Merge pull request #66 from robertstettner/assume-role

tboerger · web-flow · commit af61fd697c24 · 2021-05-21T19:18:34.000+02:00
diff --git a/go.mod b/go.mod
@@ -1,5 +1,7 @@
 module github.com/drone-plugins/drone-s3
 
+go 1.15
+
 require (
 	github.com/aws/aws-sdk-go v1.16.17
 	github.com/joho/godotenv v1.3.0
diff --git a/main.go b/main.go
@@ -36,6 +36,17 @@ func main() {
 			Usage:  "aws secret key",
 			EnvVar: "PLUGIN_SECRET_KEY,AWS_SECRET_ACCESS_KEY",
 		},
+		cli.StringFlag{
+			Name:   "assume-role",
+			Usage:  "aws iam role to assume",
+			EnvVar: "PLUGIN_ASSUME_ROLE,ASSUME_ROLE",
+		},
+		cli.StringFlag{
+			Name:   "assume-role-session-name",
+			Usage:  "aws iam role session name to assume",
+			Value:  "drone-s3",
+			EnvVar: "PLUGIN_ASSUME_ROLE_SESSION_NAME,ASSUME_ROLE_SESSION_NAME",
+		},
 		cli.StringFlag{
 			Name:   "bucket",
 			Usage:  "aws bucket",
@@ -129,23 +140,25 @@ func run(c *cli.Context) error {
 	}
 
 	plugin := Plugin{
-		Endpoint:        c.String("endpoint"),
-		Key:             c.String("access-key"),
-		Secret:          c.String("secret-key"),
-		Bucket:          c.String("bucket"),
-		Region:          c.String("region"),
-		Access:          c.String("acl"),
-		Source:          c.String("source"),
-		Target:          c.String("target"),
-		StripPrefix:     c.String("strip-prefix"),
-		Exclude:         c.StringSlice("exclude"),
-		Encryption:      c.String("encryption"),
-		ContentType:     c.Generic("content-type").(*StringMapFlag).Get(),
-		ContentEncoding: c.Generic("content-encoding").(*StringMapFlag).Get(),
-		CacheControl:    c.Generic("cache-control").(*StringMapFlag).Get(),
-		StorageClass:    c.String("storage-class"),
-		PathStyle:       c.Bool("path-style"),
-		DryRun:          c.Bool("dry-run"),
+		Endpoint:              c.String("endpoint"),
+		Key:                   c.String("access-key"),
+		Secret:                c.String("secret-key"),
+		AssumeRole:            c.String("assume-role"),
+		AssumeRoleSessionName: c.String("assume-role-session-name"),
+		Bucket:                c.String("bucket"),
+		Region:                c.String("region"),
+		Access:                c.String("acl"),
+		Source:                c.String("source"),
+		Target:                c.String("target"),
+		StripPrefix:           c.String("strip-prefix"),
+		Exclude:               c.StringSlice("exclude"),
+		Encryption:            c.String("encryption"),
+		ContentType:           c.Generic("content-type").(*StringMapFlag).Get(),
+		ContentEncoding:       c.Generic("content-encoding").(*StringMapFlag).Get(),
+		CacheControl:          c.Generic("cache-control").(*StringMapFlag).Get(),
+		StorageClass:          c.String("storage-class"),
+		PathStyle:             c.Bool("path-style"),
+		DryRun:                c.Bool("dry-run"),
 	}
 
 	return plugin.Exec()
diff --git a/plugin.go b/plugin.go
@@ -6,21 +6,26 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/s3"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/mattn/go-zglob"
 	log "github.com/sirupsen/logrus"
 )
 
 // Plugin defines the S3 plugin parameters.
 type Plugin struct {
-	Endpoint string
-	Key      string
-	Secret   string
-	Bucket   string
+	Endpoint              string
+	Key                   string
+	Secret                string
+	AssumeRole            string
+	AssumeRoleSessionName string
+	Bucket                string
 
 	// if not "", enable server-side encryption
 	// valid values are:
@@ -103,6 +108,8 @@ func (p *Plugin) Exec() error {
 
 	if p.Key != "" && p.Secret != "" {
 		conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
+	} else if p.AssumeRole != "" {
+		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName)
 	} else {
 		log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
 	}
@@ -272,3 +279,16 @@ func matchExtension(match string, stringMap map[string]string) string {
 
 	return ""
 }
+
+func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {
+	client := sts.New(session.New())
+	duration := time.Hour * 1
+	stsProvider := &stscreds.AssumeRoleProvider{
+		Client:          client,
+		Duration:        duration,
+		RoleARN:         roleArn,
+		RoleSessionName: roleSessionName,
+	}
+
+	return credentials.NewCredentials(stsProvider)
+}

-Original file line number
+Diff line change
@@ @@ -1,5 +1,7 @@ @@
 module github.com/drone-plugins/drone-s3
 +go 1.15
++
 require (
 	github.com/aws/aws-sdk-go v1.16.17
 	github.com/joho/godotenv v1.3.0