Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

feat: implement IAM authentication with assumeRoleWithWebIdentityCredentialProvider #118

Merged
merged 1 commit into from
Jul 20, 2021
Merged

feat: implement IAM authentication with assumeRoleWithWebIdentityCredentialProvider #118

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,3 +99,7 @@ This plugin can use the AWS Rekognition service to detect faces in an image and
:warning: ️Using this will incur extra cost for each upload

:warning: ️Using this requires the <code>rekognition:DetectFaces</code> action to be allowed.

### Assuming Role with OIDC

This plugin also has the ability to assume a role provided to the runtime with the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables. If you provide no credentials to AWS and these environment variables exist, then the plugin will attempt to create a connection to AWS using the `CredentialProvider::assumeRoleWithWebIdentityCredentialProvider`. This is the ideal way to allow fine-grained access control for hosting CraftCMS in Kubernetes (for example). See [the IAM documentation on AWS for more details](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html).
13 changes: 13 additions & 0 deletions src/Volume.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
use Aws\CloudFront\CloudFrontClient;
use Aws\CloudFront\Exception\CloudFrontException;
use Aws\Credentials\Credentials;
use Aws\Credentials\CredentialProvider;
use Aws\Handler\GuzzleV6\GuzzleHandler;
use Aws\Rekognition\RekognitionClient;
use Aws\S3\Exception\S3Exception;
Expand Down Expand Up @@ -299,6 +300,18 @@ protected static function client(array $config = [], array $credentials = []): S
return call_user_func_array(self::class . '::buildConfigArray', $args);
};
}
else if (!empty(Craft::parseEnv("AWS_WEB_IDENTITY_TOKEN_FILE")) && !empty(Craft::parseEnv("AWS_ROLE_ARN"))) {
// Our instance/pod/task has a web identity configured, so we should use that
// Pretty much just lifted this from: https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_provider.html#assume-role-with-web-identity-provider
$provider = CredentialProvider::assumeRoleWithWebIdentityCredentialProvider();
$provider = CredentialProvider::memoize($provider);
// Probably not the idiomatic approach relative to existing codebase, but we can just return the config array
$config = [
'region' => $credentials['region'],
'version' => 'latest',
'credentials' => $provider
];
}

return new S3Client($config);
}
Expand Down