feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to pass external ID for the secondary role when required (#122)

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE trigger

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE trigger #2

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE main.go

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE main.go

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE s3.go

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE s3.go

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE s3.go logging

* feat: [CI-14214]: Add PLUGIN_USER_ROLE_EXTERNAL_ID to CACHE s3.go client setup

* feat: [CI-14214]: s3.go client setup

* feat: [CI-14214]: Updating tests.

* feat: [CI-14214]: Updating tests.

* feat: [CI-14214]: Updating tests.

* feat: [CI-14214]: Updating userrolearn in test file.

* feat: [CI-14214]: Updating userrolearn in test file.

* feat: [CI-14214]: Updating userrolearn in test file.

* feat: [CI-14214]: Updating userrolearn in test file.

* feat: [CI-14214]: Updating userrolearn in test file. #5

* feat: [CI-14214]: Refactoring to make tests work.

* feat: [CI-14214]: Refactoring to make tests work.

* feat: [CI-14214]: Refactoring to make tests work. - 3

* feat: [CI-14214]: Refactoring to make tests work. - 4

* feat: [CI-14214]: Reverting all code to previous state to check if tests were working correctly.

* feat: [CI-14214]: Reverting all code to previous state to check if tests were working correctly. - 2

* feat: [CI-14214]: Refactoring to make tests work. - 5

* feat: [CI-14214]: Refactoring to make tests work. - 6

* feat: [CI-14214]: Refactoring to make tests work. - 7

* feat: [CI-14214]: Refactoring to make tests work. - 8

* feat: [CI-14214]: Refactoring to make tests work. - 9

* feat: [CI-14214]: Refactoring to make tests work. - 10

* Refactoring to make tests work. - 11

* feat: [CI-14214] - Refactoring S3 backend code.. - 12

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 13

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 14

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 15

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 16

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 17

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 18

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 19

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 20

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 21

* feat: [CI-14214] - Refactoring S3 backend codeto make tests work. - 21

* feat: [CI-14214] - Refactoring S3 backend code to make tests work. - 22

* feat: [CI-14214] - Refactoring S3 backend code to make tests work. - 23

* feat: [CI-14214] - Refactoring S3 backend code to make tests work. - 24

* feat: [CI-14214] - Refactoring S3_test backend code to make tests work. - 25

* feat: [CI-14214] - Refactoring S3_test. - 26

* feat: [CI-14214] - Refactoring S3_test. - 27

* feat: [CI-14214] - Refactoring S3_test. - 28

* feat: [CI-14214] - Refactoring S3_test. - 29

* feat: [CI-14214] - Refactoring S3_test. - 30

* feat: [CI-14214] - Refactoring S3_test. - 31

* feat: [CI-14214] - Refactoring S3_test. - 32

* feat: [CI-14214] - Refactoring S3_test. - 33

* feat: [CI-14214] - Refactoring S3_test. - 34

* feat: [CI-14214] - Refactoring S3_test. - 35

* feat: [CI-14214] - Refactoring S3_test. - 36

* feat: [CI-14214] - Refactoring S3_test. - 37

* feat: [CI-14214] - Refactoring S3_test. - 38

* feat: [CI-14214] - Refactoring S3_test. - 39

* feat: [CI-14214] - Refactoring S3_test. - 40

* feat: [CI-14214] - Refactoring S3_test. - 41

* feat: [CI-14214] - Refactoring S3cache. - 42

* feat: [CI-14214] - Refactoring S3cache. - 43

* feat: [CI-14214] - Refactoring S3cache. - 44

* feat: [CI-14214] - Refactoring S3cache. - 45

* feat: [CI-14214] - Refactoring S3cache. - 46

* feat: [CI-14214] - Refactoring S3cache. - 47

* feat: [CI-14214] - Refactoring S3cache. - 48

* feat: [CI-14214] - Refactoring S3cache. - 49

* feat: [CI-14214] - Refactoring S3cache. - 50

* feat: [CI-14214] - Final Refactoring. - 1

* feat: [CI-14214] - Final Refactoring. - 2

* feat: [CI-14214] - Final Refactoring. - 3

* Update storage/backend/s3/s3.go

Removing loggers.

Co-authored-by: OP (oppenheimer) <[email protected]>

* Update storage/backend/s3/s3.go

Removing loggers.

Co-authored-by: OP (oppenheimer) <[email protected]>

* Update storage/backend/s3/s3.go

Removing loggers.

Co-authored-by: OP (oppenheimer) <[email protected]>

* Update storage/backend/s3/s3.go

Changing warning message.

Co-authored-by: OP (oppenheimer) <[email protected]>

* Updating README

* Remove excessive logging.

* Update README.md

* Remove redundant files.

---------

Co-authored-by: OP (oppenheimer) <[email protected]>

Author: DevanshMathur19

.gitignore

@@ -37,3 +37,5 @@ release/
 # Azurite temp files
 __*__
 __*__.json
+
+update_script.sh

README.md

@@ -255,6 +255,28 @@ Targets:
   help           	  Shows this help message
 ```
 
+## Configuration Variables for Secondary Role Assumption with External ID
+
+The following environment variables enable the plugin to assume a secondary IAM role using IRSA, with an External ID if required by the role’s trust policy.
+
+### Variables
+
+#### `PLUGIN_USER_ROLE_ARN`
+
+- **Type**: String
+- **Required**: No
+- **Description**: Specifies the secondary IAM role to be assumed by the plugin, allowing it to inherit permissions associated with this role and access specific AWS resources.
+
+#### `PLUGIN_USER_ROLE_EXTERNAL_ID`
+
+- **Type**: String
+- **Required**: No
+- **Description**: Provide the External ID necessary for the role assumption process if the secondary role’s trust policy mandates it. This is often required for added security, ensuring that only authorized entities assume the role.
+
+### Usage Notes
+
+- If the role secondary role (`PLUGIN_USER_ROLE_ARN`) requires an External ID then pass it through `PLUGIN_USER_ROLE_EXTERNAL_ID`.
+
 ## Releases
 
 Release management handled by the CI pipeline. When you create a tag on `master` branch, CI handles the rest.
@@ -299,3 +321,4 @@ One bigger area of future investment is to add a couple of [new storage backends
 ## License and Copyright
 
 This project is licensed under the [Apache License 2.0](LICENSE).
+.

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/google/go-cmp v0.5.9
 	github.com/klauspost/compress v1.16.3
 	github.com/pkg/sftp v1.13.5
+	github.com/sirupsen/logrus v1.9.3
 	github.com/urfave/cli/v2 v2.25.0
 	golang.org/x/crypto v0.14.0
 	golang.org/x/oauth2 v0.6.0

go.sum

@@ -114,6 +114,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -166,6 +168,7 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

main.go

@@ -420,10 +420,15 @@ func main() {
 			EnvVars: []string{"PLUGIN_USER_ROLE_ARN", "AWS_USER_ROLE_ARN"},
 		},
 		&cli.StringFlag{
-			Name:   "external-id",
-			Usage:  "external ID to use when assuming role",
+			Name:    "external-id",
+			Usage:   "external ID to use when assuming role",
 			EnvVars: []string{"PLUGIN_EXTERNAL_ID"},
 		},
+		&cli.StringFlag{
+			Name:    "user-role-external-id",
+			Usage:   "external ID to use when assuming secondary role",
+			EnvVars: []string{"PLUGIN_USER_ROLE_EXTERNAL_ID"},
+		},
 
 		// GCS specific Configs flags
 
@@ -561,7 +566,7 @@ func run(c *cli.Context) error {
 		logLevel = internal.LogLevelDebug
 	}
 
-	logger := internal.NewLogger(logLevel, c.String("log.format"), "drone-cache")
+	logger := internal.NewLogger(logLevel, c.String("log.format"), "drone-cache-logger")
 	level.Debug(logger).Log("version", version, "commit", commit, "date", date)
 
 	plg := plugin.New(log.With(logger, "component", "plugin"))
@@ -637,6 +642,7 @@ func run(c *cli.Context) error {
 			UserRoleArn:           c.String("user-role-arn"),
 			OIDCTokenID:           c.String("oidc-token-id"),
 			ExternalID:            c.String("external-id"),
+			UserRoleExternalID:    c.String("user-role-external-id"),
 		},
 		Azure: azure.Config{
 			AccountName:    c.String("azure.account-name"),

storage/backend/s3/config.go

@@ -1,5 +1,7 @@
 package s3
 
+import "github.com/aws/aws-sdk-go/aws/credentials"
+
 // Config is a structure to store S3  backend configuration.
 type Config struct {
 	// Indicates the files ACL, which should be one,
@@ -21,6 +23,9 @@ type Config struct {
 	UserRoleArn           string
 	OIDCTokenID           string
 	ExternalID            string
+	UserRoleExternalID    string
+
+	Credentials *credentials.Credentials
 
 	// us-east-1
 	// us-west-1

storage/backend/s3/s3.go

@@ -16,13 +16,13 @@ import (
 	"github.com/aws/aws-sdk-go/service/s3/s3manager"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/go-kit/kit/log"
-	"github.com/go-kit/kit/log/level"
+	"github.com/sirupsen/logrus"
 
 	"github.com/meltwater/drone-cache/internal"
 	"github.com/meltwater/drone-cache/storage/common"
 )
 
-// Backend implements storage.Backend for AWs S3.
+// Backend implements storage.Backend for AWS S3.
 type Backend struct {
 	logger log.Logger
 
@@ -32,52 +32,76 @@ type Backend struct {
 	client     *s3.S3
 }
 
-// New creates an S3 backend.
+// New creates a new S3 backend with lazy-loaded credentials.
 func New(l log.Logger, c Config, debug bool) (*Backend, error) {
+
 	conf := &aws.Config{
 		Region:           aws.String(c.Region),
 		Endpoint:         &c.Endpoint,
 		DisableSSL:       aws.Bool(strings.HasPrefix(c.Endpoint, "http://")),
 		S3ForcePathStyle: aws.Bool(c.PathStyle),
 	}
 
-	if c.Key != "" && c.Secret != "" { // nolint:gocritic
+	// Create the initial session
+	sess, err := session.NewSession(conf)
+	if err != nil {
+		logrus.WithError(err).Error("Could not instantiate AWS session")
+		return nil, fmt.Errorf("AWS session creation failed: %w", err)
+	}
+	// Inject credentials after session creation
+	if c.Key != "" && c.Secret != "" {
+		logrus.Info("Using static credentials (Key/Secret provided)")
 		conf.Credentials = credentials.NewStaticCredentials(c.Key, c.Secret, "")
 	} else if c.AssumeRoleARN != "" {
+		// Use OIDC Token or assume role
 		if c.OIDCTokenID != "" {
-			// Assume role with OIDC
+			logrus.Info("Attempting to assume role with OIDC")
 			creds, err := assumeRoleWithWebIdentity(c.AssumeRoleARN, c.AssumeRoleSessionName, c.OIDCTokenID)
 			if err != nil {
-				level.Error(l).Log("msg", "failed to assume role with OIDC", "error", err)
+				logrus.WithError(err).Error("Failed to assume role with OIDC")
 				return nil, err
 			}
 			conf.Credentials = creds
+			logrus.Info("Successfully assumed role with OIDC")
 		} else {
 			conf.Credentials = assumeRole(c.AssumeRoleARN, c.AssumeRoleSessionName, c.ExternalID)
 		}
 	} else {
-		level.Warn(l).Log("msg", "aws key and/or Secret not provided (falling back to anonymous credentials)")
-	}
-
-	sess, err := session.NewSession(conf)
-	if err != nil {
-		level.Warn(l).Log("msg", "could not instantiate session", "error", err)
-		return nil, err
+		logrus.Warn("No AWS credentials provided or role assumed; using default machine credentials for AWS requests")
 	}
 
 	var client *s3.S3
-	// If user role ARN is set then assume role here
+
+	// If UserRoleArn is set, create a new session and assume the role
 	if len(c.UserRoleArn) > 0 {
-		confRoleArn := aws.Config{
-			Region:      aws.String(c.Region),
-			Credentials: stscreds.NewCredentials(sess, c.UserRoleArn),
-		}
+		logrus.WithFields(logrus.Fields{
+			"UserRoleArn":        c.UserRoleArn,
+			"UserRoleExternalID": c.UserRoleExternalID,
+		}).Info("Setting up credentials with UserRoleArn")
+
+		creds := stscreds.NewCredentials(sess, c.UserRoleArn, func(provider *stscreds.AssumeRoleProvider) {
+			if c.UserRoleExternalID != "" {
+				logrus.WithField("ExternalID", c.UserRoleExternalID).Info("Setting up creds with UserRoleExternalID")
+				provider.ExternalID = aws.String(c.UserRoleExternalID)
+			}
+		})
+
+		// Update the config with the assumed role credentials, reuse the session
+		conf.Credentials = creds
+		client = s3.New(sess, conf)
+		logrus.Info("Created S3 client with assumed user role")
+		// }
 
-		client = s3.New(sess, &confRoleArn)
 	} else {
-		client = s3.New(sess)
+		// Use the original session for the S3 client if no UserRoleArn is set
+		client = s3.New(sess, conf)
+		logrus.Info("Created S3 client with default session")
 	}
 
+	logrus.WithFields(logrus.Fields{
+		"Client": client,
+	}).Info("New Client set here.")
+
 	backend := &Backend{
 		logger:     l,
 		bucket:     c.Bucket,
@@ -89,6 +113,7 @@ func New(l log.Logger, c Config, debug bool) (*Backend, error) {
 		backend.acl = c.ACL
 	}
 
+
 	return backend, nil
 }
 
@@ -193,22 +218,30 @@ func (b *Backend) List(ctx context.Context, p string) ([]common.FileEntry, error
 	return entries, err
 }
 
-func assumeRole(roleArn, roleSessionName string, externalID string) *credentials.Credentials {
-	sess, _ := session.NewSession()
-	client := sts.New(sess) // nolint:staticcheck
-	duration := time.Hour * 1
-	stsProvider := &stscreds.AssumeRoleProvider{
-		Client:          client,
-		Duration:        duration,
+// AssumeRole logic
+func assumeRole(roleArn, roleSessionName, externalID string) *credentials.Credentials {
+
+	sess, err := session.NewSession()
+	if err != nil {
+		logrus.WithError(err).Error("Failed to create session for role assumption")
+		return nil
+	}
+
+	stsClient := sts.New(sess)
+	roleProvider := &stscreds.AssumeRoleProvider{
+		Client:          stsClient,
 		RoleARN:         roleArn,
 		RoleSessionName: roleSessionName,
+		Duration:        time.Hour, // 1-hour session
 	}
 
 	if externalID != "" {
-		stsProvider.ExternalID = &externalID
+		roleProvider.ExternalID = aws.String(externalID)
 	}
+
+	creds := credentials.NewCredentials(roleProvider)
 
-	return credentials.NewCredentials(stsProvider)
+	return creds
 }
 
 func assumeRoleWithWebIdentity(roleArn, roleSessionName, webIdentityToken string) (*credentials.Credentials, error) {

storage/backend/s3/s3_test.go

@@ -13,9 +13,11 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/go-kit/kit/log"
+	"github.com/sirupsen/logrus"
 
 	"github.com/meltwater/drone-cache/test"
 )
@@ -55,22 +57,52 @@ func TestRoundTrip(t *testing.T) {
 	roundTrip(t, backend)
 }
 
-func TestRoundTripWithAssumeRole(t *testing.T) {
+func TestRoundTripWithAssumeRoleAndExternalID(t *testing.T) {
 	t.Parallel()
 
+	// Log the credentials being used for the test (without exposing secrets)
+	logrus.WithFields(logrus.Fields{
+		"RoleARN": "arn:aws:iam::account-id:role/TestRole",
+	}).Info("Setting up AssumeRole test")
+
+	// Setting up the base session with static credentials
+	baseSess, err := session.NewSession(&aws.Config{
+		Region:      aws.String(defaultRegion),
+		Endpoint:    aws.String(endpoint),
+		DisableSSL:  aws.Bool(true),
+		Credentials: credentials.NewStaticCredentials(accessKey, secretAccessKey, ""), // Use static credentials for the base session
+	})
+	if err != nil {
+		t.Fatalf("failed to create base session: %v", err)
+	}
+
+	// Use stscreds.NewCredentials for assuming the role
+	creds := stscreds.NewCredentials(baseSess, "arn:aws:iam::account-id:role/TestRole", func(p *stscreds.AssumeRoleProvider) {
+		p.ExternalID = aws.String("example-external-id") // Optionally pass ExternalID
+		logrus.WithField("externalID", "example-external-id").Info("Using external ID for assume role")
+	})
+
+	// Setup backend using the assumed role credentials
 	backend, cleanUp := setup(t, Config{
 		ACL:                   acl,
 		Bucket:                "s3-round-trip-with-role",
 		Endpoint:              endpoint,
 		StsEndpoint:           endpoint,
-		Key:                   userAccessKey,
-		PathStyle:             true, // Should be true for minio and false for AWS.
+		PathStyle:             true,
+		Key:                   accessKey,
+		Secret:                secretAccessKey,
 		Region:                defaultRegion,
-		Secret:                userSecretAccessKey,
 		AssumeRoleARN:         "arn:aws:iam::account-id:role/TestRole",
 		AssumeRoleSessionName: "drone-cache",
+		ExternalID:            "example-external-id",
+		UserRoleExternalID:    "example-external-id",
+		Credentials:           creds, // Pass the assumed role credentials here
 	})
+
+	// Cleanup after the test
 	t.Cleanup(cleanUp)
+
+	// Perform the round-trip test
 	roundTrip(t, backend)
 }
 
@@ -124,15 +156,32 @@ func setup(t *testing.T, config Config) (*Backend, func()) {
 }
 
 func newClient(config Config) *s3.S3 {
+	var creds *credentials.Credentials
+	if config.Key != "" && config.Secret != "" {
+		creds = credentials.NewStaticCredentials(config.Key, config.Secret, "")
+	} else {
+		creds = credentials.NewEnvCredentials()
+		logrus.Info("Using environment-based credentials for S3 client")
+	}
+
 	conf := &aws.Config{
-		Region:           aws.String(defaultRegion),
-		Endpoint:         aws.String(endpoint),
-		DisableSSL:       aws.Bool(strings.HasPrefix(endpoint, "http://")),
-		S3ForcePathStyle: aws.Bool(true),
-		Credentials:      credentials.NewStaticCredentials(config.Key, config.Secret, ""),
+		Region:                        aws.String(defaultRegion),
+		Endpoint:                      aws.String(endpoint),
+		DisableSSL:                    aws.Bool(strings.HasPrefix(endpoint, "http://")),
+		S3ForcePathStyle:              aws.Bool(true),
+		Credentials:                   creds,
+		CredentialsChainVerboseErrors: aws.Bool(true),
 	}
 
-	return s3.New(session.Must(session.NewSessionWithOptions(session.Options{})), conf)
+	logrus.WithFields(logrus.Fields{
+		"Region":    defaultRegion,
+		"Endpoint":  endpoint,
+		"AccessKey": config.Key,
+	}).Info("Creating new S3 client")
+
+	return s3.New(session.Must(session.NewSessionWithOptions(session.Options{
+		SharedConfigState: session.SharedConfigEnable,
+	})), conf)
 }
 
 func getEnv(key, defaultVal string) string {