
Commit 29fde48

authored
Merge pull request #7 from ApplauseOSS/banka/support-assume-role
Add assume-role support
2 parents 9dfaa05 + 21845a4 commit 29fde48


5 files changed

+20
-6
lines changed


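--- a/README.md
+++ b/README.md
@@ -25,3 +25,9 @@ It can also take an optional flag to control the number of parallel workers:
 ```bash
 $ decrypt-and-start -p 20 -- some other program
 ```
+
+Tool can also assume other role for kms access
+
+```bash
+$ decrypt-and-start --assume-role arn:aws:iam::XXXXXXXXX:role/YYYY some other program
+```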

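--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.3.0
+0.4.0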

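--- a/decrypt-and-start.go
+++ b/decrypt-and-start.go
@@ -28,10 +28,12 @@ func Exec() {
 
 func main() {
 var workerCount int
+var assumedRole string
 flag.IntVar(&workerCount, "p", 10, "number of parallel workers (defaults to 10)")
+flag.StringVar(&assumedRole, "assume-role", "", "Arn of role to assume for variables decryption")
 flag.Parse()
 workerPool := lib.NewWorkerPool(workerCount)
-workerPool.Start()
+workerPool.Start(assumedRole)
 // Put encrypted env vars in queue for workers to process
 go func() {
 for _, e := range os.Environ() {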
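Review bot: The help text on new line 33, `"Arn of role to assume for variables decryption"`, does not tell the operator that the empty default means no role is assumed, and the initialism should be upper-case like the rest of the AWS vocabulary. I would write `flag.StringVar(&assumedRole, "assume-role", "", "ARN of an IAM role to assume for KMS decryption (empty: use the ambient credential chain)")`. The README example added in this commit also drops the `--` separator that the `-p 20` example uses; since flag.Parse stops at the first non-flag argument it still works, but showing both forms the same way avoids confusion. main's body continues past the hunk.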

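--- a/lib/aws_encryption_sdk/kms_helper.go
+++ b/lib/aws_encryption_sdk/kms_helper.go
@@ -7,6 +7,7 @@ import (
 "encoding/binary"
 "errors"
 "github.com/aws/aws-sdk-go/aws"
+"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/service/kms"
 "golang.org/x/crypto/hkdf"
@@ -17,12 +18,17 @@ type KmsHelper struct {
 client *kms.KMS
 }
 
-func NewKmsHelper(region string) *KmsHelper {
+func NewKmsHelper(region string, assumedRole string) *KmsHelper {
 k := &KmsHelper{}
 // Set up AWS KMS session
 conf := aws.NewConfig().WithRegion(region)
 sess := session.Must(session.NewSession(conf))
-k.client = kms.New(sess)
+if assumedRole != "" {
+creds := stscreds.NewCredentials(sess, assumedRole)
+k.client = kms.New(sess, &aws.Config{Credentials: creds})
+} else {
+k.client = kms.New(sess)
+}
 return k
 }
 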
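Review bot: `stscreds.NewCredentials` on new line 27 only builds the provider; if I read the v1 SDK correctly the AssumeRole call is deferred until the credentials are first retrieved, so an unauthorized or malformed `assumedRole` is not reported here but at the first KMS call inside a worker, and `NewKmsHelper` has no error return to surface it. A `creds.Get()` immediately after construction, failing fast on error the way `session.Must` does one line above, would make a bad role visible at startup instead of in every worker. The exported function also still lacks a doc comment; something like `// NewKmsHelper returns a KMS client for region. When assumedRole is a non-empty IAM role ARN, KMS calls use credentials obtained by assuming that role via STS; otherwise the session's default credential chain is used.` Consider also passing an option that sets `RoleSessionName` on the provider so the assumed-role activity is attributable in CloudTrail; the SDK's generated default name does not identify this tool.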

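--- a/lib/worker.go
+++ b/lib/worker.go
@@ -27,10 +27,10 @@ func NewWorkerPool(count int) *WorkerPool {
 return w
 }
 
-func (w *WorkerPool) Start() {
+func (w *WorkerPool) Start(assumedRole string) {
 for i := 0; i < w.workerCount; i++ {
 go func() {
-kmsHelper := enc_sdk.NewKmsHelper(GetRegion())
+kmsHelper := enc_sdk.NewKmsHelper(GetRegion(), assumedRole)
 for {
 env, ok := <-w.InChan
 if env != nil {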
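Review bot: Every worker goroutine calls `enc_sdk.NewKmsHelper(GetRegion(), assumedRole)` on new line 33, so with a role configured each of the `w.workerCount` workers builds its own STS credential provider and performs its own AssumeRole on first use — with the default of 10 workers that is 10 STS calls and 10 independently expiring credential caches for one process. If kms.KMS is safe for concurrent use (aws-sdk-go v1 service clients are generally documented as such, but worth confirming for this version), constructing the helper once before the loop and sharing it would reduce that to a single AssumeRole. `Start` is exported and still has no doc comment; I would add `// Start launches workerCount goroutines that read from InChan; assumedRole, if non-empty, is the ARN of the IAM role each worker assumes for KMS access.` The goroutine body continues past the hunk.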
