Commit ba9aaa9c authored by Pierre Smeyers's avatar Pierre Smeyers

fix: manage AWS_DEFAULT_ACCESS_KEY_ID & AWS_DEFAULT_SECRET_ACCESS_KEY as default

parent dde21627
+15 −11
@@ -25,7 +25,11 @@ def configure_boto(env_ctx: str = None, region: str = None, role_arn: str = None

    # set region
    if region is None:
        region = get_var(env_ctx, "REGION") or get_var(env_ctx, "DEFAULT_REGION")
        region = (
            getenv_cleared(f"AWS_{env_ctx}_REGION")
            or getenv_cleared("AWS_REGION")
            or getenv_cleared("AWS_DEFAULT_REGION")
        )
    if not region:
        logger.error("AWS region not found")
        raise HTTPException(status_code=400, detail="AWS region not found")
@@ -34,7 +38,9 @@ def configure_boto(env_ctx: str = None, region: str = None, role_arn: str = None
    # determine auth method
    jwt_token = os.environ.get("AWS_JWT")
    if role_arn is None:
        role_arn = get_var(env_ctx, "OIDC_ROLE_ARN")
        role_arn = getenv_cleared(f"AWS_{env_ctx}_OIDC_ROLE_ARN") or getenv_cleared(
            "AWS_OIDC_ROLE_ARN"
        )
    if jwt_token and role_arn:
        # Assume Role with Web Identity Provider
        # see: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#assume-role-with-web-identity-provider
@@ -51,8 +57,12 @@ def configure_boto(env_ctx: str = None, region: str = None, role_arn: str = None
        ] = f"GitLabRunner-{os.getenv('CI_PROJECT_ID')}-{os.getenv('CI_PIPELINE_ID')}"
        return

    access_key_id = get_var(env_ctx, "ACCESS_KEY_ID")
    secret_access_key = get_var(env_ctx, "SECRET_ACCESS_KEY")
    access_key_id = getenv_cleared(f"AWS_{env_ctx}_ACCESS_KEY_ID") or getenv_cleared(
        "AWS_DEFAULT_ACCESS_KEY_ID"
    )
    secret_access_key = getenv_cleared(
        f"AWS_{env_ctx}_SECRET_ACCESS_KEY"
    ) or getenv_cleared("AWS_DEFAULT_SECRET_ACCESS_KEY")
    if access_key_id and secret_access_key:
        # see: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#environment-variables
        logger.info("Auth method: basic (access key ID & secret access key)")
@@ -86,17 +96,11 @@ def guess_env_ctx() -> str:
    return "REVIEW"


def get_var(env_ctx: str, var_suffix: str) -> Optional[str]:
    return getenv_checked(f"AWS_{env_ctx}_{var_suffix}") or getenv_checked(
        f"AWS_{var_suffix}"
    )


# Workaround the GitLab bug with forced exposed variables:
# variables:
#   SOMEVAR: "$SOMEVAR"
# os.getenv("SOMEVAR") may have value '$SOMEVAR' if the variable is not defined as a project variable
def getenv_checked(name: str) -> Optional[str]:
def getenv_cleared(name: str) -> Optional[str]:
    value = os.getenv(name)
    return None if value == f"${name}" else value
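Review bot: In the third hunk the key ID and the secret are resolved independently, so when only one of `AWS_{env_ctx}_ACCESS_KEY_ID` / `AWS_{env_ctx}_SECRET_ACCESS_KEY` is set the code silently pairs a context-specific value with a `AWS_DEFAULT_*` one from a different credential set, and the mismatch only surfaces later as a signature error rather than a clear "incomplete credentials" message. Resolving the pair atomically (context pair first, then the default pair) keeps the two halves from coming from different sources; the same independent lookup applied before this commit, so this is a pre-existing gap the change does not close. Note also that the old `get_var` fallback to plain `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` is dropped in favour of `AWS_DEFAULT_*`; if any caller relied on the unprefixed names this is a silent behaviour change worth a line in the commit message, and a short comment above the lookup, `# resolution order: AWS_<ctx>_* then AWS_DEFAULT_* (standard AWS_ACCESS_KEY_ID is left to boto3)`, would document the intent. The `env_ctx: str = None` default still yields a lookup of `AWS_None_ACCESS_KEY_ID` when no context is passed, which is harmless but could be guarded. The last hunk appears to end outside the visible page, so the rename of `getenv_checked` to `getenv_cleared` is not fully reviewed here.
```python
    # Resolve the credential pair from one source so key ID and secret never mix
    ctx_key_id = getenv_cleared(f"AWS_{env_ctx}_ACCESS_KEY_ID")
    if ctx_key_id:
        access_key_id = ctx_key_id
        secret_access_key = getenv_cleared(f"AWS_{env_ctx}_SECRET_ACCESS_KEY")
    else:
        access_key_id = getenv_cleared("AWS_DEFAULT_ACCESS_KEY_ID")
        secret_access_key = getenv_cleared("AWS_DEFAULT_SECRET_ACCESS_KEY")
    # … unchanged: basic auth branch …
```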