Set AWS environment variables to access AWS resources

wenqiq · wenqiq · commit c639998a383e · 2025-02-27T03:56:09.000+08:00
Signed-off-by: Wenqi Qiu &lt;wenqiq@vmware.com&gt;
diff --git a/ci/test-conformance-eks.sh b/ci/test-conformance-eks.sh
@@ -187,35 +187,21 @@ function setup_eks() {
     aws --version
 
     set +e
-    if [[ "$AWS_SERVICE_USER_ROLE_ARN" != "" ]] && [[ "$AWS_SERVICE_USER_NAME" != "" ]]; then
-        mkdir -p ~/.aws
-        cat > ~/.aws/config <<EOF
-[default]
-region = $REGION
-role_arn = $AWS_SERVICE_USER_ROLE_ARN
-source_profile = $AWS_SERVICE_USER_NAME
-output = json
-EOF
-        cat > ~/.aws/credentials <<EOF
-[$AWS_SERVICE_USER_NAME]
-aws_access_key_id = $AWS_ACCESS_KEY
-aws_secret_access_key = $AWS_SECRET_KEY
-EOF
-    elif [[ "$AWS_SERVICE_USER_ROLE_ARN" = "" ]] && [[ "$AWS_SERVICE_USER_NAME" = "" ]]; then
-        mkdir -p ~/.aws
-        cat > ~/.aws/config <<EOF
-[default]
-region = $REGION
-output = json
-EOF
-        cat > ~/.aws/credentials <<EOF
-[default]
-aws_access_key_id = $AWS_ACCESS_KEY
-aws_secret_access_key = $AWS_SECRET_KEY
-EOF
-    else
-        echo "Invalid input either specify both aws-service-user-role-arn and aws-service-user or none."
-        exit 1
+    export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY
+    export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_KEY
+
+    export AWS_DEFAULT_OUTPUT=json
+    export AWS_DEFAULT_REGION=$REGION
+    if [[ "$AWS_SERVICE_USER_ROLE_ARN" != "" ]]; then
+        TEMP_CRED=$(aws sts assume-role \
+          --role-arn "$AWS_SERVICE_USER_ROLE_ARN" \
+          --role-session-name "cli-session" \
+          --query "Credentials" \
+          --output json)
+
+        export AWS_ACCESS_KEY_ID=$(echo "$TEMP_CRED" | jq -r .AccessKeyId)
+        export AWS_SECRET_ACCESS_KEY=$(echo "$TEMP_CRED" | jq -r .SecretAccessKey)
+        export AWS_SESSION_TOKEN=$(echo "$TEMP_CRED" | jq -r .SessionToken)
     fi
 
     if [[ "$INSTALL_EKSCTL" == true ]]; then
diff --git a/ci/test-sriov-secondary-network-aws.sh b/ci/test-sriov-secondary-network-aws.sh
@@ -35,7 +35,7 @@ SUBNET_CIDR_RES_ID="${SUBNET_CIDR_RES_ID:-}"
 _usage="Usage: $0 [--aws-access-key <AccessKey>] [--aws-secret-key <SecretKey>] \
                   [--aws-security-group-id <SecurityGroupID>] [--aws-subnet-id <SubnetID>] \
                   [--aws-ec2-ssh-key-name <SSHKeyName>]
-                  [--aws-service-user-role-arn <ServiceUserRoleARN>]  [--aws-service-user <ServiceUserName>] \
+                  [--aws-service-user-role-arn <ServiceUserRoleARN>] \
                   [--aws-region <Region>] [--k8s-version <ClusterVersion>]
 
 Setup a Kubernetes cluster and test SR-IOV secondary network in AWS.
@@ -46,7 +46,6 @@ Setup a Kubernetes cluster and test SR-IOV secondary network in AWS.
         --aws-subnet-id               The subnet in which the ec2 instance network interface is located.
         --aws-ec2-ssh-key-name        The key name to be used for ssh access to ec2 instances.
         --aws-service-user-role-arn   AWS Service User Role ARN for logging in to awscli.
-        --aws-service-user            AWS Service User Name for logging in to awscli.
         --aws-region                  The AWS region where the cluster will be initiated. Defaults to $REGION.
         --setup-only                  Only perform setting up the cluster and run test.
         --cleanup-only                Only perform cleaning up the cluster.
@@ -89,10 +88,6 @@ case $key in
     AWS_SERVICE_USER_ROLE_ARN="$2"
     shift 2
     ;;
-    --aws-service-user)
-    AWS_SERVICE_USER_NAME="$2"
-    shift 2
-    ;;
     --aws-region)
     REGION="$2"
     shift 2
@@ -122,19 +117,19 @@ case $key in
 esac
 done
 
-mkdir -p ~/.aws
-cat > ~/.aws/config <<EOF
-[default]
-region = $REGION
-role_arn = $AWS_SERVICE_USER_ROLE_ARN
-source_profile = $AWS_SERVICE_USER_NAME
-output = json
-EOF
-cat > ~/.aws/credentials <<EOF
-[$AWS_SERVICE_USER_NAME]
-aws_access_key_id = $AWS_ACCESS_KEY
-aws_secret_access_key = $AWS_SECRET_KEY
-EOF
+export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY
+export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_KEY
+export AWS_DEFAULT_REGION=$REGION
+
+TEMP_CRED=$(aws sts assume-role \
+  --role-arn "$AWS_SERVICE_USER_ROLE_ARN" \
+  --role-session-name "cli-session" \
+  --query "Credentials" \
+  --output json)
+
+export AWS_ACCESS_KEY_ID=$(echo "$TEMP_CRED" | jq -r .AccessKeyId)
+export AWS_SECRET_ACCESS_KEY=$(echo "$TEMP_CRED" | jq -r .SecretAccessKey)
+export AWS_SESSION_TOKEN=$(echo "$TEMP_CRED" | jq -r .SessionToken)
 
 THIS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
 ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
