fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! General improvements

This commit is contained in:
2025-01-10 14:29:05 +00:00
parent d73e9067ba
commit 39a9d07107
3 changed files with 48 additions and 17 deletions
+2 -2
@@ -10,9 +10,9 @@ description: |
type: application type: application
version: 0.2.38 version: 0.2.39
appVersion: "0.2.38" appVersion: "0.2.39"
home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator
+1 -1
@@ -12,7 +12,7 @@ sa:
- ALL - ALL
image: image:
repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
tag: 0.2.38 tag: 0.2.39
resources: resources:
limits: limits:
cpu: 500m cpu: 500m
+45 -14
@@ -63,24 +63,55 @@ def get_s3_client(use_role=False, role_name=None, use_current_role=False, aws_ac
# Use the current role (e.g., from Kubernetes service account) # Use the current role (e.g., from Kubernetes service account)
logger.info("Using current role from environment") logger.info("Using current role from environment")
try: try:
# Don't create an STS client or try to assume role, just use the web identity credentials directly # Import required components
session = boto3.Session() from botocore.session import Session
client = session.client('s3', **client_kwargs) import botocore.credentials
import json
# Log the identity for debugging but don't create a separate STS client # Get required environment variables
creds = session.get_credentials() token_file = os.environ.get('AWS_WEB_IDENTITY_TOKEN_FILE')
if creds: role_arn = os.environ.get('AWS_ROLE_ARN')
logger.info("Successfully obtained credentials from environment")
# Try to get the role ARN from environment for logging if not token_file or not role_arn:
role_arn = os.environ.get('AWS_ROLE_ARN') raise ValueError("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must be set")
if role_arn:
logger.info(f"Using role: {role_arn}") # Read the web identity token
with open(token_file, 'r') as f:
token = f.read().strip()
logger.info("Successfully read web identity token")
logger.info(f"Using role ARN: {role_arn}")
# Create an STS client with no credentials
sts = boto3.client('sts', region_name=region if region else None)
# Assume role with web identity
response = sts.assume_role_with_web_identity(
RoleArn=role_arn,
RoleSessionName=os.environ.get('AWS_ROLE_SESSION_NAME', 'WebIdentitySession'),
WebIdentityToken=token
)
# Get the temporary credentials
credentials = response['Credentials']
# Create the S3 client with the temporary credentials
client = boto3.client(
's3',
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'],
**client_kwargs
)
logger.info(f"Successfully assumed role with web identity: {response['AssumedRoleUser']['Arn']}")
return client return client
except Exception as e: except Exception as e:
logger.error(f"Failed to use current role: {str(e)}") logger.error(f"Failed to use current role: {str(e)}")
logger.error("Environment variables:") logger.error("Current environment:")
for env_var in ['AWS_WEB_IDENTITY_TOKEN_FILE', 'AWS_ROLE_ARN', 'AWS_ROLE_SESSION_NAME']: for key, value in sorted(os.environ.items()):
logger.error(f"- {env_var}: {os.environ.get(env_var, 'not set')}") if any(k in key.lower() for k in ['aws', 'role', 'auth', 'token', 'credential']):
logger.error(f" {key}: {value}")
raise raise
else: else:
# Use default credentials (environment, instance profile, or pod service account) # Use default credentials (environment, instance profile, or pod service account)