Resolve #1167 by adding support for the AWS_SESSION_TOKEN (#1170)

* Resolve #1167 by adding support for the AWS_SESSION_TOKEN environment variable and adding a --session-token cli arg

* fix error message

---------

Co-authored-by: Dustin Decker <dustin@trufflesec.com>

main.go

@@ -99,11 +99,12 @@ var (
 	filesystemScanIncludePaths = filesystemScan.Flag("include-paths", "Path to file with newline separated regexes for files to include in scan.").Short('i').String()
 	filesystemScanExcludePaths = filesystemScan.Flag("exclude-paths", "Path to file with newline separated regexes for files to exclude in scan.").Short('x').String()
 
-	s3Scan         = cli.Command("s3", "Find credentials in S3 buckets.")
-	s3ScanKey      = s3Scan.Flag("key", "S3 key used to authenticate. Can be provided with environment variable AWS_ACCESS_KEY_ID.").Envar("AWS_ACCESS_KEY_ID").String()
-	s3ScanSecret   = s3Scan.Flag("secret", "S3 secret used to authenticate. Can be provided with environment variable AWS_SECRET_ACCESS_KEY.").Envar("AWS_SECRET_ACCESS_KEY").String()
-	s3ScanCloudEnv = s3Scan.Flag("cloud-environment", "Use IAM credentials in cloud environment.").Bool()
-	s3ScanBuckets  = s3Scan.Flag("bucket", "Name of S3 bucket to scan. You can repeat this flag.").Strings()
+	s3Scan             = cli.Command("s3", "Find credentials in S3 buckets.")
+	s3ScanKey          = s3Scan.Flag("key", "S3 key used to authenticate. Can be provided with environment variable AWS_ACCESS_KEY_ID.").Envar("AWS_ACCESS_KEY_ID").String()
+	s3ScanSecret       = s3Scan.Flag("secret", "S3 secret used to authenticate. Can be provided with environment variable AWS_SECRET_ACCESS_KEY.").Envar("AWS_SECRET_ACCESS_KEY").String()
+	s3ScanSessionToken = s3Scan.Flag("session-token", "S3 session token used to authenticate temporary credentials. Can be provided with environment variable AWS_SESSION_TOKEN.").Envar("AWS_SESSION_TOKEN").String()
+	s3ScanCloudEnv     = s3Scan.Flag("cloud-environment", "Use IAM credentials in cloud environment.").Bool()
+	s3ScanBuckets      = s3Scan.Flag("bucket", "Name of S3 bucket to scan. You can repeat this flag.").Strings()
 
 	gcsScan           = cli.Command("gcs", "Find credentials in GCS buckets.")
 	gcsProjectID      = gcsScan.Flag("project-id", "GCS project ID used to authenticate. Can NOT be used with unauth scan. Can be provided with environment variable GOOGLE_CLOUD_PROJECT.").Envar("GOOGLE_CLOUD_PROJECT").String()
@@ -382,10 +383,11 @@ func run(state overseer.State) {
 		}
 	case s3Scan.FullCommand():
 		cfg := sources.S3Config{
-			Key:       *s3ScanKey,
-			Secret:    *s3ScanSecret,
-			Buckets:   *s3ScanBuckets,
-			CloudCred: *s3ScanCloudEnv,
+			Key:          *s3ScanKey,
+			Secret:       *s3ScanSecret,
+			SessionToken: *s3ScanSessionToken,
+			Buckets:      *s3ScanBuckets,
+			CloudCred:    *s3ScanCloudEnv,
 		}
 		if err := e.ScanS3(ctx, cfg); err != nil {
 			logFatal(err, "Failed to scan S3.")

pkg/engine/s3.go

@@ -22,17 +22,27 @@ func (e *Engine) ScanS3(ctx context.Context, c sources.S3Config) error {
 		Credential: &sourcespb.S3_Unauthenticated{},
 	}
 	if c.CloudCred {
-		if len(c.Key) > 0 || len(c.Secret) > 0 {
-			return fmt.Errorf("cannot use cloud credentials and basic auth together")
+		if len(c.Key) > 0 || len(c.Secret) > 0 || len(c.SessionToken) > 0 {
+			return fmt.Errorf("cannot use cloud environment and static credentials together")
 		}
 		connection.Credential = &sourcespb.S3_CloudEnvironment{}
 	}
 	if len(c.Key) > 0 && len(c.Secret) > 0 {
-		connection.Credential = &sourcespb.S3_AccessKey{
-			AccessKey: &credentialspb.KeySecret{
-				Key:    c.Key,
-				Secret: c.Secret,
-			},
+		if len(c.SessionToken) > 0 {
+			connection.Credential = &sourcespb.S3_SessionToken{
+				SessionToken: &credentialspb.AWSSessionTokenSecret{
+					Key:          c.Key,
+					Secret:       c.Secret,
+					SessionToken: c.SessionToken,
+				},
+			}
+		} else {
+			connection.Credential = &sourcespb.S3_AccessKey{
+				AccessKey: &credentialspb.KeySecret{
+					Key:    c.Key,
+					Secret: c.Secret,
+				},
+			}
 		}
 	}
 	if len(c.Buckets) > 0 {