Merge pull request #439 from Ompragash/patch-1
Added PLUGIN_OIDC_TOKEN_ID support
dgarg-harness authored Apr 24, 2024
2 parents a807dc9 + 12cc40a commit b009c71
Showing 1 changed file with 8 additions and 3 deletions.
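--- a/cmd/drone-ecr/main.go
+++ b/cmd/drone-ecr/main.go
@@ -42,6 +42,7 @@ func main() {
 assumeRole = getenv("PLUGIN_ASSUME_ROLE")
 externalId = getenv("PLUGIN_EXTERNAL_ID")
 scanOnPush = parseBoolOrDefault(false, getenv("PLUGIN_SCAN_ON_PUSH"))
+idToken = os.Getenv("PLUGIN_OIDC_TOKEN_ID")
 )
 
 // set the region
@@ -61,7 +62,7 @@ func main() {
 log.Fatal(fmt.Sprintf("error creating aws session: %v", err))
 }
 
-svc := getECRClient(sess, assumeRole, externalId)
+svc := getECRClient(sess, assumeRole, externalId, idToken)
 username, password, defaultRegistry, err := getAuthInfo(svc)
 
 if registry == "" {
@@ -213,11 +214,15 @@ func getenv(key ...string) (s string) {
 return
 }
 
-func getECRClient(sess *session.Session, role string, externalId string) *ecr.ECR {
+func getECRClient(sess *session.Session, role string, externalId string, idToken string) *ecr.ECR {
 if role == "" {
 return ecr.New(sess)
 }
-if externalId != "" {
+// Use STS AssumeRoleWithWebIdentity when idToken is provided
+if idToken != "" {
+creds := stscreds.NewWebIdentityCredentials(sess, role, "", idToken)
+return ecr.New(sess, &aws.Config{Credentials: creds})
+} else if externalId != "" {
 return ecr.New(sess, &aws.Config{
 Credentials: stscreds.NewCredentials(sess, role, func(p *stscreds.AssumeRoleProvider) {
 p.ExternalID = &externalId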
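Review bot: In getECRClient, `stscreds.NewWebIdentityCredentials(sess, role, "", idToken)` passes the token value itself as the fourth argument, but in aws-sdk-go v1 that parameter is the path of a file containing the token. With a raw JWT in `PLUGIN_OIDC_TOKEN_ID` the provider would try to open a file named after the token and credential retrieval would fail; the resulting error text likely embeds that "path", which would put the OIDC token into build logs. Handing the token to STS through a `stscreds.TokenFetcher` avoids both the failed read and the need to write the secret to disk. When `idToken` is set, `externalId` is silently ignored, which deserves a line in the comment above the branch. The function body continues past the end of the hunk, and the sketch below needs the SDK's `sts` and `credentials` packages, whose imports are not visible here.

```go
// envToken adapts an in-memory OIDC token to stscreds.TokenFetcher so the
// token never has to be treated as, or written to, a file path.
type envToken string

func (t envToken) FetchToken(credentials.Context) ([]byte, error) {
	return []byte(t), nil
}

func getECRClient(sess *session.Session, role string, externalId string, idToken string) *ecr.ECR {
	// … unchanged: role == "" early return …
	if idToken != "" {
		provider := stscreds.NewWebIdentityRoleProviderWithOptions(sts.New(sess), role, "", envToken(idToken))
		return ecr.New(sess, &aws.Config{Credentials: credentials.NewCredentials(provider)})
	} else if externalId != "" {
	// … unchanged: AssumeRole with ExternalID …
```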
