From 58c6678b27d592e37d68788bc0e928500f26d760 Mon Sep 17 00:00:00 2001
From: "Marcelo E. Magallon"
Date: Mon, 11 Oct 2021 15:53:02 -0600
Subject: [PATCH] Support loading the secret key from a file

This is related to prometheus/prometheus#8551

Signed-off-by: Marcelo E. Magallon
---
 sigv4/go.mod | 2 +-
 sigv4/go.sum | 2 ++
 sigv4/sigv4_config.go | 18 +++++++++++++-----
 sigv4/sigv4_config_test.go | 7 +++++--
 sigv4/testdata/secret_key.txt | 1 +
 sigv4/testdata/sigv4_good_secret_key_file.yaml | 5 +++++
 6 files changed, 27 insertions(+), 8 deletions(-)
 create mode 100644 sigv4/testdata/secret_key.txt
 create mode 100644 sigv4/testdata/sigv4_good_secret_key_file.yaml

diff --git a/sigv4/go.mod b/sigv4/go.mod
index 60f8743b..eb0e25c3 100644
--- a/sigv4/go.mod
+++ b/sigv4/go.mod
@@ -5,7 +5,7 @@ go 1.15
 require (
 github.com/aws/aws-sdk-go v1.38.35
 github.com/prometheus/client_golang v1.11.0
- github.com/prometheus/common v0.29.0
+ github.com/prometheus/common v0.31.2-0.20211011203104-9789762a2ddb
 github.com/stretchr/testify v1.7.0
 gopkg.in/yaml.v2 v2.4.0
 )
diff --git a/sigv4/go.sum b/sigv4/go.sum
index 3ac369f1..de114dfb 100644
--- a/sigv4/go.sum
+++ b/sigv4/go.sum
@@ -175,6 +175,8 @@ github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB8 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0 h1:3jqPBvKT4OHAbje2Ql7KeaaSicDBCxMYwEJU1zRJceE= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.31.2-0.20211011203104-9789762a2ddb h1:nDUL0g/BSYon1707Ums2YQG50fvMgV2D8otbQZHNnEs= +github.com/prometheus/common v0.31.2-0.20211011203104-9789762a2ddb/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= diff --git a/sigv4/sigv4_config.go b/sigv4/sigv4_config.go index 776fe764..ce589ba8 100644 --- a/sigv4/sigv4_config.go +++ b/sigv4/sigv4_config.go @@ -23,11 +23,12 @@ import ( // AWS's SigV4 verification process. Empty values will be retrieved using the // AWS default credentials chain. type SigV4Config struct { - Region string `yaml:"region,omitempty"` - AccessKey string `yaml:"access_key,omitempty"` - SecretKey config.Secret `yaml:"secret_key,omitempty"` - Profile string `yaml:"profile,omitempty"` - RoleARN string `yaml:"role_arn,omitempty"` + Region string `yaml:"region,omitempty"` + AccessKey string `yaml:"access_key,omitempty"` + SecretKey config.Secret `yaml:"secret_key,omitempty"` + SecretKeyFile string `yaml:"secret_key_file,omitempty"` + Profile string `yaml:"profile,omitempty"` + RoleARN string `yaml:"role_arn,omitempty"` } func (c *SigV4Config) Validate() error { 
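Review bot: `SecretKeyFile` is added to `SigV4Config` without any comment on how it interacts with `SecretKey`, and the struct comment above still describes only the fallback to the AWS default credentials chain. The precedence lives in `UnmarshalYAML` alone, where the file is read only if `secret_key` is empty. I would document that on the field, e.g. `// SecretKeyFile is the path of a file holding the secret key; it is read only when SecretKey is empty.` The hunk ends on the signature of `Validate`, whose body is outside it, so whether `Validate` knows about the new field cannot be checked from here.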
@@ -43,5 +44,12 @@ func (c *SigV4Config) UnmarshalYAML(unmarshal func(interface{}) error) error { if err := unmarshal((*plain)(c)); err != nil { return err } + + if len(c.SecretKey) == 0 && len(c.SecretKeyFile) != 0 { + if err := c.SecretKey.LoadFromFile(c.SecretKeyFile); err != nil { + return fmt.Errorf("cannot read sigv4 secret key from %s: %w", c.SecretKeyFile, err) + } + } + return c.Validate() } diff --git a/sigv4/sigv4_config_test.go b/sigv4/sigv4_config_test.go index 9bcd5329..c764adf0 100644 --- a/sigv4/sigv4_config_test.go +++ b/sigv4/sigv4_config_test.go @@ -41,9 +41,12 @@ func testGoodConfig(t *testing.T, filename string) { } func TestGoodSigV4Configs(t *testing.T) { - filesToTest := []string{"testdata/sigv4_good.yaml", "testdata/sigv4_good.yaml"} + filesToTest := []string{"testdata/sigv4_good.yaml", "testdata/sigv4_good.yaml", "testdata/sigv4_good_secret_key_file.yaml"} + for _, filename := range filesToTest { - testGoodConfig(t, filename) + t.Run(filename, func(t *testing.T) { + testGoodConfig(t, filename) + }) } } diff --git a/sigv4/testdata/secret_key.txt b/sigv4/testdata/secret_key.txt new file mode 100644 index 00000000..052cb553 --- /dev/null +++ b/sigv4/testdata/secret_key.txt @@ -0,0 +1 @@ +SecretKey diff --git a/sigv4/testdata/sigv4_good_secret_key_file.yaml b/sigv4/testdata/sigv4_good_secret_key_file.yaml new file mode 100644 index 00000000..c7b95f42 --- /dev/null +++ b/sigv4/testdata/sigv4_good_secret_key_file.yaml @@ -0,0 +1,5 @@ +region: us-east-2 +access_key: AccessKey +secret_key_file: testdata/secret_key.txt +profile: profile +role_arn: blah:role/arn
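Review bot: In `UnmarshalYAML`, a config that sets both `secret_key` and `secret_key_file` is accepted and the file is silently ignored, because the guard `len(c.SecretKey) == 0 && len(c.SecretKeyFile) != 0` only loads the file when no inline key is present. An operator who moves the key into a file but leaves a stale inline value would keep signing with the old key and get no error. I would reject the combination before loading, e.g. `if len(c.SecretKey) != 0 && len(c.SecretKeyFile) != 0 { return fmt.Errorf("at most one of secret_key & secret_key_file must be configured") }`. The key is also read once, at unmarshal time, so a rotated file takes effect only when the config is parsed again, and `LoadFromFile` is not shown here, so it is worth confirming how it resolves a relative path and whether it trims a trailing newline. The start of `UnmarshalYAML` is outside this hunk.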
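Review bot: In `TestGoodSigV4Configs` the new fixture is covered only on the success path, and nothing in this hunk checks the value that ends up in `SecretKey`. `testdata/secret_key.txt` is added without a `\ No newline at end of file` marker, so it ends in a newline; if that newline survives loading, the config still parses but requests would be signed with the wrong key. `testGoodConfig` lies outside the hunk, so I cannot tell whether it compares the loaded key; if it does not, assert that it equals `SecretKey` exactly, and add a failing case whose `secret_key_file` names a missing file. Now that each file runs as a subtest, the duplicated `"testdata/sigv4_good.yaml"` entry produces two subtests with the same name, so the second one can be dropped.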