
Provide possibility to assume AWS role (AWS STS)
bitpavel committed Mar 27, 2019
1 parent 7a1fa84 commit 4fe7e7e
Showing 2 changed files with 20 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -289,6 +289,7 @@ Check your CloudFormation console once more and validate that your stack as well

Argument | Environment variable | Default value | Description
---------|----------------------|---------------|------------
assume-role | AWS_ASSUME_ROLE | | Assume AWS role when defined. Useful for stacks in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123456789:role/cloudformation-operator`
capability | AWS_CAPABILITIES | | Enable specified capabilities for all stacks managed by the operator instance. Current parameter can be used multiple times. For example: `--capability CAPABILITY_NAMED_IAM --capability CAPABILITY_IAM`. Or with a line break when specifying as an environment variable: `AWS_CAPABILITIES=CAPABILITY_IAM$'\n'CAPABILITY_NAMED_IAM`
debug | DEBUG | | Enable debug logging.
dry-run | DRY_RUN | | If true, don't actually do anything.
22 changes: 19 additions & 3 deletions cmd/cloudformation-operator/main.go
Expand Up @@ -13,13 +13,16 @@ import (
sdkVersion "github.com/operator-framework/operator-sdk/version"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/cloudformation"
"github.com/aws/aws-sdk-go/service/cloudformation/cloudformationiface"
)

var (
namespace string
region string
assumeRole string
tags = new(map[string]string)
capabilities = []string{}
dryRun bool
Expand All @@ -30,6 +33,7 @@ var (
func init() {
kingpin.Flag("namespace", "The Kubernetes namespace to watch").Default("default").Envar("WATCH_NAMESPACE").StringVar(&namespace)
kingpin.Flag("region", "The AWS region to use").Envar("AWS_REGION").StringVar(&region)
kingpin.Flag("assume-role", "Assume AWS role when defined. Useful for stacks in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123456789:role/cloudformation-operator`").Envar("AWS_ASSUME_ROLE").StringVar(&assumeRole)
kingpin.Flag("capability", "The AWS CloudFormation capability to enable").Envar("AWS_CAPABILITIES").StringsVar(&capabilities)
kingpin.Flag("dry-run", "If true, don't actually do anything.").Envar("DRY_RUN").BoolVar(&dryRun)
kingpin.Flag("debug", "Enable debug logging.").Envar("DEBUG").BoolVar(&debug)
Expand Down Expand Up @@ -58,9 +62,21 @@ func main() {

printVersion()

client := cloudformation.New(session.New(), &aws.Config{
Region: aws.String(region),
})
var client cloudformationiface.CloudFormationAPI
sess := session.Must(session.NewSession())
logrus.Info(assumeRole)
if assumeRole != "" {
logrus.Info("run assume")
creds := stscreds.NewCredentials(sess, assumeRole)
client = cloudformation.New(sess, &aws.Config{
Credentials: creds,
Region: aws.String(region),
})
} else {
client = cloudformation.New(sess, &aws.Config{
Region: aws.String(region),
})
}

sdk.Watch("cloudformation.linki.space/v1alpha1", "Stack", namespace, 0)
sdk.Handle(stub.NewHandler(client, capabilities, *tags, dryRun))
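Review bot: The two bare `logrus.Info(assumeRole)` and `logrus.Info("run assume")` calls at the top of the new client setup in main() read as debug leftovers: the first logs the raw flag value unconditionally (an empty message when no role is configured) and neither carries any context. One message inside the branch, `logrus.Infof("assuming AWS role %s", assumeRole)`, says the same thing. The two `cloudformation.New` calls differ only in the Credentials field, so building a single `aws.Config` and setting Credentials conditionally removes the duplicated branch. Because stscreds.NewCredentials retrieves lazily, a wrong ARN or a missing trust relationship would, as far as I can tell, surface only on the first CloudFormation call rather than at startup; calling `creds.Get()` once after construction makes the operator fail fast with a clear error. main() begins and ends outside the hunk.
```go
sess := session.Must(session.NewSession())
cfg := &aws.Config{Region: aws.String(region)}
if assumeRole != "" {
	logrus.Infof("assuming AWS role %s", assumeRole)
	creds := stscreds.NewCredentials(sess, assumeRole)
	// Force the first AssumeRole now so a bad ARN or trust policy fails at startup.
	if _, err := creds.Get(); err != nil {
		logrus.Fatalf("assuming role %s: %v", assumeRole, err)
	}
	cfg.Credentials = creds
}
client := cloudformation.New(sess, cfg)
// … unchanged: sdk.Watch / sdk.Handle …
```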
