worker: Configure AWS credentials in the worker

2021-09-23 16:40:41 +02:00 · 2021-09-23 16:40:41 +02:00 · 010a1f5022
commit 010a1f5022
parent 7760ca1c92
4 changed files with 781 additions and 6 deletions
--- a/cmd/osbuild-worker/jobimpl-osbuild.go
+++ b/cmd/osbuild-worker/jobimpl-osbuild.go
@ -28,6 +28,7 @@ type OSBuildJobImpl struct {
 	KojiServers map[string]koji.GSSAPICredentials
 	GCPCreds    []byte
 	AzureCreds  *azure.Credentials
+	AWSCreds    string
 }

 func appendTargetError(res *worker.OSBuildJobResult, err error) {
@ -36,6 +37,17 @@ func appendTargetError(res *worker.OSBuildJobResult, err error) {
 	res.TargetErrors = append(res.TargetErrors, errStr)
 }

+// Returns an *awsupload.AWS object with the credentials of the request. If they
+// are not accessible, then try to use the one obtained in the worker
+// configuration.
+func (impl *OSBuildJobImpl) getAWS(region string, accessId string, secret string, token string) (*awsupload.AWS, error) {
+	if accessId != "" && secret != "" {
+		return awsupload.New(region, accessId, secret, token)
+	} else {
+		return awsupload.NewFromFile(impl.AWSCreds, region)
+	}
+}
+
 func (impl *OSBuildJobImpl) Run(job worker.Job) error {
 	// Initialize variable needed for reporting back to osbuild-composer.
 	var osbuildJobResult *worker.OSBuildJobResult = &worker.OSBuildJobResult{
@ -206,7 +218,7 @@ func (impl *OSBuildJobImpl) Run(job worker.Job) error {
 			osbuildJobResult.Success = true
 			osbuildJobResult.UploadStatus = "success"
 		case *target.AWSTargetOptions:
-			a, err := awsupload.New(options.Region, options.AccessKeyID, options.SecretAccessKey, options.SessionToken)
+			a, err := impl.getAWS(options.Region, options.AccessKeyID, options.SecretAccessKey, options.SessionToken)
 			if err != nil {
 				appendTargetError(osbuildJobResult, err)
 				return nil
@ -242,7 +254,7 @@ func (impl *OSBuildJobImpl) Run(job worker.Job) error {
 			osbuildJobResult.Success = true
 			osbuildJobResult.UploadStatus = "success"
 		case *target.AWSS3TargetOptions:
-			a, err := awsupload.New(options.Region, options.AccessKeyID, options.SecretAccessKey, options.SessionToken)
+			a, err := impl.getAWS(options.Region, options.AccessKeyID, options.SecretAccessKey, options.SessionToken)
 			if err != nil {
 				appendTargetError(osbuildJobResult, err)
 				return nil
--- a/cmd/osbuild-worker/main.go
+++ b/cmd/osbuild-worker/main.go
@ -97,6 +97,9 @@ func main() {
 		Azure *struct {
 			Credentials string `toml:"credentials"`
 		} `toml:"azure"`
+		AWS *struct {
+			Credentials string `toml:"credentials"`
+		} `toml:"aws"`
 		Authentication *struct {
 			OAuthURL         string `toml:"oauth_url"`
 			OfflineTokenPath string `toml:"offline_token"`
@ -232,6 +235,14 @@ func main() {
 		}
 	}

+	// If the credentials are not provided in the configuration, then the
+	// worker will look in $HOME/.aws/credentials or at the file pointed by
+	// the "AWS_SHARED_CREDENTIALS_FILE" variable.
+	var awsCredentials = ""
+	if config.AWS != nil {
+		awsCredentials = config.AWS.Credentials
+	}
+
 	jobImpls := map[string]JobImplementation{
 		"osbuild": &OSBuildJobImpl{
 			Store:       store,
@ -239,6 +250,7 @@ func main() {
 			KojiServers: kojiServers,
 			GCPCreds:    gcpCredentials,
 			AzureCreds:  azureCredentials,
+			AWSCreds:    awsCredentials,
 		},
 		"osbuild-koji": &OSBuildKojiJobImpl{
 			Store:       store,