From 4fe7e7ed59cd33d4179fd60ca8b16fd96f055e5b Mon Sep 17 00:00:00 2001
From: Pavel Sinkevych
Date: Wed, 27 Mar 2019 19:47:15 +0300
Subject: [PATCH] Provide possibility to assume AWS role (AWS STS)

---
 README.md                           |  1 +
 cmd/cloudformation-operator/main.go | 22 +++++++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index ea0cc6a..4d3e056 100644
--- a/README.md
+++ b/README.md
@@ -289,6 +289,7 @@ Check your CloudFormation console once more and validate that your stack as well
 
 Argument | Environment variable | Default value | Description
 ---------|----------------------|---------------|------------
+assume-role | AWS_ASSUME_ROLE | | Assume AWS role when defined. Useful for stacks in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123456789:role/cloudformation-operator`
 capability | AWS_CAPABILITIES | | Enable specified capabilities for all stacks managed by the operator instance. Current parameter can be used multiple times. For example: `--capability CAPABILITY_NAMED_IAM --capability CAPABILITY_IAM`. Or with a line break when specifying as an environment variable: `AWS_CAPABILITIES=CAPABILITY_IAM$'\n'CAPABILITY_NAMED_IAM`
 debug | DEBUG | | Enable debug logging.
 dry-run | DRY_RUN | | If true, don't actually do anything.
diff --git a/cmd/cloudformation-operator/main.go b/cmd/cloudformation-operator/main.go
index 00ada3b..4bf5b12 100644
--- a/cmd/cloudformation-operator/main.go
+++ b/cmd/cloudformation-operator/main.go
@@ -13,13 +13,16 @@ import (
 	sdkVersion "github.com/operator-framework/operator-sdk/version"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/cloudformation"
+	"github.com/aws/aws-sdk-go/service/cloudformation/cloudformationiface"
 )
 
 var (
 	namespace    string
 	region       string
+	assumeRole   string
 	tags         = new(map[string]string)
 	capabilities = []string{}
 	dryRun       bool
@@ -30,6 +33,7 @@ var (
 func init() {
 	kingpin.Flag("namespace", "The Kubernetes namespace to watch").Default("default").Envar("WATCH_NAMESPACE").StringVar(&namespace)
 	kingpin.Flag("region", "The AWS region to use").Envar("AWS_REGION").StringVar(®ion)
+	kingpin.Flag("assume-role", "Assume AWS role when defined. Useful for stacks in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123456789:role/cloudformation-operator`").Envar("AWS_ASSUME_ROLE").StringVar(&assumeRole)
 	kingpin.Flag("capability", "The AWS CloudFormation capability to enable").Envar("AWS_CAPABILITIES").StringsVar(&capabilities)
 	kingpin.Flag("dry-run", "If true, don't actually do anything.").Envar("DRY_RUN").BoolVar(&dryRun)
 	kingpin.Flag("debug", "Enable debug logging.").Envar("DEBUG").BoolVar(&debug)
@@ -58,9 +62,21 @@ func main() {
 
 	printVersion()
 
-	client := cloudformation.New(session.New(), &aws.Config{
-		Region: aws.String(region),
-	})
+	var client cloudformationiface.CloudFormationAPI
+	sess := session.Must(session.NewSession())
+	logrus.Info(assumeRole)
+	if assumeRole != "" {
+		logrus.Info("run assume")
+		creds := stscreds.NewCredentials(sess, assumeRole)
+		client = cloudformation.New(sess, &aws.Config{
+			Credentials: creds,
+			Region:      aws.String(region),
+		})
+	} else {
+		client = cloudformation.New(sess, &aws.Config{
+			Region: aws.String(region),
+		})
+	}
 
 	sdk.Watch("cloudformation.linki.space/v1alpha1", "Stack", namespace, 0)
 	sdk.Handle(stub.NewHandler(client, capabilities, *tags, dryRun))
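Review bot: In the `func main()` hunk the STS AssumeRole call never sees the `--region` flag: `session.NewSession()` is built with no config, and `stscreds.NewCredentials(sess, assumeRole)` derives its STS client from that session, so only the CloudFormation client receives `Region: aws.String(region)` while the STS client falls back to whatever the environment or shared config supplies. Passing the region into the session fixes this and lets both clients share one config, which also collapses the duplicated `cloudformation.New` calls in the `if`/`else`. The two `logrus.Info` lines look like debugging leftovers: `logrus.Info(assumeRole)` prints the raw ARN (or an empty line) at Info level on every start, and `"run assume"` tells an operator nothing; one `logrus.Infof("assuming role %q", assumeRole)` inside the branch is enough. main's body continues past the end of the hunk, so the lines below are only the part between `printVersion()` and `sdk.Watch`.
```go
	printVersion()

	cfg := &aws.Config{Region: aws.String(region)}
	sess := session.Must(session.NewSession(cfg))
	if assumeRole != "" {
		// Cross-account mode: CloudFormation calls run under the assumed role's
		// temporary credentials instead of the pod's own identity.
		logrus.Infof("assuming role %q", assumeRole)
		cfg.Credentials = stscreds.NewCredentials(sess, assumeRole)
	}
	var client cloudformationiface.CloudFormationAPI = cloudformation.New(sess, cfg)
	// … unchanged: sdk.Watch / sdk.Handle …
```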