Mirrors/trufflehog
2
0
Fork 0
mirror of https://github.com/trufflesecurity/trufflehog.git synced 2024-11-10 15:14:38 +00:00
Code Issues Projects Releases Packages Wiki Activity

Use S3 credentials waterfall (#1823)

Browse source 
This PR updates the S3 source to use explicitly configured credentials if they're available and follow the normal AWS credentials waterfall if they're not. This is irrespective of whether role assumption is configured. This changes the previous behavior, which was to use waterfall credentials only if role assumption was configured and explicitly configured credentials only when it was not.
This commit is contained in:
Cody Rose 2023-09-27 16:57:47 -04:00 committed by GitHub
parent 699547b7d3
commit e9efed85c2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
pkg/sources/s3/s3.go
View file

@ -130,7 +130,6 @@ func (s *Source) newClient(region, roleArn string) (*s3.S3, error) {
cfg.CredentialsChainVerboseErrors = aws.Bool(true)
cfg.Region = aws.String(region)
if roleArn == "" {
switch cred := s.conn.GetCredential().(type) {
case *sourcespb.S3_SessionToken:
cfg.Credentials = credentials.NewStaticCredentials(cred.SessionToken.Key, cred.SessionToken.Secret, cred.SessionToken.SessionToken)
@ -138,12 +137,12 @@ func (s *Source) newClient(region, roleArn string) (*s3.S3, error) {
cfg.Credentials = credentials.NewStaticCredentials(cred.AccessKey.Key, cred.AccessKey.Secret, "")
case *sourcespb.S3_Unauthenticated:
cfg.Credentials = credentials.AnonymousCredentials
case *sourcespb.S3_CloudEnvironment:
// Nothing needs to be done!
default:
return nil, errors.Errorf("invalid configuration given for %s source", s.name)
// In all other cases, the AWS SDK will follow its normal waterfall logic to pick up credentials (i.e. they can
// come from the environment or the credentials file or whatever else AWS gets up to).
}
} else {
if roleArn != "" {
sess, err := session.NewSession(cfg)
if err != nil {
return nil, err

7
pkg/sources/s3/s3_integration_test.go
View file

@ -141,14 +141,11 @@ func TestSource_Validate(t *testing.T) {
var cancelOnce sync.Once
defer cancelOnce.Do(cancel)
// These are used by the tests that assume roles
t.Setenv("AWS_ACCESS_KEY_ID", s3key)
t.Setenv("AWS_SECRET_ACCESS_KEY", s3secret)
s := &Source{}
// As of this writing, credentials set in the environment or the on-disk credentials file also work, but I
// couldn't figure out how to write automated tests for those cases that weren't ugly as sin.
conn, err := anypb.New(&sourcespb.S3{
// These are used by the tests that don't assume roles
Credential: &sourcespb.S3_AccessKey{
AccessKey: &credentialspb.KeySecret{
Key: s3key,