Add support for AWS Auth with WebIdentity/OIDC

S3/Config.py

@@ -15,6 +15,9 @@
 import io
 import sys
 import json
+import time
+import urllib.parse
+import xml.etree.cElementTree
 from . import Progress
 from .SortedDict import SortedDict
 try:
@@ -268,23 +271,48 @@ def role_config(self):
         Get credentials from IAM authentication
         """
         try:
-            conn = httplib.HTTPConnection(host='169.254.169.254', timeout = 2)
-            conn.request('GET', "/latest/meta-data/iam/security-credentials/")
-            resp = conn.getresponse()
-            files = resp.read()
-            if resp.status == 200 and len(files)>1:
-                conn.request('GET', "/latest/meta-data/iam/security-credentials/%s" % files.decode('utf-8'))
-                resp=conn.getresponse()
-                if resp.status == 200:
-                    resp_content = config_unicodise(resp.read())
-                    creds=json.loads(resp_content)
-                    Config().update_option('access_key', config_unicodise(creds['AccessKeyId']))
-                    Config().update_option('secret_key', config_unicodise(creds['SecretAccessKey']))
-                    Config().update_option('access_token', config_unicodise(creds['Token']))
+            role_arn = os.environ.get('AWS_ROLE_ARN')
+            web_identity_token_file = os.environ.get('AWS_WEB_IDENTITY_TOKEN_FILE')
+            role_session_name = 'role-session-%s' % (int(time.time()))
+            if web_identity_token_file:
+                with open(web_identity_token_file) as f:
+                    web_identity_token = f.read()
+                params = { 
+                  "Action": "AssumeRoleWithWebIdentity",
+                  "Version": "2011-06-15",
+                  "RoleArn": role_arn,
+                  "RoleSessionName": role_session_name,
+                  "WebIdentityToken": web_identity_token
+                }
+                conn = httplib.HTTPSConnection(host='sts.amazonaws.com', timeout = 2)
+                conn.request('POST', '/?' + urllib.parse.urlencode(params))
+                resp = conn.getresponse()
+                files = resp.read()
+                if resp.status == 200 and len(files)>1:
+                    creds = parse_xml_to_dict(files)
+                    Config().update_option('access_key', creds['AssumeRoleWithWebIdentityResult']['Credentials']['AccessKeyId'])
+                    Config().update_option('secret_key', creds['AssumeRoleWithWebIdentityResult']['Credentials']['SecretAccessKey'])
+                    Config().update_option('access_token', creds['AssumeRoleWithWebIdentityResult']['Credentials']['SessionToken'])
                 else:
                     raise IOError
             else:
-                raise IOError
+                conn = httplib.HTTPConnection(host='169.254.169.254', timeout = 2)
+                conn.request('GET', "/latest/meta-data/iam/security-credentials/")
+                resp = conn.getresponse()
+                files = resp.read()
+                if resp.status == 200 and len(files)>1:
+                    conn.request('GET', "/latest/meta-data/iam/security-credentials/%s" % files.decode('utf-8'))
+                    resp=conn.getresponse()
+                    if resp.status == 200:
+                        resp_content = config_unicodise(resp.read())
+                        creds=json.loads(resp_content)
+                        Config().update_option('access_key', config_unicodise(creds['AccessKeyId']))
+                        Config().update_option('secret_key', config_unicodise(creds['SecretAccessKey']))
+                        Config().update_option('access_token', config_unicodise(creds['Token']))
+                    else:
+                        raise IOError
+                else:
+                    raise IOError
         except:
             raise