package main
import (
	"context"
	"encoding/base64"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/ecr"
)
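// loginAWS obtains registry credentials for the account's ECR endpoint.
//
// Inside a GitHub runner it first wires up OIDC web-identity auth (see
// prepareOidcEnvAws) so the default AWS credential chain can assume the
// configured role. It then calls ECR GetAuthorizationToken, base64-decodes
// the "<username>:<password>" token it returns and packages it together with
// the registry's proxy endpoint.
//
// The returned Password is a short-lived ECR credential; callers must not log
// it or persist it beyond the registry login.
//
// Every failure is terminal: a configuration-loading error exits through
// log.Fatalf, everything after that panics with a descriptive message.
func loginAWS() RegistryAuth {
	if isGhRunner() {
		log.Printf("GitHub runner detected, using OIDC auth")
		prepareOidcEnvAws()
	} else {
		log.Printf("Skipping OIDC auth, not running in GitHub Runner")
	}

	// NOTE(review): context.TODO() carries no deadline or cancellation; both
	// AWS calls rely on the SDK client's defaults to bound their duration.
	ctx := context.TODO()

	cfg, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		log.Fatalf("Failed to load AWS configuration: %v", err)
	}

	ecrClient := ecr.NewFromConfig(cfg)
	resp, err := ecrClient.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
	if err != nil {
		panic(fmt.Sprintf("Failed to get ECR authorization token: %v", err))
	}
	if len(resp.AuthorizationData) == 0 {
		panic("No authorization data returned by ECR")
	}

	// AuthorizationToken and ProxyEndpoint are pointers; check them before
	// dereferencing so a partial response fails with a clear message instead
	// of a bare nil-pointer panic.
	authData := resp.AuthorizationData[0]
	if authData.AuthorizationToken == nil || authData.ProxyEndpoint == nil {
		panic("ECR authorization data is missing the token or proxy endpoint")
	}

	decodedToken, err := base64.StdEncoding.DecodeString(*authData.AuthorizationToken)
	if err != nil {
		panic(fmt.Sprintf("Failed to decode authorization token: %v", err))
	}

	// Split on the first ':' only — the password part may itself contain ':'.
	parts := strings.SplitN(string(decodedToken), ":", 2)
	if len(parts) != 2 {
		panic("Invalid authorization token format")
	}

	return RegistryAuth{
		Username: parts[0],
		Password: parts[1],
		Registry: *authData.ProxyEndpoint,
	}
}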
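// prepareOidcEnvAws configures the process environment so the AWS default
// credential chain can assume AWS_ROLE_ARN via a GitHub OIDC web-identity
// token.
//
// It requests an OIDC token for the STS audience, writes it to a file and
// points AWS_WEB_IDENTITY_TOKEN_FILE at that file. The file lives in a fresh
// private temp directory (os.MkdirTemp creates it with mode 0700) rather than
// at a fixed, predictable path in the shared /tmp, so another local user
// cannot pre-create, symlink or read the token path.
//
// Exits through log.Fatalf when AWS_ROLE_ARN is unset, the temp directory
// cannot be created, or the environment variable cannot be set.
func prepareOidcEnvAws() {
	const audience = "sts.amazonaws.com"

	// Validate the role before minting a token so a misconfigured environment
	// fails without leaving a token file behind.
	roleArn := os.Getenv("AWS_ROLE_ARN")
	if roleArn == "" {
		log.Fatalf("AWS_ROLE_ARN is not set")
	}

	dir, err := os.MkdirTemp("", "awsjwt-")
	if err != nil {
		log.Fatalf("Failed to create token directory: %v", err)
	}
	tokenFile := filepath.Join(dir, "awsjwt")

	// NOTE(review): saveTokenToFile's file mode is not visible here; the
	// private directory protects the token regardless of that mode.
	token := getOIDCToken(audience)
	saveTokenToFile(tokenFile, token)

	if err := os.Setenv("AWS_WEB_IDENTITY_TOKEN_FILE", tokenFile); err != nil {
		log.Fatalf("Failed to set AWS_WEB_IDENTITY_TOKEN_FILE: %v", err)
	}
	// AWS_ROLE_ARN is already present in the environment (read above), so the
	// SDK's web-identity provider will pick it up without re-exporting it.
}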