mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-14 02:10:21 +00:00
4f0bb2315b
With Amazon STS and kubernetes cluster is configured with OIDC identity provider, credentials to access Amazon KMS can be fetched using oidc-token(serviceaccount token). Each tenant/namespace needs to create a secret with aws region, role and CMK ARN. Ceph-CSI will assume the given role with oidc token and access aws KMS, with given CMK to encrypt/decrypt DEK which will stored in the image metdata. Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html Resolves: #2879 Signed-off-by: Rakshith R <rar@redhat.com>
128 lines
4.4 KiB
Go
128 lines
4.4 KiB
Go
package aws
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/internal/sdk"
|
|
)
|
|
|
|
// AnonymousCredentials provides a sentinel CredentialsProvider that should be
|
|
// used to instruct the SDK's signing middleware to not sign the request.
|
|
//
|
|
// Using `nil` credentials when configuring an API client will achieve the same
|
|
// result. The AnonymousCredentials type allows you to configure the SDK's
|
|
// external config loading to not attempt to source credentials from the shared
|
|
// config or environment.
|
|
//
|
|
// For example you can use this CredentialsProvider with an API client's
|
|
// Options to instruct the client not to sign a request for accessing public
|
|
// S3 bucket objects.
|
|
//
|
|
// The following example demonstrates using the AnonymousCredentials to prevent
|
|
// SDK's external config loading attempt to resolve credentials.
|
|
//
|
|
// cfg, err := config.LoadDefaultConfig(context.TODO(),
|
|
// config.WithCredentialsProvider(aws.AnonymousCredentials{}),
|
|
// )
|
|
// if err != nil {
|
|
// log.Fatalf("failed to load config, %v", err)
|
|
// }
|
|
//
|
|
// client := s3.NewFromConfig(cfg)
|
|
//
|
|
// Alternatively you can leave the API client Option's `Credential` member to
|
|
// nil. If using the `NewFromConfig` constructor you'll need to explicitly set
|
|
// the `Credentials` member to nil, if the external config resolved a
|
|
// credential provider.
|
|
//
|
|
// client := s3.New(s3.Options{
|
|
// // Credentials defaults to a nil value.
|
|
// })
|
|
//
|
|
// This can also be configured for specific operations calls too.
|
|
//
|
|
// cfg, err := config.LoadDefaultConfig(context.TODO())
|
|
// if err != nil {
|
|
// log.Fatalf("failed to load config, %v", err)
|
|
// }
|
|
//
|
|
// client := s3.NewFromConfig(config)
|
|
//
|
|
// result, err := client.GetObject(context.TODO(), s3.GetObject{
|
|
// Bucket: aws.String("example-bucket"),
|
|
// Key: aws.String("example-key"),
|
|
// }, func(o *s3.Options) {
|
|
// o.Credentials = nil
|
|
// // Or
|
|
// o.Credentials = aws.AnonymousCredentials{}
|
|
// })
|
|
type AnonymousCredentials struct{}
|
|
|
|
// Retrieve implements the CredentialsProvider interface, but will always
|
|
// return error, and cannot be used to sign a request. The AnonymousCredentials
|
|
// type is used as a sentinel type instructing the AWS request signing
|
|
// middleware to not sign a request.
|
|
func (AnonymousCredentials) Retrieve(context.Context) (Credentials, error) {
|
|
return Credentials{Source: "AnonymousCredentials"},
|
|
fmt.Errorf("the AnonymousCredentials is not a valid credential provider, and cannot be used to sign AWS requests with")
|
|
}
|
|
|
|
// A Credentials is the AWS credentials value for individual credential fields.
|
|
type Credentials struct {
|
|
// AWS Access key ID
|
|
AccessKeyID string
|
|
|
|
// AWS Secret Access Key
|
|
SecretAccessKey string
|
|
|
|
// AWS Session Token
|
|
SessionToken string
|
|
|
|
// Source of the credentials
|
|
Source string
|
|
|
|
// Time the credentials will expire.
|
|
CanExpire bool
|
|
Expires time.Time
|
|
}
|
|
|
|
// Expired returns if the credentials have expired.
|
|
func (v Credentials) Expired() bool {
|
|
if v.CanExpire {
|
|
// Calling Round(0) on the current time will truncate the monotonic reading only. Ensures credential expiry
|
|
// time is always based on reported wall-clock time.
|
|
return !v.Expires.After(sdk.NowTime().Round(0))
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// HasKeys returns if the credentials keys are set.
|
|
func (v Credentials) HasKeys() bool {
|
|
return len(v.AccessKeyID) > 0 && len(v.SecretAccessKey) > 0
|
|
}
|
|
|
|
// A CredentialsProvider is the interface for any component which will provide
|
|
// credentials Credentials. A CredentialsProvider is required to manage its own
|
|
// Expired state, and what to be expired means.
|
|
//
|
|
// A credentials provider implementation can be wrapped with a CredentialCache
|
|
// to cache the credential value retrieved. Without the cache the SDK will
|
|
// attempt to retrieve the credentials for every request.
|
|
type CredentialsProvider interface {
|
|
// Retrieve returns nil if it successfully retrieved the value.
|
|
// Error is returned if the value were not obtainable, or empty.
|
|
Retrieve(ctx context.Context) (Credentials, error)
|
|
}
|
|
|
|
// CredentialsProviderFunc provides a helper wrapping a function value to
|
|
// satisfy the CredentialsProvider interface.
|
|
type CredentialsProviderFunc func(context.Context) (Credentials, error)
|
|
|
|
// Retrieve delegates to the function value the CredentialsProviderFunc wraps.
|
|
func (fn CredentialsProviderFunc) Retrieve(ctx context.Context) (Credentials, error) {
|
|
return fn(ctx)
|
|
}
|