refactor: switch from awsutil to awsutilv2

go.mod

@@ -4,37 +4,40 @@ go 1.20
 
 require (
 	github.com/aws/aws-sdk-go v1.44.80
-	github.com/aws/aws-sdk-go-v2 v1.18.0
-	github.com/aws/aws-sdk-go-v2/config v1.18.19
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.18
+	github.com/aws/aws-sdk-go-v2 v1.20.1
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.99.0
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.31.1
-	github.com/aws/smithy-go v1.13.5
+	github.com/aws/aws-sdk-go-v2/service/iam v1.22.2
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.38.2
+	github.com/aws/aws-sdk-go-v2/service/sts v1.21.2
+	github.com/aws/smithy-go v1.14.1
 	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/boundary/sdk v0.0.33
 	github.com/hashicorp/go-secure-stdlib/awsutil v0.2.2
 	github.com/hashicorp/terraform-json v0.14.0
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
 	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.28.1
 )
 
+replace github.com/hashicorp/go-secure-stdlib/awsutil v0.2.2 => github.com/hashicorp/go-secure-stdlib/awsutilv2 v0.0.0-20230809054404-9029211590fd
+
 require (
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.26 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.12 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.18.33 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.39 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.33 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.13.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.14.1 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -53,7 +56,6 @@ require (
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/pointerstructure v1.2.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/zclconf/go-cty v1.10.0 // indirect
 	golang.org/x/crypto v0.8.0 // indirect

internal/credential/attributes.go

@@ -9,7 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/hashicorp/boundary-plugin-aws/internal/errors"
 	"github.com/hashicorp/boundary-plugin-aws/internal/values"
-	"github.com/hashicorp/go-secure-stdlib/awsutil"
+	awsutilv2 "github.com/hashicorp/go-secure-stdlib/awsutil"
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
@@ -37,7 +37,7 @@ type CredentialAttributes struct {
 // GetCredentialsConfig parses values out of a protobuf struct secrets and returns a
 // CredentialsConfig used for configuring an AWS session. An error is returned if
 // any unrecognized fields are found in the protobuf struct input.
-func GetCredentialsConfig(secrets *structpb.Struct, attrs *CredentialAttributes, required bool) (*awsutil.CredentialsConfig, error) {
+func GetCredentialsConfig(secrets *structpb.Struct, attrs *CredentialAttributes, required bool) (*awsutilv2.CredentialsConfig, error) {
 	// initialize secrets if it is nil
 	// secrets can be nil because static credentials are optional
 	if secrets == nil {
@@ -55,6 +55,10 @@ func GetCredentialsConfig(secrets *structpb.Struct, attrs *CredentialAttributes,
 	}
 	delete(unknownFields, ConstAccessKeyId)
 
+	if accessKey != "" && GetCredentialType(accessKey) != Static {
+		badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = "requires long-term access key beginning with \"AKIA\" prefix"
+	}
+
 	secretKey, err := values.GetStringValue(secrets, ConstSecretAccessKey, required)
 	if err != nil {
 		badFields[fmt.Sprintf("secrets.%s", ConstSecretAccessKey)] = err.Error()
@@ -68,36 +72,53 @@ func GetCredentialsConfig(secrets *structpb.Struct, attrs *CredentialAttributes,
 		badFields[fmt.Sprintf("secrets.%s", s)] = "unrecognized field"
 	}
 
+	opts := []awsutilv2.Option{}
+	// logic for parsing the credential type
+	// supported types:
+	//		- user static credential
+	//		- ec2 assume role dynamic credential
+	//		- enviornment variables credential
+	switch {
+	// static credentials and dynamic credentials cannot be used together
+	case accessKey != "" && secretKey != "" && attrs.RoleArn != "":
+		badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = "conflicts with role_arn value"
+		badFields[fmt.Sprintf("secrets.%s", ConstSecretAccessKey)] = "conflicts with role_arn value"
+		badFields[fmt.Sprintf("secrets.%s", ConstRoleArn)] = "conflicts with access_key_id and secret_access_key values"
+	// static credential is missing it's secret_access_key
+	case accessKey != "" && secretKey == "":
+		badFields[fmt.Sprintf("secrets.%s", ConstSecretAccessKey)] = "missing required value"
+	// static credential is missing it's access_key_id
+	case accessKey == "" && secretKey != "":
+		badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = "missing required value"
+	// add static credentials
+	case accessKey != "" && secretKey != "":
+		opts = append(opts,
+			awsutilv2.WithAccessKey(accessKey),
+			awsutilv2.WithSecretKey(secretKey),
+		)
+	// add dynamic credentials
+	case attrs.RoleArn != "":
+		opts = append(opts, awsutilv2.WithRoleArn(attrs.RoleArn))
+	}
+
 	if len(badFields) > 0 {
 		return nil, errors.InvalidArgumentError("Error in the secrets provided", badFields)
 	}
 
-	opts := []awsutil.Option{
-		awsutil.WithEnvironmentCredentials(true),
-	}
-	if accessKey != "" && secretKey != "" {
-		opts = append(opts,
-			awsutil.WithAccessKey(accessKey),
-			awsutil.WithSecretKey(secretKey),
-		)
-	}
 	if attrs.Region != "" {
-		opts = append(opts, awsutil.WithRegion(attrs.Region))
-	}
-	if attrs.RoleArn != "" {
-		opts = append(opts, awsutil.WithRoleArn(attrs.RoleArn))
+		opts = append(opts, awsutilv2.WithRegion(attrs.Region))
 	}
 	if attrs.RoleExternalId != "" {
-		opts = append(opts, awsutil.WithRoleExternalId(attrs.RoleExternalId))
+		opts = append(opts, awsutilv2.WithRoleExternalId(attrs.RoleExternalId))
 	}
 	if attrs.RoleSessionName != "" {
-		opts = append(opts, awsutil.WithRoleSessionName(attrs.RoleSessionName))
+		opts = append(opts, awsutilv2.WithRoleSessionName(attrs.RoleSessionName))
 	}
 	if len(attrs.RoleTags) != 0 {
-		opts = append(opts, awsutil.WithRoleTags(attrs.RoleTags))
+		opts = append(opts, awsutilv2.WithRoleTags(attrs.RoleTags))
 	}
 
-	return awsutil.NewCredentialsConfig(opts...)
+	return awsutilv2.NewCredentialsConfig(opts...)
 }
 
 // GetCredentialAttributes parses values out of a protobuf struct input and returns a

internal/credential/attributes_test.go

@@ -6,7 +6,7 @@ package credential
 import (
 	"testing"
 
-	"github.com/hashicorp/go-secure-stdlib/awsutil"
+	awsutilv2 "github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -114,31 +114,44 @@ func TestGetCredentialsConfig(t *testing.T) {
 		secrets             *structpb.Struct
 		required            bool
 		attrs               *CredentialAttributes
-		expected            *awsutil.CredentialsConfig
+		expected            *awsutilv2.CredentialsConfig
 		expectedErrContains string
 	}{
 		{
-			name: "no secrets",
+			name: "no credentials",
 			attrs: &CredentialAttributes{
 				Region: "us-west-2",
 			},
-			expected: &awsutil.CredentialsConfig{
+			expected: &awsutilv2.CredentialsConfig{
 				Region: "us-west-2",
 			},
 		},
+		{
+			name: "with invalid static credentials",
+			secrets: &structpb.Struct{
+				Fields: map[string]*structpb.Value{
+					ConstAccessKeyId:     structpb.NewStringValue("ASIAfoobar"),
+					ConstSecretAccessKey: structpb.NewStringValue("bazqux"),
+				},
+			},
+			attrs: &CredentialAttributes{
+				Region: "us-west-2",
+			},
+			expectedErrContains: `secrets.access_key_id: requires long-term access key beginning with "AKIA" prefix`,
+		},
 		{
 			name: "with static credentials",
 			secrets: &structpb.Struct{
 				Fields: map[string]*structpb.Value{
-					ConstAccessKeyId:     structpb.NewStringValue("foobar"),
+					ConstAccessKeyId:     structpb.NewStringValue("AKIAfoobar"),
 					ConstSecretAccessKey: structpb.NewStringValue("bazqux"),
 				},
 			},
 			attrs: &CredentialAttributes{
 				Region: "us-west-2",
 			},
-			expected: &awsutil.CredentialsConfig{
-				AccessKey: "foobar",
+			expected: &awsutilv2.CredentialsConfig{
+				AccessKey: "AKIAfoobar",
 				SecretKey: "bazqux",
 				Region:    "us-west-2",
 			},
@@ -160,7 +173,7 @@ func TestGetCredentialsConfig(t *testing.T) {
 			name: "missing secret key",
 			secrets: &structpb.Struct{
 				Fields: map[string]*structpb.Value{
-					ConstAccessKeyId: structpb.NewStringValue("foobar"),
+					ConstAccessKeyId: structpb.NewStringValue("AKIAfoobar"),
 				},
 			},
 			required: true,
@@ -173,7 +186,7 @@ func TestGetCredentialsConfig(t *testing.T) {
 			name: "unknown fields",
 			secrets: &structpb.Struct{
 				Fields: map[string]*structpb.Value{
-					ConstAccessKeyId:     structpb.NewStringValue("foobar"),
+					ConstAccessKeyId:     structpb.NewStringValue("AKIAfoobar"),
 					ConstSecretAccessKey: structpb.NewStringValue("bazqux"),
 					"foo":                structpb.NewBoolValue(true),
 					"bar":                structpb.NewBoolValue(true),
@@ -188,16 +201,16 @@ func TestGetCredentialsConfig(t *testing.T) {
 			name: "valid ignore creds_last_rotated_time",
 			secrets: &structpb.Struct{
 				Fields: map[string]*structpb.Value{
-					ConstAccessKeyId:          structpb.NewStringValue("foobar"),
+					ConstAccessKeyId:          structpb.NewStringValue("AKIAfoobar"),
 					ConstSecretAccessKey:      structpb.NewStringValue("bazqux"),
 					ConstCredsLastRotatedTime: structpb.NewStringValue("2006-01-02T15:04:05+07:00"),
 				},
 			},
 			attrs: &CredentialAttributes{
 				Region: "us-west-2",
 			},
-			expected: &awsutil.CredentialsConfig{
-				AccessKey: "foobar",
+			expected: &awsutilv2.CredentialsConfig{
+				AccessKey: "AKIAfoobar",
 				SecretKey: "bazqux",
 				Region:    "us-west-2",
 			},
@@ -216,7 +229,7 @@ func TestGetCredentialsConfig(t *testing.T) {
 					"foo": "bar",
 				},
 			},
-			expected: &awsutil.CredentialsConfig{
+			expected: &awsutilv2.CredentialsConfig{
 				Region:          "us-west-2",
 				RoleARN:         "arn:aws:iam::123456789012:role/S3Access",
 				RoleExternalId:  "1234567890",
@@ -230,7 +243,7 @@ func TestGetCredentialsConfig(t *testing.T) {
 			name: "with static credential & assume role",
 			secrets: &structpb.Struct{
 				Fields: map[string]*structpb.Value{
-					ConstAccessKeyId:     structpb.NewStringValue("foobar"),
+					ConstAccessKeyId:     structpb.NewStringValue("AKIAfoobar"),
 					ConstSecretAccessKey: structpb.NewStringValue("bazqux"),
 				},
 			},
@@ -243,17 +256,7 @@ func TestGetCredentialsConfig(t *testing.T) {
 					"foo": "bar",
 				},
 			},
-			expected: &awsutil.CredentialsConfig{
-				AccessKey:       "foobar",
-				SecretKey:       "bazqux",
-				Region:          "us-west-2",
-				RoleARN:         "arn:aws:iam::123456789012:role/S3Access",
-				RoleExternalId:  "1234567890",
-				RoleSessionName: "test-session",
-				RoleTags: map[string]string{
-					"foo": "bar",
-				},
-			},
+			expectedErrContains: "secrets.access_key_id: conflicts with role_arn value, secrets.role_arn: conflicts with access_key_id and secret_access_key values, secrets.secret_access_key: conflicts with role_arn value",
 		},
 	}