Support non-access key based AWS credentials (#2032)

* Support non-access key based AWS credentials Currently kots determines if the Docker repo being used is an ECR repo. If it is, it expects to be provided with an access key and secret to authenticate with the ECR repo. However in some cases, kots will be run from an assumed role or EC2 instance that doesn't have an access key. The go SDK will use a default credential provider chain if no credentials are specified that will use the instance role or other credentials. This change allows kots to be installed without an access key when using ECR * Update pkg/docker/registry/ecr.go Co-authored-by: Salah Aldeen Al Saleh <sg.alsaleh@gmail.com> * Code review feedback * Update cmd/kots/cli/admin-console-push-images.go Co-authored-by: Salah Aldeen Al Saleh <sg.alsaleh@gmail.com> * remove unneeded parens Co-authored-by: Salah Aldeen Al Saleh <sg.alsaleh@gmail.com>
replicatedhq · Aug 4, 2021 · c960663 · c960663
1 parent 8585a44
commit c960663
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/cmd/kots/cli/admin-console-push-images.go b/cmd/kots/cli/admin-console-push-images.go
@@ -131,7 +131,9 @@ func getECRLogin(endpoint string, keyID string, accessKey string) (string, strin
 
 func getECRService(accessKeyID, secretAccessKey, zone string) *ecr.ECR {
 	awsConfig := &aws.Config{Region: aws.String(zone)}
-	awsConfig.Credentials = credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
+	if accessKeyID != "" && secretAccessKey != "" {
+		awsConfig.Credentials = credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
+	}
 	return ecr.New(session.New(awsConfig))
 }
 

diff --git a/pkg/docker/registry/ecr.go b/pkg/docker/registry/ecr.go
@@ -65,7 +65,9 @@ func GetECRBasicAuthToken(ecrEndpoint, username, password string) (string, error
 
 func getECRService(accessKeyID, secretAccessKey, zone string) *ecr.ECR {
 	awsConfig := &aws.Config{Region: aws.String(zone)}
-	awsConfig.Credentials = credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
+	if accessKeyID != "" && secretAccessKey != "" {
+		awsConfig.Credentials = credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
+	}
 	return ecr.New(session.New(awsConfig))
 }
 

diff --git a/pkg/s3/s3.go b/pkg/s3/s3.go
@@ -48,8 +48,16 @@ func GetConfig() *aws.Config {
 		region = "us-east-1"
 	}
 
+	accessKeyID := os.Getenv("S3_ACCESS_KEY_ID")
+	secretAccessKey := os.Getenv("S3_SECRET_ACCESS_KEY")
+
+	var creds *credentials.Credentials
+	if accessKeyID != "" && secretAccessKey != "" {
+		creds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
+	}
+
 	s3Config := &aws.Config{
-		Credentials:      credentials.NewStaticCredentials(os.Getenv("S3_ACCESS_KEY_ID"), os.Getenv("S3_SECRET_ACCESS_KEY"), ""),
+		Credentials:      creds,
 		Endpoint:         aws.String(os.Getenv("S3_ENDPOINT")),
 		Region:           aws.String(region),
 		DisableSSL:       aws.Bool(true),