Merge pull request #16568 from zetaab/fixawsauth

fix KOPS_AWS_ROLE_ARN assume behaviour
kubernetes · May 13, 2024 · cbdc646 · cbdc646
2 parents 305860c + 83289b9
commit cbdc646
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 25 deletions.
diff --git a/upup/pkg/fi/cloudup/awsup/aws_cloud.go b/upup/pkg/fi/cloudup/awsup/aws_cloud.go
@@ -262,6 +262,32 @@ func getCloudInstancesFromRegion(region string) AWSCloud {
 	return cloud
 }
 
+func loadAWSConfig(ctx context.Context, region string) (aws.Config, error) {
+	loadOptions := []func(*awsconfig.LoadOptions) error{
+		awsconfig.WithRegion(region),
+		awsconfig.WithClientLogMode(aws.LogRetries),
+		awsconfig.WithLogger(awsLogger{}),
+		awsconfig.WithRetryer(func() aws.Retryer {
+			return retry.NewStandard()
+		}),
+	}
+
+	// assumes the role before executing commands
+	roleARN := os.Getenv("KOPS_AWS_ROLE_ARN")
+	if roleARN != "" {
+		cfg, err := awsconfig.LoadDefaultConfig(ctx, loadOptions...)
+		if err != nil {
+			return aws.Config{}, fmt.Errorf("failed to load default aws config: %w", err)
+		}
+		stsClient := sts.NewFromConfig(cfg)
+		assumeRoleProvider := stscredsv2.NewAssumeRoleProvider(stsClient, roleARN)
+
+		loadOptions = append(loadOptions, awsconfig.WithCredentialsProvider(assumeRoleProvider))
+	}
+
+	return awsconfig.LoadDefaultConfig(ctx, loadOptions...)
+}
+
 func NewAWSCloud(region string, tags map[string]string) (AWSCloud, error) {
 	ctx := context.TODO()
 	raw := getCloudInstancesFromRegion(region)
@@ -274,29 +300,7 @@ func NewAWSCloud(region string, tags map[string]string) (AWSCloud, error) {
 			},
 		}
 
-		loadOptions := []func(*awsconfig.LoadOptions) error{
-			awsconfig.WithRegion(region),
-			awsconfig.WithClientLogMode(aws.LogRetries),
-			awsconfig.WithLogger(awsLogger{}),
-			awsconfig.WithRetryer(func() aws.Retryer {
-				return retry.NewStandard()
-			}),
-		}
-
-		// assumes the role before executing commands
-		roleARN := os.Getenv("KOPS_AWS_ROLE_ARN")
-		if roleARN != "" {
-			cfg, err := awsconfig.LoadDefaultConfig(ctx, loadOptions...)
-			if err != nil {
-				return c, fmt.Errorf("failed to load default aws config: %w", err)
-			}
-			stsClient := sts.NewFromConfig(cfg)
-			assumeRoleProvider := stscredsv2.NewAssumeRoleProvider(stsClient, roleARN)
-
-			loadOptions = append(loadOptions, awsconfig.WithCredentialsProvider(assumeRoleProvider))
-		}
-
-		cfg, err := awsconfig.LoadDefaultConfig(ctx, loadOptions...)
+		cfg, err := loadAWSConfig(ctx, region)
 		if err != nil {
 			return c, fmt.Errorf("failed to load default aws config: %w", err)
 		}

diff --git a/upup/pkg/fi/cloudup/awsup/aws_utils.go b/upup/pkg/fi/cloudup/awsup/aws_utils.go
@@ -27,7 +27,6 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsv2 "github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
-	awsconfig "github.com/aws/aws-sdk-go-v2/config"
 	autoscalingtypes "github.com/aws/aws-sdk-go-v2/service/autoscaling/types"
 	ec2 "github.com/aws/aws-sdk-go-v2/service/ec2"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
@@ -57,7 +56,7 @@ func ValidateRegion(ctx context.Context, region string) error {
 		if awsRegion == "" {
 			awsRegion = "us-east-1"
 		}
-		cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(awsRegion))
+		cfg, err := loadAWSConfig(ctx, awsRegion)
 		if err != nil {
 			return fmt.Errorf("error loading AWS config: %v", err)
 		}