From d67b14e47982feb808390cd996c005a241c32486 Mon Sep 17 00:00:00 2001
From: Thuan Vo
Date: Tue, 27 Jan 2026 11:06:29 -0800
Subject: [PATCH] CORS-4055: migrate credential provider check to AWS SDK v2

This commit is an incremental step to migrate AWS API calls to AWS SDK v2. This focuses on handlers that retrieve the source or provider of credentials, for example, via shared credential file and via environment variables. Note: these logics are to determine whether the credential provider is static, which is safe to transfer to the cluster as-is in Mint and Passthrough credentialsMode.
---
 pkg/asset/installconfig/aws/session.go | 14 -------------
 pkg/asset/installconfig/aws/sessionv2.go | 25 ++++++++++++++++++++----
 pkg/asset/manifests/openshift.go | 14 ++++++++-----
 3 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/pkg/asset/installconfig/aws/session.go b/pkg/asset/installconfig/aws/session.go
index 39d52f2957e..7eea8283ede 100644
--- a/pkg/asset/installconfig/aws/session.go
+++ b/pkg/asset/installconfig/aws/session.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strings"
 	"sync"
 
 	survey "github.com/AlecAivazis/survey/v2"
@@ -139,19 +138,6 @@ func getCredentialsFromSession(options session.Options) (*credentials.Credential
 	return creds, nil
 }
 
-// IsStaticCredentials returns whether the credentials value provider are
-// static credentials safe for installer to transfer to cluster for use as-is.
-func IsStaticCredentials(credsValue credentials.Value) bool {
-	switch credsValue.ProviderName {
-	case credentials.EnvProviderName, credentials.StaticProviderName, credentials.SharedCredsProviderName, session.EnvProviderName:
-		return credsValue.SessionToken == ""
-	}
-	if strings.HasPrefix(credsValue.ProviderName, "SharedConfigCredentials") {
-		return credsValue.SessionToken == ""
-	}
-	return false
-}
-
 // errCodeEquals returns true if the error matches all these conditions:
 // - err is of type awserr.Error
 // - Error.Code() equals code
diff --git a/pkg/asset/installconfig/aws/sessionv2.go b/pkg/asset/installconfig/aws/sessionv2.go
index 85da0afda88..4770aab7a1d 100644
--- a/pkg/asset/installconfig/aws/sessionv2.go
+++ b/pkg/asset/installconfig/aws/sessionv2.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -35,6 +36,12 @@ const (
 
 	// RetryBackoffDuration is max duration between retried attempts.
 	RetryBackoffDuration = 300 * time.Second
+
+	// SharedCredsProviderName defines the source name of AWS credentials
+	// from a shared credential file.
+	// Note: The SDK does not expose any constants for this value so
+	// we define one here as a replacement.
+	SharedCredsProviderName = "SharedConfigCredentials" //nolint:gosec
 )
 
 var (
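Review bot: The `//nolint:gosec` on the new `SharedCredsProviderName` constant carries no justification, so the next reader cannot tell whether the G101 hardcoded-credentials finding was assessed or merely silenced; the value is a credential source name, not a secret, and the suppression should say so inline, e.g. `SharedCredsProviderName = "SharedConfigCredentials" //nolint:gosec // G101: credential source name, not a secret`. The doc comment should also state that this is a prefix rather than the full source string, since the third hunk in this file matches it with `strings.HasPrefix` against a source of the form "SharedConfigCredentials: FILENAME"; a line such as `// The SDK reports the source as "SharedConfigCredentials: <file>", so callers match on this prefix.` would make the exported name self-explanatory. The `const` block begins outside this hunk.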
@@ -126,11 +133,21 @@ func getCredentialsV2(ctx context.Context, options ConfigOptions) (aws.Credentia
 	return creds, nil
 }
 
-// IsStaticCredentialsV2 returns whether the credentials value provider are
+// IsStaticCredentials returns whether the credentials value provider are
 // static credentials safe for installer to transfer to cluster for use as-is.
-// TODO: Remove suffix V2 when completing migration aws sdk v2 (i.e. removing session.go).
-func IsStaticCredentialsV2(creds aws.Credentials) bool {
-	if creds.Source == credentials.StaticCredentialsName {
+// Reference: https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-credentials
+func IsStaticCredentials(creds aws.Credentials) bool {
+	switch creds.Source {
+	case
+		credentials.StaticCredentialsName, // Credentials explicitly created via credentials.NewStaticCredentialsProvider()
+		config.CredentialsSourceName: // Credentials loaded from environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) - "EnvConfigCredentials"
+		return creds.SessionToken == ""
+	}
+
+	// Credentials loaded from ~/.aws/credentials or AWS_SHARED_CREDENTIALS_FILE
+	// When using shared credential file, the AWS SDK defines its credential source as "SharedConfigCredentials: FILENAME"
+	// Reference: https://github.com/aws/aws-sdk-go-v2/blob/de58dc6cdc4c35ac4687d53cff781a6027a0f52f/config/shared_config.go#L1173
+	if strings.HasPrefix(creds.Source, SharedCredsProviderName) {
 		return creds.SessionToken == ""
 	}
 	return false
diff --git a/pkg/asset/manifests/openshift.go b/pkg/asset/manifests/openshift.go
index bf6a28ce1f4..0f5771998c6 100644
--- a/pkg/asset/manifests/openshift.go
+++ b/pkg/asset/manifests/openshift.go
@@ -3,12 +3,14 @@ package manifests
 import (
 	"context"
 	"encoding/base64"
+	"fmt"
 	"os"
 	"path"
 	"path/filepath"
 	"strconv"
 	"strings"
 
+	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/gophercloud/utils/v2/openstack/clientconfig"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
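Review bot: `IsStaticCredentials` is the gate that decides whether the installer's credentials may be copied into the cluster, and the commit adds no unit test for it; the three accepted sources, the session-token rejection and the unknown-source rejection are cheap to table-test with `aws.Credentials{Source: ..., SessionToken: ...}` literals, and such a test would pin the `strings.HasPrefix` behaviour that the exported constant now depends on. The inline comment above the prefix check names only `~/.aws/credentials` and `AWS_SHARED_CREDENTIALS_FILE`, but the referenced shared_config.go is the parser for both shared files, so credentials placed in a profile of the shared config file presumably get the same "SharedConfigCredentials: FILENAME" source — worth confirming and, if so, widening the comment to `// Credentials loaded from a profile in the shared credentials or shared config file (AWS_SHARED_CREDENTIALS_FILE / AWS_CONFIG_FILE)`. It would also help to document that every other source (process, SSO, assume-role, web identity, instance metadata) deliberately falls through to `return false`, since that fail-closed default is the security property this function provides. `getCredentialsV2` above starts outside the hunk.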
@@ -91,20 +93,22 @@ func (o *Openshift) Generate(ctx context.Context, dependencies asset.Parents) er
 	platform := installConfig.Config.Platform.Name()
 	switch platform {
 	case awstypes.Name:
-		ssn, err := installConfig.AWS.Session(ctx)
+		awsconfig, err := installconfigaws.GetConfigWithOptions(ctx, config.WithRegion(installConfig.AWS.Region))
 		if err != nil {
 			return err
 		}
-		creds, err := ssn.Config.Credentials.Get()
+
+		creds, err := awsconfig.Credentials.Retrieve(ctx)
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to retrieve aws credentials: %w", err)
 		}
+
 		if !installconfigaws.IsStaticCredentials(creds) {
 			switch {
 			case installConfig.Config.CredentialsMode == "":
-				return errors.Errorf("AWS credentials provided by %s are not valid for default credentials mode", creds.ProviderName)
+				return errors.Errorf("AWS credentials provided by %s are not valid for default credentials mode", creds.Source)
 			case installConfig.Config.CredentialsMode != types.ManualCredentialsMode:
-				return errors.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", creds.ProviderName, installConfig.Config.CredentialsMode)
+				return errors.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", creds.Source, installConfig.Config.CredentialsMode)
 			}
 		}
 		cloudCreds = cloudCredsSecretData{
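Review bot: The new `fmt.Errorf("failed to retrieve aws credentials: %w", err)` introduces a second error-wrapping style beside the file's existing `errors.Errorf` calls from github.com/pkg/errors (both visible in this hunk), and the `failed to` prefix is redundant once the error is chained; `fmt.Errorf("retrieving aws credentials: %w", err)` keeps the `%w` while following Go convention, or the package's `errors.Wrap` would keep the file on pkg/errors throughout. Since the `creds` checked here are presumably also what `cloudCredsSecretData` below is populated from (that literal continues outside the hunk), a one-line comment above the check would record why it must stay in front of that assignment: `// Only static, token-less credentials may be copied into the cluster; anything else must fail here before cloudCreds is built.` `Generate` begins and ends outside this hunk.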