gravitational · reedloden · Oct 11, 2022 · Oct 10, 2022 · Oct 5, 2022 · Oct 10, 2022
diff --git a/.drone.yml b/.drone.yml
diff --git a/build.assets/windows/build.ps1 b/build.assets/windows/build.ps1
@@ -169,22 +169,40 @@ function Format-FileHashes {
     }
 }
 
+function Save-Role {
+    <#
+    .SYNOPSIS
+        Assume an AWS role and save the session to the supplied file
+    #>
+    [CmdletBinding()]
+    param(
+        [string] $RoleArn,
+        [string] $RoleSessionName,
+        [string] $FilePath
+    )
+    begin {
+        $RoleCreds = (Use-STSRole -RoleArn $RoleArn -RoleSessionName $RoleSessionName).Credentials
+        "[default]`r`naws_access_key_id = {0}`r`naws_secret_access_key = {1}`r`naws_session_token = {2}" -f $RoleCreds.AccessKeyId, $RoleCreds.SecretAccessKey, $RoleCreds.SessionToken | Out-File -FilePath $FilePath
+    }
+}
+
 function Copy-Artifacts {
     <#
     .SYNOPSIS
         Copies all files in the supplied directory into an S3 bucket
     #>
     [CmdletBinding()]
     param(
+        [string] $ProfileLocation,
         [string] $Path,
         [string] $Bucket,
-        [string] $DstRoot 
+        [string] $DstRoot
     )
     begin {
         foreach ($file in $(Get-ChildItem $Path)) {
             Write-Output "Uploading $($file.Name)"
             $Key = "$DstRoot/$($file.Name)"
-            Write-S3Object -File $file.FullName -Bucket $Bucket -Key $Key 
+            Write-S3Object -ProfileLocation $ProfileLocation -File $file.FullName -Bucket $Bucket -Key $Key
         }
     }
 }

diff --git a/dronegen/apt.go b/dronegen/apt.go
@@ -30,10 +30,11 @@ func getAptPipelineBuilder() *OsPackageToolPipelineBuilder {
 		"drone-s3-aptrepo-pvc",
 		"deb",
 		"apt",
-		NewRepoBucketSecretNames(
+		NewRepoBucketSecrets(
 			"APT_REPO_NEW_AWS_S3_BUCKET",
 			"APT_REPO_NEW_AWS_ACCESS_KEY_ID",
 			"APT_REPO_NEW_AWS_SECRET_ACCESS_KEY",
+			"APT_REPO_NEW_AWS_ROLE",
 		),
 	)
 

diff --git a/dronegen/aws.go b/dronegen/aws.go
@@ -0,0 +1,112 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import "path/filepath"
+
+// awsRoleSettings contains the information necessary to assume an AWS Role
+//
+// This is intended to be imbedded, please use the kubernetes/mac/windows versions
+// with their corresponding pipelines.
+type awsRoleSettings struct {
+	awsAccessKeyID     value
+	awsSecretAccessKey value
+	role               value
+}
+
+// kubernetesRoleSettings contains the info necessary to assume an AWS role and save the credentials to a volume that later steps can use
+type kubernetesRoleSettings struct {
+	awsRoleSettings
+	configVolume volumeRef
+}
+
+// macRoleSettings contains the info necessary to assume an AWS role and save the credentials to a path that later steps can use
+type macRoleSettings struct {
+	awsRoleSettings
+	configPath string
+}
+
+// kuberentesS3Settings contains all info needed to download from S3 in a kubernetes pipeline
+type kubernetesS3Settings struct {
+	region       string
+	source       string
+	target       string
+	configVolume volumeRef
+}
+
+// assumeRoleCommands is a helper to build the role assumtipn commands on a *nix platform
+func assumeRoleCommands(configPath string) []string {
+	assumeRoleCmd := `printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \
+  $(aws sts assume-role \
+    --role-arn "$AWS_ROLE" \
+    --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \
+    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+    --output text) \
+  > ` + configPath
+	return []string{
+		`aws sts get-caller-identity`, // check the original identity
+		assumeRoleCmd,
+		`unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY`, // remove original identity from environment
+		`aws sts get-caller-identity`,                   // check the new assumed identity
+	}
+
+}
+
+// kubernetesAssumeAwsRoleStep builds a step to assume an AWS role and save it to a volume that later steps can use
+func kubernetesAssumeAwsRoleStep(s kubernetesRoleSettings) step {
+	configPath := filepath.Join(s.configVolume.Path, "credentials")
+	return step{
+		Name:  "Assume AWS Role",
+		Image: "amazon/aws-cli",
+		Environment: map[string]value{
+			"AWS_ACCESS_KEY_ID":     s.awsAccessKeyID,
+			"AWS_SECRET_ACCESS_KEY": s.awsSecretAccessKey,
+			"AWS_ROLE":              s.role,
+		},
+		Volumes:  []volumeRef{s.configVolume},
+		Commands: assumeRoleCommands(configPath),
+	}
+}
+
+// macAssumeAwsRoleStep builds a step to assume an AWS role and save it to a host path that later steps can use
+func macAssumeAwsRoleStep(s macRoleSettings) step {
+	return step{
+		Name: "Assume AWS Role",
+		Environment: map[string]value{
+			"AWS_ACCESS_KEY_ID":           s.awsAccessKeyID,
+			"AWS_SECRET_ACCESS_KEY":       s.awsSecretAccessKey,
+			"AWS_ROLE":                    s.role,
+			"AWS_SHARED_CREDENTIALS_FILE": value{raw: s.configPath},
+		},
+		Commands: assumeRoleCommands(s.configPath),
+	}
+}
+
+// kubernetesUploadToS3Step generates an S3 upload step
+func kubernetesUploadToS3Step(s kubernetesS3Settings) step {
+	return step{
+		Name:  "Upload to S3",
+		Image: "amazon/aws-cli",
+		Environment: map[string]value{
+			"AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"},
+			"AWS_REGION":    {raw: s.region},
+		},
+		Volumes: []volumeRef{s.configVolume},
+		Commands: []string{
+			`cd ` + s.source,
+			`aws s3 sync . s3://$AWS_S3_BUCKET/` + s.target,
+		},
+	}
+}
diff --git a/dronegen/buildbox.go b/dronegen/buildbox.go
@@ -54,7 +54,7 @@ func buildboxPipelineStep(buildboxName string, fips bool) step {
 			"PROD_AWS_ACCESS_KEY_ID":        {fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY"},
 			"PROD_AWS_SECRET_ACCESS_KEY":    {fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET"},
 		},
-		Volumes: dockerVolumeRefs(),
+		Volumes: []volumeRef{volumeRefDocker},
 		Commands: []string{
 			`apk add --no-cache make aws-cli`,
 			`chown -R $UID:$GID /go`,
@@ -90,7 +90,7 @@ func buildboxPipeline() pipeline {
 	// only on master for now; add the release branch name when forking a new release series.
 	p.Trigger = pushTriggerForBranch("master", "branch/*")
 	p.Workspace = workspace{Path: "/go/src/github.com/gravitational/teleport"}
-	p.Volumes = dockerVolumes()
+	p.Volumes = []volume{volumeDocker}
 	p.Services = []service{
 		dockerService(),
 	}

diff --git a/dronegen/common.go b/dronegen/common.go
@@ -56,6 +56,10 @@ var (
 		Name: "dockersock",
 		Temp: &volumeTemp{},
 	}
+	volumeRefDocker = volumeRef{
+		Name: "dockersock",
+		Path: "/var/run",
+	}
 	volumeTmpfs = volume{
 		Name: "tmpfs",
 		Temp: &volumeTemp{Medium: "memory"},
@@ -64,9 +68,13 @@ var (
 		Name: "tmpfs",
 		Path: "/tmpfs",
 	}
-	volumeRefDocker = volumeRef{
-		Name: "dockersock",
-		Path: "/var/run",
+	volumeAwsConfig = volume{
+		Name: "awsconfig",
+		Temp: &volumeTemp{},
+	}
+	volumeRefAwsConfig = volumeRef{
+		Name: "awsconfig",
+		Path: "/root/.aws",
 	}
 )
 
@@ -207,18 +215,6 @@ func dockerService(v ...volumeRef) service {
 	}
 }
 
-// dockerVolumes returns a slice of volumes
-// It includes the Docker socket volume by default, plus any extra volumes passed in
-func dockerVolumes(v ...volume) []volume {
-	return append(v, volumeDocker)
-}
-
-// dockerVolumeRefs returns a slice of volumeRefs
-// It includes the Docker socket volumeRef as a default, plus any extra volumeRefs passed in
-func dockerVolumeRefs(v ...volumeRef) []volumeRef {
-	return append(v, volumeRefDocker)
-}
-
 // releaseMakefileTarget gets the correct Makefile target for a given arch/fips/centos combo
 func releaseMakefileTarget(b buildType) string {
 	makefileTarget := fmt.Sprintf("release-%s", b.arch)
@@ -251,7 +247,7 @@ func waitForDockerStep() step {
 		Commands: []string{
 			`timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done'`,
 		},
-		Volumes: dockerVolumeRefs(),
+		Volumes: []volumeRef{volumeRefDocker},
 	}
 }
 

diff --git a/dronegen/mac.go b/dronegen/mac.go
@@ -17,6 +17,7 @@ package main
 import (
 	"fmt"
 	"path"
+	"path/filepath"
 )
 
 const (
@@ -49,6 +50,7 @@ func darwinConnectDmgPipeline() pipeline {
 	artifactConfig := onlyConnectWithBundledTshApp
 
 	p := newDarwinPipeline("build-darwin-amd64-connect")
+	awsConfigPath := filepath.Join(p.Workspace.Path, "credentials")
 	p.Trigger = triggerTag
 	p.DependsOn = []string{"build-darwin-amd64-pkg-tsh"}
 	p.Steps = []step{
@@ -65,15 +67,22 @@ func darwinConnectDmgPipeline() pipeline {
 	p.Steps = append(p.Steps,
 		installToolchains(p.Workspace.Path, toolchainConfig)...)
 	p.Steps = append(p.Steps, []step{
+		macAssumeAwsRoleStep(macRoleSettings{
+			awsRoleSettings: awsRoleSettings{
+				awsAccessKeyID:     value{fromSecret: "AWS_ACCESS_KEY_ID"},
+				awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"},
+				role:               value{fromSecret: "AWS_ROLE"},
+			},
+			configPath: awsConfigPath,
+		}),
 		{
 			Name: "Download tsh.pkg artifact from S3",
 			Environment: map[string]value{
-				"AWS_REGION":            {raw: "us-west-2"},
-				"AWS_S3_BUCKET":         {fromSecret: "AWS_S3_BUCKET"},
-				"AWS_ACCESS_KEY_ID":     {fromSecret: "AWS_ACCESS_KEY_ID"},
-				"AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"},
-				"GITHUB_PRIVATE_KEY":    {fromSecret: "GITHUB_PRIVATE_KEY"},
-				"WORKSPACE_DIR":         {raw: p.Workspace.Path},
+				"AWS_REGION":                  {raw: "us-west-2"},
+				"AWS_S3_BUCKET":               {fromSecret: "AWS_S3_BUCKET"},
+				"GITHUB_PRIVATE_KEY":          {fromSecret: "GITHUB_PRIVATE_KEY"},
+				"WORKSPACE_DIR":               {raw: p.Workspace.Path},
+				"AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath},
 			},
 			Commands: darwinConnectDownloadArtifactCommands(),
 		},
@@ -88,11 +97,10 @@ func darwinConnectDmgPipeline() pipeline {
 		{
 			Name: "Upload to S3",
 			Environment: map[string]value{
-				"AWS_S3_BUCKET":         {fromSecret: "AWS_S3_BUCKET"},
-				"AWS_ACCESS_KEY_ID":     {fromSecret: "AWS_ACCESS_KEY_ID"},
-				"AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"},
-				"AWS_REGION":            {raw: "us-west-2"},
-				"WORKSPACE_DIR":         {raw: p.Workspace.Path},
+				"AWS_S3_BUCKET":               {fromSecret: "AWS_S3_BUCKET"},
+				"AWS_REGION":                  {raw: "us-west-2"},
+				"WORKSPACE_DIR":               {raw: p.Workspace.Path},
+				"AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath},
 			},
 			Commands: darwinUploadToS3Commands(),
 		},
@@ -173,6 +181,7 @@ func darwinTagPipeline() pipeline {
 	artifactConfig := onlyBinaries
 
 	p := newDarwinPipeline("build-darwin-amd64")
+	awsConfigPath := filepath.Join(p.Workspace.Path, "credentials")
 	p.Trigger = triggerTag
 	p.DependsOn = []string{tagCleanupPipelineName}
 	p.Steps = []step{
@@ -198,14 +207,21 @@ func darwinTagPipeline() pipeline {
 			},
 			Commands: darwinTagCopyPackageArtifactCommands(),
 		},
+		macAssumeAwsRoleStep(macRoleSettings{
+			awsRoleSettings: awsRoleSettings{
+				awsAccessKeyID:     value{fromSecret: "AWS_ACCESS_KEY_ID"},
+				awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"},
+				role:               value{fromSecret: "AWS_ROLE"},
+			},
+			configPath: awsConfigPath,
+		}),
 		{
 			Name: "Upload to S3",
 			Environment: map[string]value{
-				"AWS_S3_BUCKET":         {fromSecret: "AWS_S3_BUCKET"},
-				"AWS_ACCESS_KEY_ID":     {fromSecret: "AWS_ACCESS_KEY_ID"},
-				"AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"},
-				"AWS_REGION":            {raw: "us-west-2"},
-				"WORKSPACE_DIR":         {raw: p.Workspace.Path},
+				"AWS_S3_BUCKET":               {fromSecret: "AWS_S3_BUCKET"},
+				"AWS_REGION":                  {raw: "us-west-2"},
+				"WORKSPACE_DIR":               {raw: p.Workspace.Path},
+				"AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath},
 			},
 			Commands: darwinUploadToS3Commands(),
 		},

diff --git a/dronegen/mac_pkg.go b/dronegen/mac_pkg.go
@@ -28,6 +28,7 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific
 	artifactConfig := onlyBinaries
 
 	p := newDarwinPipeline(name)
+	awsConfigPath := filepath.Join(p.Workspace.Path, "credentials")
 	p.Trigger = triggerTag
 	p.DependsOn = []string{"build-darwin-amd64"}
 	p.Steps = []step{
@@ -40,15 +41,22 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific
 			},
 			Commands: darwinTagCheckoutCommands(artifactConfig),
 		},
+		macAssumeAwsRoleStep(macRoleSettings{
+			awsRoleSettings: awsRoleSettings{
+				awsAccessKeyID:     value{fromSecret: "AWS_ACCESS_KEY_ID"},
+				awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"},
+				role:               value{fromSecret: "AWS_ROLE"},
+			},
+			configPath: awsConfigPath,
+		}),
 		{
 			Name: "Download built tarball artifacts from S3",
 			Environment: map[string]value{
-				"AWS_REGION":            {raw: "us-west-2"},
-				"AWS_S3_BUCKET":         {fromSecret: "AWS_S3_BUCKET"},
-				"AWS_ACCESS_KEY_ID":     {fromSecret: "AWS_ACCESS_KEY_ID"},
-				"AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"},
-				"GITHUB_PRIVATE_KEY":    {fromSecret: "GITHUB_PRIVATE_KEY"},
-				"WORKSPACE_DIR":         {raw: p.Workspace.Path},
+				"AWS_REGION":                  {raw: "us-west-2"},
+				"AWS_S3_BUCKET":               {fromSecret: "AWS_S3_BUCKET"},
+				"AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath},
+				"GITHUB_PRIVATE_KEY":          {fromSecret: "GITHUB_PRIVATE_KEY"},
+				"WORKSPACE_DIR":               {raw: p.Workspace.Path},
 			},
 			Commands: darwinTagDownloadArtifactCommands(),
 		},
@@ -76,11 +84,10 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific
 		{
 			Name: "Upload to S3",
 			Environment: map[string]value{
-				"AWS_REGION":            {raw: "us-west-2"},
-				"AWS_S3_BUCKET":         {fromSecret: "AWS_S3_BUCKET"},
-				"AWS_ACCESS_KEY_ID":     {fromSecret: "AWS_ACCESS_KEY_ID"},
-				"AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"},
-				"WORKSPACE_DIR":         {raw: p.Workspace.Path},
+				"AWS_REGION":                  {raw: "us-west-2"},
+				"AWS_S3_BUCKET":               {fromSecret: "AWS_S3_BUCKET"},
+				"AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath},
+				"WORKSPACE_DIR":               {raw: p.Workspace.Path},
 			},
 			Commands: []string{
 				`set -u`,