assume roles using webIdentity
ThaSami committed Nov 10, 2023
1 parent faf8c9a commit a3ab249
Showing 1 changed file with 19 additions and 2 deletions.
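--- a/pkg/scalers/aws_common.go
+++ b/pkg/scalers/aws_common.go
@@ -4,6 +4,7 @@ import (
 "context"
 "errors"
 "fmt"
+"os"
 
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/config"
@@ -52,8 +53,24 @@ func getAwsConfig(ctx context.Context, awsRegion string, awsAuthorization awsAut
 
 if metadata.awsAuthorization.awsRoleArn != "" {
 stsSvc := sts.NewFromConfig(cfg)
-stsCredentialProvider := stscreds.NewAssumeRoleProvider(stsSvc, metadata.awsAuthorization.awsRoleArn, func(options *stscreds.AssumeRoleOptions) {})
-cfg.Credentials = aws.NewCredentialsCache(stsCredentialProvider)
+
+// Create the web identity role provider
+stsCredentialProvider := stscreds.NewWebIdentityRoleProvider(
+stsSvc,
+metadata.awsAuthorization.awsRoleArn,
+stscreds.IdentityTokenFile(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")),
+)
+
+// Attempt to retrieve credentials
+_, err := stsCredentialProvider.Retrieve(context.Background())
+if err != nil {
+// Setup AssumeRoleProvider as a fallback
+assumeRoleCredentialProvider := stscreds.NewAssumeRoleProvider(stsSvc, metadata.awsAuthorization.awsRoleArn, func(options *stscreds.AssumeRoleOptions) {})
+cfg.Credentials = aws.NewCredentialsCache(assumeRoleCredentialProvider)
+} else {
+// If the retrieval is successful, use the web identity credentials
+cfg.Credentials = aws.NewCredentialsCache(stsCredentialProvider)
+}
 }
 
 return &cfg, err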
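Review bot: The error from `stsCredentialProvider.Retrieve(context.Background())` is discarded and the code silently switches to `NewAssumeRoleProvider`, so an unset `AWS_WEB_IDENTITY_TOKEN_FILE`, an unreadable token file or a trust-policy rejection all end with the role being assumed through the credentials already on `cfg`, with no record of which path was taken. I would log the web identity error in the fallback branch (with whatever logger the package already uses) and skip the probe entirely when the environment variable is empty, since the failure is then certain. The probe should also take the caller's context, `_, err := stsCredentialProvider.Retrieve(ctx)`, so the STS call follows the cancellation of whoever called `getAwsConfig`. `getAwsConfig` begins and ends outside the hunk.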