From f1cb9b2c41eeb857bc1483b8f65513e557f70580 Mon Sep 17 00:00:00 2001 From: Shubham Agrawal Date: Tue, 12 Jul 2022 11:49:47 +0530 Subject: [PATCH] Add support for assume role to ECR (#55) * Add support for assume role to ECR * fix errors * fix UTs * fix format --- cmd/kaniko-ecr/main.go | 82 ++++++++++++++++++++++++++++++++++--- cmd/kaniko-ecr/main_test.go | 3 ++ go.mod | 5 ++- go.sum | 19 +++++---- 4 files changed, 94 insertions(+), 15 deletions(-) diff --git a/cmd/kaniko-ecr/main.go b/cmd/kaniko-ecr/main.go index dc3c97f..26465b4 100644 --- a/cmd/kaniko-ecr/main.go +++ b/cmd/kaniko-ecr/main.go @@ -2,6 +2,7 @@ package main import ( "context" + "encoding/base64" "encoding/json" "fmt" "io/ioutil" @@ -12,14 +13,19 @@ import ( "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/ecr" "github.com/aws/aws-sdk-go-v2/service/ecrpublic" - "github.com/aws/smithy-go" - kaniko "github.com/drone/drone-kaniko" - "github.com/drone/drone-kaniko/pkg/artifact" - "github.com/drone/drone-kaniko/pkg/docker" + awsv1 "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" + "github.com/aws/aws-sdk-go/aws/session" + ecrv1 "github.com/aws/aws-sdk-go/service/ecr" + "github.com/aws/smithy-go" "github.com/joho/godotenv" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/urfave/cli" + + kaniko "github.com/drone/drone-kaniko" + "github.com/drone/drone-kaniko/pkg/artifact" + "github.com/drone/drone-kaniko/pkg/docker" ) const ( @@ -154,6 +160,16 @@ func main() { Usage: "ECR secret key", EnvVar: "PLUGIN_SECRET_KEY", }, + cli.StringFlag{ + Name: "assume-role", + Usage: "Assume a role", + EnvVar: "PLUGIN_ASSUME_ROLE", + }, + cli.StringFlag{ + Name: "external-id", + Usage: "Used along with assume role to assume a role", + EnvVar: "PLUGIN_EXTERNAL_ID", + }, cli.StringFlag{ Name: "snapshot-mode", Usage: "Specify one of full, redo or time as snapshot mode", @@ -228,6 +244,9 @@ func run(c *cli.Context) error { c.String("access-key"), c.String("secret-key"), registry, + c.String("assume-role"), + c.String("external-id"), + region, noPush, ) if err != nil { @@ -306,13 +325,22 @@ func run(c *cli.Context) error { return plugin.Exec() } -func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey, registry string, noPush bool) (*docker.Config, error) { +func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey, + registry, assumeRole, externalId, region string, noPush bool) (*docker.Config, error) { dockerConfig := docker.NewConfig() if dockerUsername != "" { dockerConfig.SetAuth(docker.RegistryV1, dockerUsername, dockerPassword) } + if accessKey == "" && assumeRole != "" { + var err error + accessKey, secretKey, err = getAssumeRoleCreds(region, assumeRole, externalId, "") + if err != nil { + return nil, err + } + } + // only setup auth when pushing or credentials are defined if !noPush || accessKey != "" { if registry == "" { @@ -419,6 +447,50 @@ func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy string) (er return err } +func getAssumeRoleCreds(region, roleArn, externalId, roleSessionName string) (string, string, error) { + sess, err := session.NewSession(&awsv1.Config{Region: ®ion}) + if err != nil { + return "", "", errors.Wrap(err, "failed to create aws session") + } + + svc := ecrv1.New(sess, &awsv1.Config{ + Credentials: stscreds.NewCredentials(sess, roleArn, func(p *stscreds.AssumeRoleProvider) { + if externalId != "" { + p.ExternalID = &externalId + } + }), + }) + + username, password, _, err := getAuthInfo(svc) + if err != nil { + return "", "", errors.Wrap(err, "failed to get ECR auth") + } + return username, password, nil +} + +func getAuthInfo(svc *ecrv1.ECR) (username, password, registry string, err error) { + var result *ecrv1.GetAuthorizationTokenOutput + var decoded []byte + + result, err = svc.GetAuthorizationToken(&ecrv1.GetAuthorizationTokenInput{}) + if err != nil { + return + } + + auth := result.AuthorizationData[0] + token := *auth.AuthorizationToken + decoded, err = base64.StdEncoding.DecodeString(token) + if err != nil { + return + } + + registry = strings.TrimPrefix(*auth.ProxyEndpoint, "https://") + creds := strings.Split(string(decoded), ":") + username = creds[0] + password = creds[1] + return +} + func isRegistryPublic(registry string) bool { return strings.HasPrefix(registry, ecrPublicDomain) } diff --git a/cmd/kaniko-ecr/main_test.go b/cmd/kaniko-ecr/main_test.go index dc9f319..64895c9 100644 --- a/cmd/kaniko-ecr/main_test.go +++ b/cmd/kaniko-ecr/main_test.go @@ -14,6 +14,9 @@ func TestCreateDockerConfig(t *testing.T) { "access-key", "secret-key", "ecr-registry", + "", + "", + "", false, ) if err != nil { diff --git a/go.mod b/go.mod index 1ec04f7..61c4dbb 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,7 @@ module github.com/drone/drone-kaniko require ( + github.com/aws/aws-sdk-go v1.44.51 github.com/aws/aws-sdk-go-v2 v1.8.1 github.com/aws/aws-sdk-go-v2/config v1.6.1 github.com/aws/aws-sdk-go-v2/service/ecr v1.4.3 @@ -12,7 +13,7 @@ require ( github.com/pkg/errors v0.9.1 github.com/sirupsen/logrus v1.3.0 github.com/urfave/cli v1.22.2 - golang.org/x/mod v0.4.2 + golang.org/x/mod v0.5.1 ) require ( @@ -28,7 +29,7 @@ require ( github.com/russross/blackfriday/v2 v2.0.1 // indirect github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect - golang.org/x/sys v0.0.0-20190412213103-97732733099d // indirect + golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect ) go 1.18 diff --git a/go.sum b/go.sum index 81e7944..1db31be 100644 --- a/go.sum +++ b/go.sum @@ -1,4 +1,6 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/aws/aws-sdk-go v1.44.51 h1:jO9hoLynZOrMM4dj0KjeKIK+c6PA+HQbKoHOkAEye2Y= +github.com/aws/aws-sdk-go v1.44.51/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go-v2 v1.8.1 h1:GcFgQl7MsBygmeeqXyV1ivrTEmsVz/rdFJaTcltG9ag= github.com/aws/aws-sdk-go-v2 v1.8.1/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0= github.com/aws/aws-sdk-go-v2/config v1.6.1 h1:qrZINaORyr78syO1zfD4l7r4tZjy0Z1l0sy4jiysyOM= @@ -59,19 +61,20 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38= +golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=