package s3
import (
"context"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/pkg/errors"
"go.jetpack.io/devbox/internal/devbox/devopt"
)
// Fixed targets used by global push. They are deliberately not
// user-configurable yet.
//
// TODO(landau): making the bucket and role customizable would let people use
// their own; doing so would require removing the user from this lib.
const (
	// bucket is the S3 bucket that global push writes to.
	bucket = "devbox.sh"

	// region is pinned to the region the bucket lives in. If the user's default
	// region were pulled from their config instead, the region mismatch would
	// stop them from running global push.
	region = "us-east-2"

	// roleArn is the federated role that is assumed with the user's identity
	// token to obtain short-lived credentials for the bucket.
	roleArn = "arn:aws:iam::984256416385:role/JetpackS3Federated"
)
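// assumeRole exchanges the user's identity token for short-lived AWS
// credentials by assuming roleArn through STS AssumeRoleWithWebIdentity, and
// returns an aws.Config that carries those credentials and is pinned to the
// bucket's region.
//
// c supplies the web identity token and the email that is used as the STS
// session name. An error is returned when c is nil, when the default AWS
// config cannot be loaded, when STS rejects the token, or when the STS
// response carries no credentials.
func assumeRole(ctx context.Context, c *devopt.Credentials) (*aws.Config, error) {
	if c == nil {
		return nil, errors.New("assume role: no credentials provided")
	}

	// AssumeRoleWithWebIdentity authenticates with the identity token itself,
	// so this config does not need to carry any AWS permissions. A failure to
	// load it is still surfaced rather than discarded.
	noPermsConfig, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		return nil, errors.WithStack(err)
	}
	stsClient := sts.NewFromConfig(noPermsConfig)

	creds, err := stsClient.AssumeRoleWithWebIdentity(
		ctx,
		&sts.AssumeRoleWithWebIdentityInput{
			RoleArn:          aws.String(roleArn),
			RoleSessionName:  aws.String(c.Email),
			WebIdentityToken: aws.String(c.IDToken),
		},
	)
	if err != nil {
		return nil, errors.WithStack(err)
	}
	// The SDK models Credentials and its fields as pointers; guard the chain so
	// an unexpected empty response becomes an error instead of a nil
	// dereference.
	if creds == nil || creds.Credentials == nil {
		return nil, errors.New("assume role: STS returned no credentials")
	}

	// Build the caller-facing config around the temporary credentials. The
	// local is named cfg so the aws config package is not shadowed. Region is
	// fixed to where the bucket lives; the user's default region would
	// otherwise cause a region mismatch.
	cfg, err := config.LoadDefaultConfig(
		ctx,
		config.WithRegion(region),
		config.WithCredentialsProvider(
			credentials.NewStaticCredentialsProvider(
				aws.ToString(creds.Credentials.AccessKeyId),
				aws.ToString(creds.Credentials.SecretAccessKey),
				aws.ToString(creds.Credentials.SessionToken),
			),
		),
	)
	if err != nil {
		return nil, errors.WithStack(err)
	}
	return &cfg, nil
}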