integration tests.

diff --git a/cmd/check/main.go b/cmd/check/main.go
@@ -26,6 +26,7 @@ func main() {
 		os.Stderr,
 		awsConfig,
 		request.Source.UseV2Signing,
+		request.Source.AwsRoleARN,
 	)
 
 	command := check.NewCommand(client)

diff --git a/cmd/in/main.go b/cmd/in/main.go
@@ -54,6 +54,7 @@ func main() {
 		os.Stderr,
 		awsConfig,
 		request.Source.UseV2Signing,
+		request.Source.AwsRoleARN,
 	)
 
 	command := in.NewCommand(client)

diff --git a/cmd/out/main.go b/cmd/out/main.go
@@ -33,6 +33,7 @@ func main() {
 		os.Stderr,
 		awsConfig,
 		request.Source.UseV2Signing,
+		request.Source.AwsRoleARN,
 	)
 
 	command := out.NewCommand(os.Stderr, client)

diff --git a/dockerfiles/alpine/Dockerfile b/dockerfiles/alpine/Dockerfile
@@ -23,6 +23,7 @@ FROM resource AS tests
 ARG S3_TESTING_ACCESS_KEY_ID
 ARG S3_TESTING_SECRET_ACCESS_KEY
 ARG S3_TESTING_SESSION_TOKEN
+ARG S3_TESTING_AWS_ROLE_ARN
 ARG S3_VERSIONED_TESTING_BUCKET
 ARG S3_TESTING_BUCKET
 ARG S3_TESTING_REGION

diff --git a/dockerfiles/ubuntu/Dockerfile b/dockerfiles/ubuntu/Dockerfile
@@ -29,6 +29,7 @@ FROM resource AS tests
 ARG S3_TESTING_ACCESS_KEY_ID
 ARG S3_TESTING_SECRET_ACCESS_KEY
 ARG S3_TESTING_SESSION_TOKEN
+ARG S3_TESTING_AWS_ROLE_ARN
 ARG S3_VERSIONED_TESTING_BUCKET
 ARG S3_TESTING_BUCKET
 ARG S3_TESTING_REGION

diff --git a/in/command_test.go b/in/command_test.go
@@ -79,7 +79,7 @@ var _ = Describe("In Command", func() {
 			})
 		})
 
-		Context("when configured globaly to skip download", func() {
+		Context("when configured globally to skip download", func() {
 			BeforeEach(func() {
 				request.Source.SkipDownload = true
 			})
@@ -91,7 +91,7 @@ var _ = Describe("In Command", func() {
 			})
 		})
 
-		Context("when configured localy to skip download", func() {
+		Context("when configured locally to skip download", func() {
 			BeforeEach(func() {
 				request.Params.SkipDownload = "true"
 			})
@@ -103,7 +103,7 @@ var _ = Describe("In Command", func() {
 			})
 		})
 
-		Context("when override localy to not skip download", func() {
+		Context("when override locally to not skip download", func() {
 			BeforeEach(func() {
 				request.Source.SkipDownload = true
 				request.Params.SkipDownload = "false"

diff --git a/integration/check_test.go b/integration/check_test.go
@@ -52,6 +52,7 @@ var _ = Describe("check", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          versionedBucketName,
 					RegionName:      regionName,
 					Regexp:          "some-regex",
@@ -83,6 +84,7 @@ var _ = Describe("check", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          bucketName,
 						RegionName:      regionName,
 						Endpoint:        endpoint,
@@ -178,6 +180,7 @@ var _ = Describe("check", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          versionedBucketName,
 						RegionName:      regionName,
 						Endpoint:        endpoint,
@@ -321,6 +324,7 @@ var _ = Describe("check", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          bucketName,
 						RegionName:      regionName,
 						Endpoint:        endpoint,
@@ -484,6 +488,7 @@ var _ = Describe("check", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          versionedBucketName,
 						RegionName:      regionName,
 						Endpoint:        endpoint,

diff --git a/integration/in_test.go b/integration/in_test.go
@@ -65,6 +65,7 @@ var _ = Describe("in", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          versionedBucketName,
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -92,6 +93,7 @@ var _ = Describe("in", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          bucketName,
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -215,6 +217,7 @@ var _ = Describe("in", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          versionedBucketName,
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -346,6 +349,7 @@ var _ = Describe("in", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					CloudfrontURL:   os.Getenv("S3_TESTING_CLOUDFRONT_URL"),
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -421,6 +425,7 @@ var _ = Describe("in", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					CloudfrontURL:   "https://no-dots-here",
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -452,6 +457,7 @@ var _ = Describe("in", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          bucketName,
 					RegionName:      regionName,
 					Endpoint:        endpoint,

diff --git a/integration/integration_suite_test.go b/integration/integration_suite_test.go
@@ -2,6 +2,7 @@ package integration_test
 
 import (
 	"encoding/json"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"io/ioutil"
 	"os"
 
@@ -24,6 +25,7 @@ func TestIntegration(t *testing.T) {
 var accessKeyID = os.Getenv("S3_TESTING_ACCESS_KEY_ID")
 var secretAccessKey = os.Getenv("S3_TESTING_SECRET_ACCESS_KEY")
 var sessionToken = os.Getenv("S3_TESTING_SESSION_TOKEN")
+var awsRoleARN = os.Getenv("S3_TESTING_AWS_ROLE_ARN")
 var versionedBucketName = os.Getenv("S3_VERSIONED_TESTING_BUCKET")
 var bucketName = os.Getenv("S3_TESTING_BUCKET")
 var regionName = os.Getenv("S3_TESTING_REGION")
@@ -82,7 +84,7 @@ func getSessionTokenS3Client(awsConfig *aws.Config) (*s3.S3, s3resource.S3Client
 		false,
 	)
 	s3Service := s3.New(session.New(newAwsConfig), newAwsConfig)
-	s3client := s3resource.NewS3Client(ioutil.Discard, newAwsConfig, v2signing == "true")
+	s3client := s3resource.NewS3Client(ioutil.Discard, newAwsConfig, v2signing == "true", awsRoleARN)
 
 	return s3Service, s3client
 }
@@ -128,9 +130,18 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 			false,
 		)
 
-		s3Service = s3.New(session.New(awsConfig), awsConfig)
+		additionalAwsConfig := aws.Config{}
+		if len(awsRoleARN) != 0 {
+			stsConfig := awsConfig.Copy()
+			stsConfig.Endpoint = nil
+			stsSession := session.Must(session.NewSession(stsConfig))
+			roleCredentials := stscreds.NewCredentials(stsSession, awsRoleARN)
 
-		s3client = s3resource.NewS3Client(ioutil.Discard, awsConfig, v2signing == "true")
+			additionalAwsConfig.Credentials = roleCredentials
+		}
+
+		s3Service = s3.New(session.New(awsConfig), awsConfig, &additionalAwsConfig)
+		s3client = s3resource.NewS3Client(ioutil.Discard, awsConfig, v2signing == "true", awsRoleARN)
 	}
 })
 

diff --git a/integration/out_test.go b/integration/out_test.go
@@ -66,6 +66,7 @@ var _ = Describe("out", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          versionedBucketName,
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -94,6 +95,7 @@ var _ = Describe("out", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          bucketName,
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -137,6 +139,7 @@ var _ = Describe("out", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          bucketName,
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -178,6 +181,7 @@ var _ = Describe("out", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					SessionToken:    sessionToken,
+					AwsRoleARN:      awsRoleARN,
 					Bucket:          bucketName,
 					RegionName:      regionName,
 					Endpoint:        endpoint,
@@ -224,6 +228,7 @@ var _ = Describe("out", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          bucketName,
 						RegionName:      regionName,
 						Endpoint:        endpoint,
@@ -309,6 +314,7 @@ var _ = Describe("out", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          bucketName,
 						RegionName:      regionName,
 						Endpoint:        endpoint,
@@ -346,6 +352,7 @@ var _ = Describe("out", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          bucketName,
 						RegionName:      regionName,
 						Endpoint:        endpoint,
@@ -400,6 +407,7 @@ var _ = Describe("out", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          bucketName,
 						RegionName:      regionName,
 						VersionedFile:   filepath.Join(directoryPrefix, "file-to-upload"),
@@ -450,6 +458,7 @@ var _ = Describe("out", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          versionedBucketName,
 						RegionName:      regionName,
 						VersionedFile:   filepath.Join(directoryPrefix, "file-to-upload"),
@@ -508,6 +517,7 @@ var _ = Describe("out", func() {
 						AccessKeyID:     accessKeyID,
 						SecretAccessKey: secretAccessKey,
 						SessionToken:    sessionToken,
+						AwsRoleARN:      awsRoleARN,
 						Bucket:          versionedBucketName,
 						RegionName:      regionName,
 						Endpoint:        endpoint,

diff --git a/models.go b/models.go
@@ -4,6 +4,7 @@ type Source struct {
 	AccessKeyID          string `json:"access_key_id"`
 	SecretAccessKey      string `json:"secret_access_key"`
 	SessionToken         string `json:"session_token"`
+	AwsRoleARN           string `json:"aws_role_arn"`
 	Bucket               string `json:"bucket"`
 	Regexp               string `json:"regexp"`
 	VersionedFile        string `json:"versioned_file"`

diff --git a/s3client.go b/s3client.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"io"
 	"io/ioutil"
 	"os"
@@ -68,9 +69,13 @@ func NewS3Client(
 	progressOutput io.Writer,
 	awsConfig *aws.Config,
 	useV2Signing bool,
+	roleToAssume string,
 ) S3Client {
 	sess := session.New(awsConfig)
-	client := s3.New(sess, awsConfig)
+
+	assumedRoleAwsConfig := fetchCredentialsForRoleIfDefined(roleToAssume, awsConfig)
+
+	client := s3.New(sess, awsConfig, &assumedRoleAwsConfig)
 
 	if useV2Signing {
 		setv2Handlers(client)
@@ -84,6 +89,19 @@ func NewS3Client(
 	}
 }
 
+func fetchCredentialsForRoleIfDefined(roleToAssume string, awsConfig *aws.Config) aws.Config {
+	assumedRoleAwsConfig := aws.Config{}
+	if len(roleToAssume) != 0 {
+		stsConfig := awsConfig.Copy()
+		stsConfig.Endpoint = nil
+		stsSession := session.Must(session.NewSession(stsConfig))
+		roleCredentials := stscreds.NewCredentials(stsSession, roleToAssume)
+
+		assumedRoleAwsConfig.Credentials = roleCredentials
+	}
+	return assumedRoleAwsConfig
+}
+
 func NewAwsConfig(
 	accessKey string,
 	secretKey string,