upload/aws: add support for session tokens

If a user uses a temporary access key for login, a session token is also
needed.

This commit adds support for it to the internal aws library and also
to the osbuild-upload-aws helper. Note that this doesn't affect the main
osbuild-composer executable nor the worker. Everything here should work
as before and session tokens are not supported. Something for a follow up
if anyone needs it.

Signed-off-by: Ondřej Budai <ondrej@budai.cz>

cmd/osbuild-upload-aws/main.go

@@ -5,12 +5,14 @@ import (
 	"fmt"
 
 	"github.com/aws/aws-sdk-go/aws"
+
 	"github.com/osbuild/osbuild-composer/internal/upload/awsupload"
 )
 
 func main() {
 	var accessKeyID string
 	var secretAccessKey string
+	var sessionToken string
 	var region string
 	var bucketName string
 	var keyName string
@@ -20,6 +22,7 @@ func main() {
 	var arch string
 	flag.StringVar(&accessKeyID, "access-key-id", "", "access key ID")
 	flag.StringVar(&secretAccessKey, "secret-access-key", "", "secret access key")
+	flag.StringVar(&sessionToken, "session-token", "", "session token")
 	flag.StringVar(&region, "region", "", "target region")
 	flag.StringVar(&bucketName, "bucket", "", "target S3 bucket name")
 	flag.StringVar(&keyName, "key", "", "target S3 key name")
@@ -29,7 +32,7 @@ func main() {
 	flag.StringVar(&arch, "arch", "", "arch (x86_64 or aarch64)")
 	flag.Parse()
 
-	a, err := awsupload.New(region, accessKeyID, secretAccessKey)
+	a, err := awsupload.New(region, accessKeyID, secretAccessKey, sessionToken)
 	if err != nil {
 		println(err.Error())
 		return

cmd/osbuild-worker/jobimpl-osbuild.go

@@ -208,7 +208,7 @@ func (impl *OSBuildJobImpl) Run(job worker.Job) error {
 			osbuildJobResult.Success = true
 			osbuildJobResult.UploadStatus = "success"
 		case *target.AWSTargetOptions:
-			a, err := awsupload.New(options.Region, options.AccessKeyID, options.SecretAccessKey)
+			a, err := awsupload.New(options.Region, options.AccessKeyID, options.SecretAccessKey, "")
 			if err != nil {
 				appendTargetError(osbuildJobResult, err)
 				return nil
@@ -244,7 +244,7 @@ func (impl *OSBuildJobImpl) Run(job worker.Job) error {
 			osbuildJobResult.Success = true
 			osbuildJobResult.UploadStatus = "success"
 		case *target.AWSS3TargetOptions:
-			a, err := awsupload.New(options.Region, options.AccessKeyID, options.SecretAccessKey)
+			a, err := awsupload.New(options.Region, options.AccessKeyID, options.SecretAccessKey, "")
 			if err != nil {
 				appendTargetError(osbuildJobResult, err)
 				return nil

internal/boot/aws.go

@@ -13,6 +13,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
+
 	"github.com/osbuild/osbuild-composer/internal/common"
 	"github.com/osbuild/osbuild-composer/internal/upload/awsupload"
 )
@@ -89,7 +90,7 @@ func wrapErrorf(innerError error, format string, a ...interface{}) error {
 // The s3 key is never returned - the same thing is done in osbuild-composer,
 // the user has no way of getting the s3 key.
 func UploadImageToAWS(c *awsCredentials, imagePath string, imageName string) error {
-	uploader, err := awsupload.New(c.Region, c.AccessKeyId, c.SecretAccessKey)
+	uploader, err := awsupload.New(c.Region, c.AccessKeyId, c.SecretAccessKey, "")
 	if err != nil {
 		return fmt.Errorf("cannot create aws uploader: %v", err)
 	}

internal/upload/awsupload/awsupload.go

@@ -21,9 +21,9 @@ type AWS struct {
 	s3       *s3.S3
 }
 
-func New(region, accessKeyID, accessKey string) (*AWS, error) {
+func New(region, accessKeyID, accessKey, sessionToken string) (*AWS, error) {
 	// Session credentials
-	creds := credentials.NewStaticCredentials(accessKeyID, accessKey, "")
+	creds := credentials.NewStaticCredentials(accessKeyID, accessKey, sessionToken)
 
 	// Create a Session with a custom region
 	sess, err := session.NewSession(&aws.Config{