Support loading the secret key from a file

sigv4/go.mod

@@ -5,7 +5,7 @@ go 1.15
 require (
 	github.com/aws/aws-sdk-go v1.38.35
 	github.com/prometheus/client_golang v1.11.0
-	github.com/prometheus/common v0.29.0
+	github.com/prometheus/common v0.31.2-0.20211011203104-9789762a2ddb
 	github.com/stretchr/testify v1.7.0
 	gopkg.in/yaml.v2 v2.4.0
 )

sigv4/go.sum

@@ -175,6 +175,8 @@ github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB8
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.29.0 h1:3jqPBvKT4OHAbje2Ql7KeaaSicDBCxMYwEJU1zRJceE=
 github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
+github.com/prometheus/common v0.31.2-0.20211011203104-9789762a2ddb h1:nDUL0g/BSYon1707Ums2YQG50fvMgV2D8otbQZHNnEs=
+github.com/prometheus/common v0.31.2-0.20211011203104-9789762a2ddb/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=

sigv4/sigv4_config.go

@@ -23,11 +23,12 @@ import (
 // AWS's SigV4 verification process. Empty values will be retrieved using the
 // AWS default credentials chain.
 type SigV4Config struct {
-	Region    string        `yaml:"region,omitempty"`
-	AccessKey string        `yaml:"access_key,omitempty"`
-	SecretKey config.Secret `yaml:"secret_key,omitempty"`
-	Profile   string        `yaml:"profile,omitempty"`
-	RoleARN   string        `yaml:"role_arn,omitempty"`
+	Region        string        `yaml:"region,omitempty"`
+	AccessKey     string        `yaml:"access_key,omitempty"`
+	SecretKey     config.Secret `yaml:"secret_key,omitempty"`
+	SecretKeyFile string        `yaml:"secret_key_file,omitempty"`
+	Profile       string        `yaml:"profile,omitempty"`
+	RoleARN       string        `yaml:"role_arn,omitempty"`
 }
 
 func (c *SigV4Config) Validate() error {
@@ -43,5 +44,12 @@ func (c *SigV4Config) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	if err := unmarshal((*plain)(c)); err != nil {
 		return err
 	}
+
+	if len(c.SecretKey) == 0 && len(c.SecretKeyFile) != 0 {
+		if err := c.SecretKey.LoadFromFile(c.SecretKeyFile); err != nil {
+			return fmt.Errorf("cannot read sigv4 secret key from %s: %w", c.SecretKeyFile, err)
+		}
+	}
+
 	return c.Validate()
 }

sigv4/sigv4_config_test.go

@@ -41,9 +41,12 @@ func testGoodConfig(t *testing.T, filename string) {
 }
 
 func TestGoodSigV4Configs(t *testing.T) {
-	filesToTest := []string{"testdata/sigv4_good.yaml", "testdata/sigv4_good.yaml"}
+	filesToTest := []string{"testdata/sigv4_good.yaml", "testdata/sigv4_good.yaml", "testdata/sigv4_good_secret_key_file.yaml"}
+
 	for _, filename := range filesToTest {
-		testGoodConfig(t, filename)
+		t.Run(filename, func(t *testing.T) {
+			testGoodConfig(t, filename)
+		})
 	}
 }
 

sigv4/testdata/secret_key.txt

@@ -0,0 +1 @@
+SecretKey

sigv4/testdata/sigv4_good_secret_key_file.yaml

@@ -0,0 +1,5 @@
+region: us-east-2
+access_key: AccessKey
+secret_key_file: testdata/secret_key.txt
+profile: profile
+role_arn: blah:role/arn