Allow using instance IAM roles
Concourse does not allow using instance IAM roles because it conflicts
with their multi-tenancy designs[1]. Multiple "teams" can use the same
instance, and using IAM instance roles means that this could be
considered insecure.

This is not applicable to our use case, so we are fine to use it. This
removes the requirement to pass in access keys and just assume we want
to use instance roles instead.

[1] concourse/concourse#3023
surminus committed Jul 21, 2022
1 parent 1e90288 commit c91a54f
Showing 5 changed files with 17 additions and 22 deletions.
2 changes: 1 addition & 1 deletion commands/check.go
Expand Up @@ -49,7 +49,7 @@ func (c *Check) Execute() error {
return fmt.Errorf("invalid payload: %s", err)
}

if req.Source.AwsAccessKeyId != "" && req.Source.AwsSecretAccessKey != "" && req.Source.AwsRegion != "" {
if req.Source.AwsRegion != "" {
if !req.Source.AuthenticateToECR() {
return fmt.Errorf("cannot authenticate with ECR")
}
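Review bot: The guard before `AuthenticateToECR()` is now `req.Source.AwsRegion != ""`, and the identical line is repeated in the in.go and out.go hunks, so the rule for when ECR authentication applies lives in three commands and any later adjustment (for instance also honouring `aws_ecr_registry_id` or the role ARN fields) has to be made three times. Consider a single predicate on Source, e.g. `func (s *Source) UsesECR() bool { return s.AwsRegion != "" }`, with `if req.Source.UsesECR() {` in all three places. Note that setting `aws_region` alone is now enough to trigger an ECR token exchange with whatever ambient credentials the worker holds, which is a behaviour change worth a line in the resource's README. Check.Execute starts and ends outside the hunk.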
2 changes: 1 addition & 1 deletion commands/in.go
Expand Up @@ -65,7 +65,7 @@ func (i *In) Execute() error {

dest := i.args[1]

if req.Source.AwsAccessKeyId != "" && req.Source.AwsSecretAccessKey != "" && req.Source.AwsRegion != "" {
if req.Source.AwsRegion != "" {
if !req.Source.AuthenticateToECR() {
return fmt.Errorf("cannot authenticate with ECR")
}
2 changes: 1 addition & 1 deletion commands/out.go
Expand Up @@ -63,7 +63,7 @@ func (o *Out) Execute() error {

src := o.args[1]

if req.Source.AwsAccessKeyId != "" && req.Source.AwsSecretAccessKey != "" && req.Source.AwsRegion != "" {
if req.Source.AwsRegion != "" {
if !req.Source.AuthenticateToECR() {
return fmt.Errorf("cannot authenticate with ECR")
}
23 changes: 11 additions & 12 deletions types.go
Expand Up @@ -14,7 +14,6 @@ import (
"strings"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ecr"
Expand Down Expand Up @@ -55,13 +54,10 @@ type OutResponse struct {
}

type AwsCredentials struct {
AwsAccessKeyId string `json:"aws_access_key_id,omitempty"`
AwsSecretAccessKey string `json:"aws_secret_access_key,omitempty"`
AwsSessionToken string `json:"aws_session_token,omitempty"`
AwsRegion string `json:"aws_region,omitempty"`
AWSECRRegistryId string `json:"aws_ecr_registry_id,omitempty"`
AwsRoleArn string `json:"aws_role_arn,omitempty"`
AwsRoleArns []string `json:"aws_role_arns,omitempty"`
AwsRegion string `json:"aws_region,omitempty"`
AWSECRRegistryId string `json:"aws_ecr_registry_id,omitempty"`
AwsRoleArn string `json:"aws_role_arn,omitempty"`
AwsRoleArns []string `json:"aws_role_arns,omitempty"`
}

type BasicCredentials struct {
Expand Down Expand Up @@ -307,10 +303,13 @@ func (source *Source) AuthenticateToECR() bool {
return false
}

mySession := session.Must(session.NewSession(&aws.Config{
Region: aws.String(source.AwsRegion),
Credentials: credentials.NewStaticCredentials(source.AwsAccessKeyId, source.AwsSecretAccessKey, source.AwsSessionToken),
}))
mySession, err := session.NewSession(&aws.Config{
Region: aws.String(source.AwsRegion),
})
if err != nil {
logrus.Errorf("failed to authenticate with AWS: %s", err)
return false
}

// Note: This implementation gives precedence to `aws_role_arn` since it
// assumes that we've errored if both `aws_role_arn` and `aws_role_arns`
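Review bot: The log line in the new `if err != nil` branch of AuthenticateToECR says `failed to authenticate with AWS`, but `session.NewSession` only builds the session and resolves configuration; credentials are not exercised until the first API call, so the message points readers at the wrong failure — suggest `logrus.Errorf("failed to create AWS session: %s", err)`. Since the config no longer sets `Credentials`, the SDK's default provider chain supplies them, which as far as I recall consults environment variables and the shared config files before the instance or task role; a comment above the `session.NewSession` call such as `// No static credentials: the SDK default provider chain (env, shared config, instance/task role) supplies them.` would stop the commit's "instance roles" wording from being read as a restriction. In the AwsCredentials hunk, a source payload that still carries `aws_access_key_id`/`aws_secret_access_key` is presumably dropped by the JSON decoder unless unknown fields are rejected, so the ambient credentials are used without any signal to the pipeline author; a one-time warning when those keys are present would make the migration visible. AuthenticateToECR starts and ends outside the hunk.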
10 changes: 3 additions & 7 deletions types_test.go
Expand Up @@ -53,9 +53,7 @@ var _ = Describe("Source", func() {
source := resource.Source{
Repository: "foo",
AwsCredentials: resource.AwsCredentials{
AwsAccessKeyId: "foo",
AwsSecretAccessKey: "bar",
AwsRegion: "us-east-1",
AwsRegion: "us-east-1",
},
}

Expand All @@ -69,10 +67,8 @@ var _ = Describe("Source", func() {
source := resource.Source{
Repository: "foo",
AwsCredentials: resource.AwsCredentials{
AwsAccessKeyId: "foo",
AwsSecretAccessKey: "bar",
AwsRegion: "us-east-1",
AWSECRRegistryId: "012345678901",
AwsRegion: "us-east-1",
AWSECRRegistryId: "012345678901",
},
}

