mirror of
https://github.com/trufflesecurity/trufflehog.git
synced 2024-09-20 14:42:03 +00:00
Use S3 credentials waterfall (#1823)
This PR updates the S3 source to use explicitly configured credentials if they're available and follow the normal AWS credentials waterfall if they're not. This is irrespective of whether role assumption is configured. This changes the previous behavior, which was to use waterfall credentials only if role assumption was configured and explicitly configured credentials only when it was not.
This commit is contained in:
Cody Rose
GitHub
parent
699547b7d3
commit
e9efed85c2
2 changed files with 15 additions and 19 deletions
|
|
@ -130,20 +130,19 @@ func (s *Source) newClient(region, roleArn string) (*s3.S3, error) {
|
||||||
cfg.CredentialsChainVerboseErrors = aws.Bool(true)
|
cfg.CredentialsChainVerboseErrors = aws.Bool(true)
|
||||||
cfg.Region = aws.String(region)
|
cfg.Region = aws.String(region)
|
||||||
|
|
||||||
if roleArn == "" {
|
switch cred := s.conn.GetCredential().(type) {
|
||||||
switch cred := s.conn.GetCredential().(type) {
|
case *sourcespb.S3_SessionToken:
|
||||||
case *sourcespb.S3_SessionToken:
|
cfg.Credentials = credentials.NewStaticCredentials(cred.SessionToken.Key, cred.SessionToken.Secret, cred.SessionToken.SessionToken)
|
||||||
cfg.Credentials = credentials.NewStaticCredentials(cred.SessionToken.Key, cred.SessionToken.Secret, cred.SessionToken.SessionToken)
|
case *sourcespb.S3_AccessKey:
|
||||||
case *sourcespb.S3_AccessKey:
|
cfg.Credentials = credentials.NewStaticCredentials(cred.AccessKey.Key, cred.AccessKey.Secret, "")
|
||||||
cfg.Credentials = credentials.NewStaticCredentials(cred.AccessKey.Key, cred.AccessKey.Secret, "")
|
case *sourcespb.S3_Unauthenticated:
|
||||||
case *sourcespb.S3_Unauthenticated:
|
cfg.Credentials = credentials.AnonymousCredentials
|
||||||
cfg.Credentials = credentials.AnonymousCredentials
|
default:
|
||||||
case *sourcespb.S3_CloudEnvironment:
|
// In all other cases, the AWS SDK will follow its normal waterfall logic to pick up credentials (i.e. they can
|
||||||
// Nothing needs to be done!
|
// come from the environment or the credentials file or whatever else AWS gets up to).
|
||||||
default:
|
}
|
||||||
return nil, errors.Errorf("invalid configuration given for %s source", s.name)
|
|
||||||
}
|
if roleArn != "" {
|
||||||
} else {
|
|
||||||
sess, err := session.NewSession(cfg)
|
sess, err := session.NewSession(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
||||||
|
|
@ -141,14 +141,11 @@ func TestSource_Validate(t *testing.T) {
|
||||||
var cancelOnce sync.Once
|
var cancelOnce sync.Once
|
||||||
defer cancelOnce.Do(cancel)
|
defer cancelOnce.Do(cancel)
|
||||||
|
|
||||||
// These are used by the tests that assume roles
|
|
||||||
t.Setenv("AWS_ACCESS_KEY_ID", s3key)
|
|
||||||
t.Setenv("AWS_SECRET_ACCESS_KEY", s3secret)
|
|
||||||
|
|
||||||
s := &Source{}
|
s := &Source{}
|
||||||
|
|
||||||
|
// As of this writing, credentials set in the environment or the on-disk credentials file also work, but I
|
||||||
|
// couldn't figure out how to write automated tests for those cases that weren't ugly as sin.
|
||||||
conn, err := anypb.New(&sourcespb.S3{
|
conn, err := anypb.New(&sourcespb.S3{
|
||||||
// These are used by the tests that don't assume roles
|
|
||||||
Credential: &sourcespb.S3_AccessKey{
|
Credential: &sourcespb.S3_AccessKey{
|
||||||
AccessKey: &credentialspb.KeySecret{
|
AccessKey: &credentialspb.KeySecret{
|
||||||
Key: s3key,
|
Key: s3key,
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue