Merge pull request #10261 from tthvo/CORS-4055-cred-source

CORS-4055: migrate credential provider check to AWS SDK v2
2026-02-05 06:46:36 +01:00 · 2026-02-03 08:15:44 +00:00
parent 1a283806d7 d67b14e479
commit 9351917279
3 changed files with 30 additions and 23 deletions
--- a/pkg/asset/installconfig/aws/session.go
+++ b/pkg/asset/installconfig/aws/session.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strings"
 	"sync"

 	survey "github.com/AlecAivazis/survey/v2"
@@ -139,19 +138,6 @@ func getCredentialsFromSession(options session.Options) (*credentials.Credential
 	return creds, nil
 }

-// IsStaticCredentials returns whether the credentials value provider are
-// static credentials safe for installer to transfer to cluster for use as-is.
-func IsStaticCredentials(credsValue credentials.Value) bool {
-	switch credsValue.ProviderName {
-	case credentials.EnvProviderName, credentials.StaticProviderName, credentials.SharedCredsProviderName, session.EnvProviderName:
-		return credsValue.SessionToken == ""
-	}
-	if strings.HasPrefix(credsValue.ProviderName, "SharedConfigCredentials") {
-		return credsValue.SessionToken == ""
-	}
-	return false
-}
-
 // errCodeEquals returns true if the error matches all these conditions:
 //   - err is of type awserr.Error
 //   - Error.Code() equals code
--- a/pkg/asset/installconfig/aws/sessionv2.go
+++ b/pkg/asset/installconfig/aws/sessionv2.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"

@@ -35,6 +36,12 @@ const (

 	// RetryBackoffDuration is max duration between retried attempts.
 	RetryBackoffDuration = 300 * time.Second
+
+	// SharedCredsProviderName defines the source name of AWS credentials
+	// from a shared credential file.
+	// Note: The SDK does not expose any constants for this value so
+	// we define one here as a replacement.
+	SharedCredsProviderName = "SharedConfigCredentials" //nolint:gosec
 )

 var (
@@ -126,11 +133,21 @@ func getCredentialsV2(ctx context.Context, options ConfigOptions) (aws.Credentia
 	return creds, nil
 }

-// IsStaticCredentialsV2 returns whether the credentials value provider are
+// IsStaticCredentials returns whether the credentials value provider are
 // static credentials safe for installer to transfer to cluster for use as-is.
-// TODO: Remove suffix V2 when completing migration aws sdk v2 (i.e. removing session.go).
-func IsStaticCredentialsV2(creds aws.Credentials) bool {
-	if creds.Source == credentials.StaticCredentialsName {
+// Reference: https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-credentials
+func IsStaticCredentials(creds aws.Credentials) bool {
+	switch creds.Source {
+	case
+		credentials.StaticCredentialsName, // Credentials explicitly created via credentials.NewStaticCredentialsProvider()
+		config.CredentialsSourceName:      // Credentials loaded from environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) - "EnvConfigCredentials"
+		return creds.SessionToken == ""
+	}
+
+	// Credentials loaded from ~/.aws/credentials or AWS_SHARED_CREDENTIALS_FILE
+	// When using shared credential file, the AWS SDK defines its credential source as "SharedConfigCredentials: FILENAME"
+	// Reference: https://github.com/aws/aws-sdk-go-v2/blob/de58dc6cdc4c35ac4687d53cff781a6027a0f52f/config/shared_config.go#L1173
+	if strings.HasPrefix(creds.Source, SharedCredsProviderName) {
 		return creds.SessionToken == ""
 	}
 	return false
--- a/pkg/asset/manifests/openshift.go
+++ b/pkg/asset/manifests/openshift.go
@@ -3,12 +3,14 @@ package manifests
 import (
 	"context"
 	"encoding/base64"
+	"fmt"
 	"os"
 	"path"
 	"path/filepath"
 	"strconv"
 	"strings"

+	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/gophercloud/utils/v2/openstack/clientconfig"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -91,20 +93,22 @@ func (o *Openshift) Generate(ctx context.Context, dependencies asset.Parents) er
 	platform := installConfig.Config.Platform.Name()
 	switch platform {
 	case awstypes.Name:
-		ssn, err := installConfig.AWS.Session(ctx)
+		awsconfig, err := installconfigaws.GetConfigWithOptions(ctx, config.WithRegion(installConfig.AWS.Region))
 		if err != nil {
 			return err
 		}
-		creds, err := ssn.Config.Credentials.Get()
+
+		creds, err := awsconfig.Credentials.Retrieve(ctx)
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to retrieve aws credentials: %w", err)
 		}
+
 		if !installconfigaws.IsStaticCredentials(creds) {
 			switch {
 			case installConfig.Config.CredentialsMode == "":
-				return errors.Errorf("AWS credentials provided by %s are not valid for default credentials mode", creds.ProviderName)
+				return errors.Errorf("AWS credentials provided by %s are not valid for default credentials mode", creds.Source)
 			case installConfig.Config.CredentialsMode != types.ManualCredentialsMode:
-				return errors.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", creds.ProviderName, installConfig.Config.CredentialsMode)
+				return errors.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", creds.Source, installConfig.Config.CredentialsMode)
 			}
 		}
 		cloudCreds = cloudCredsSecretData{