Skip to content

Commit

Permalink
aws: credentials: Add support for EKS_POD_EXECUTION_ROLE
Browse files Browse the repository at this point in the history 
Signed-off-by: Wesley Pettit <[email protected]>
  • Loading branch information
@PettitWesley
PettitWesley committed Nov 16, 2020
1 parent 92d43a1 commit e1a0859
Showing 1 changed file with 81 additions and 5 deletions.
86 changes: 81 additions & 5 deletions src/aws/flb_aws_credentials.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,20 @@
#define AWS_SECRET_ACCESS_KEY "AWS_SECRET_ACCESS_KEY"
#define AWS_SESSION_TOKEN "AWS_SESSION_TOKEN"

#define EKS_POD_EXECUTION_ROLE "EKS_POD_EXECUTION_ROLE"

/* declarations */
static struct flb_aws_provider *standard_chain_create(struct flb_config
*config,
struct flb_tls *tls,
char *region,
char *sts_endpoint,
char *proxy,
struct
flb_aws_client_generator
*generator,
int eks_irsa);


/*
* The standard credential provider chain:
Expand Down Expand Up @@ -241,6 +255,66 @@ struct flb_aws_provider *flb_standard_chain_provider_create(struct flb_config
struct
flb_aws_client_generator
*generator)
{
struct flb_aws_provider *provider;
struct flb_aws_provider *tmp_provider;
char *eks_pod_role = NULL;
char *session_name;

eks_pod_role = getenv(EKS_POD_EXECUTION_ROLE);
if (eks_pod_role && strlen(eks_pod_role) > 0) {
/*
* eks fargate
* standard chain will be base provider used to
* assume the EKS_POD_EXECUTION_ROLE
*/
flb_debug("[aws_credentials] Using EKS_POD_EXECUTION_ROLE=%s", eks_pod_role);
tmp_provider = standard_chain_create(config, tls, region, sts_endpoint,
proxy, generator, FLB_FALSE);

if (!tmp_provider) {
return NULL;
}

session_name = flb_sts_session_name();
if (!session_name) {
flb_error("Failed to generate random STS session name");
flb_aws_provider_destroy(tmp_provider);
return NULL;
}

provider = flb_sts_provider_create(config, tls, tmp_provider, NULL,
eks_pod_role, session_name,
region, sts_endpoint,
NULL, generator);
if (!provider) {
flb_error("Failed to create EKS Fargate Credential Provider");
flb_aws_provider_destroy(tmp_provider);
return NULL;
}
/* session name can freed after provider is created */
flb_free(session_name);
session_name = NULL;

return provider;
}

/* standard case- not in EKS Fargate */
provider = standard_chain_create(config, tls, region, sts_endpoint,
proxy, generator, FLB_TRUE);
return provider;
}

static struct flb_aws_provider *standard_chain_create(struct flb_config
*config,
struct flb_tls *tls,
char *region,
char *sts_endpoint,
char *proxy,
struct
flb_aws_client_generator
*generator,
int eks_irsa)
{
struct flb_aws_provider *sub_provider;
struct flb_aws_provider *provider;
Expand Down Expand Up @@ -285,11 +359,13 @@ struct flb_aws_provider *flb_standard_chain_provider_create(struct flb_config
"standard chain");
}

sub_provider = flb_eks_provider_create(config, tls, region, sts_endpoint, proxy, generator);
if (sub_provider) {
/* EKS provider can fail if we are not running in k8s */;
mk_list_add(&sub_provider->_head, &implementation->sub_providers);
flb_debug("[aws_credentials] Initialized EKS Provider in standard chain");
if (eks_irsa == FLB_TRUE) {
sub_provider = flb_eks_provider_create(config, tls, region, sts_endpoint, proxy, generator);
if (sub_provider) {
/* EKS provider can fail if we are not running in k8s */;
mk_list_add(&sub_provider->_head, &implementation->sub_providers);
flb_debug("[aws_credentials] Initialized EKS Provider in standard chain");
}
}

sub_provider = flb_ec2_provider_create(config, generator);
Expand Down

0 comments on commit e1a0859

Please sign in to comment.