Add support for assume role to ECR (#55)

* Add support for assume role to ECR * fix errors * fix UTs * fix format
drone · Jul 12, 2022 · f1cb9b2 · f1cb9b2
1 parent c7770b6
commit f1cb9b2
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 15 deletions.
diff --git a/cmd/kaniko-ecr/main.go b/cmd/kaniko-ecr/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -12,14 +13,19 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
-  "github.com/aws/smithy-go"
-	kaniko "github.com/drone/drone-kaniko"
-	"github.com/drone/drone-kaniko/pkg/artifact"
-	"github.com/drone/drone-kaniko/pkg/docker"
+	awsv1 "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+	"github.com/aws/aws-sdk-go/aws/session"
+	ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/aws/smithy-go"
 	"github.com/joho/godotenv"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
+
+	kaniko "github.com/drone/drone-kaniko"
+	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/docker"
 )
 
 const (
@@ -154,6 +160,16 @@ func main() {
 			Usage:  "ECR secret key",
 			EnvVar: "PLUGIN_SECRET_KEY",
 		},
+		cli.StringFlag{
+			Name:   "assume-role",
+			Usage:  "Assume a role",
+			EnvVar: "PLUGIN_ASSUME_ROLE",
+		},
+		cli.StringFlag{
+			Name:   "external-id",
+			Usage:  "Used along with assume role to assume a role",
+			EnvVar: "PLUGIN_EXTERNAL_ID",
+		},
 		cli.StringFlag{
 			Name:   "snapshot-mode",
 			Usage:  "Specify one of full, redo or time as snapshot mode",
@@ -228,6 +244,9 @@ func run(c *cli.Context) error {
 		c.String("access-key"),
 		c.String("secret-key"),
 		registry,
+		c.String("assume-role"),
+		c.String("external-id"),
+		region,
 		noPush,
 	)
 	if err != nil {
@@ -306,13 +325,22 @@ func run(c *cli.Context) error {
 	return plugin.Exec()
 }
 
-func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey, registry string, noPush bool) (*docker.Config, error) {
+func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey,
+	registry, assumeRole, externalId, region string, noPush bool) (*docker.Config, error) {
 	dockerConfig := docker.NewConfig()
 
 	if dockerUsername != "" {
 		dockerConfig.SetAuth(docker.RegistryV1, dockerUsername, dockerPassword)
 	}
 
+	if accessKey == "" && assumeRole != "" {
+		var err error
+		accessKey, secretKey, err = getAssumeRoleCreds(region, assumeRole, externalId, "")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// only setup auth when pushing or credentials are defined
 	if !noPush || accessKey != "" {
 		if registry == "" {
@@ -419,6 +447,50 @@ func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy string) (er
 	return err
 }
 
+func getAssumeRoleCreds(region, roleArn, externalId, roleSessionName string) (string, string, error) {
+	sess, err := session.NewSession(&awsv1.Config{Region: &region})
+	if err != nil {
+		return "", "", errors.Wrap(err, "failed to create aws session")
+	}
+
+	svc := ecrv1.New(sess, &awsv1.Config{
+		Credentials: stscreds.NewCredentials(sess, roleArn, func(p *stscreds.AssumeRoleProvider) {
+			if externalId != "" {
+				p.ExternalID = &externalId
+			}
+		}),
+	})
+
+	username, password, _, err := getAuthInfo(svc)
+	if err != nil {
+		return "", "", errors.Wrap(err, "failed to get ECR auth")
+	}
+	return username, password, nil
+}
+
+func getAuthInfo(svc *ecrv1.ECR) (username, password, registry string, err error) {
+	var result *ecrv1.GetAuthorizationTokenOutput
+	var decoded []byte
+
+	result, err = svc.GetAuthorizationToken(&ecrv1.GetAuthorizationTokenInput{})
+	if err != nil {
+		return
+	}
+
+	auth := result.AuthorizationData[0]
+	token := *auth.AuthorizationToken
+	decoded, err = base64.StdEncoding.DecodeString(token)
+	if err != nil {
+		return
+	}
+
+	registry = strings.TrimPrefix(*auth.ProxyEndpoint, "https://")
+	creds := strings.Split(string(decoded), ":")
+	username = creds[0]
+	password = creds[1]
+	return
+}
+
 func isRegistryPublic(registry string) bool {
 	return strings.HasPrefix(registry, ecrPublicDomain)
 }
diff --git a/cmd/kaniko-ecr/main_test.go b/cmd/kaniko-ecr/main_test.go
@@ -14,6 +14,9 @@ func TestCreateDockerConfig(t *testing.T) {
 		"access-key",
 		"secret-key",
 		"ecr-registry",
+		"",
+		"",
+		"",
 		false,
 	)
 	if err != nil {

diff --git a/go.mod b/go.mod
@@ -1,6 +1,7 @@
 module github.com/drone/drone-kaniko
 
 require (
+	github.com/aws/aws-sdk-go v1.44.51
 	github.com/aws/aws-sdk-go-v2 v1.8.1
 	github.com/aws/aws-sdk-go-v2/config v1.6.1
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.4.3
@@ -12,7 +13,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.3.0
 	github.com/urfave/cli v1.22.2
-	golang.org/x/mod v0.4.2
+	golang.org/x/mod v0.5.1
 )
 
 require (
@@ -28,7 +29,7 @@ require (
 	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect
-	golang.org/x/sys v0.0.0-20190412213103-97732733099d // indirect
+	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
 )
 
 go 1.18
diff --git a/go.sum b/go.sum
@@ -1,4 +1,6 @@
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/aws/aws-sdk-go v1.44.51 h1:jO9hoLynZOrMM4dj0KjeKIK+c6PA+HQbKoHOkAEye2Y=
+github.com/aws/aws-sdk-go v1.44.51/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v1.8.1 h1:GcFgQl7MsBygmeeqXyV1ivrTEmsVz/rdFJaTcltG9ag=
 github.com/aws/aws-sdk-go-v2 v1.8.1/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0=
 github.com/aws/aws-sdk-go-v2/config v1.6.1 h1:qrZINaORyr78syO1zfD4l7r4tZjy0Z1l0sy4jiysyOM=
@@ -59,19 +61,20 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
+golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=