Merge pull request #426 from christophe-scalepad/master

feat: Add option to automatically mount AWS auth tokens when using docker compose run command

Author: pzeballos

README.md

@@ -78,6 +78,14 @@ Whether or not to automatically propagate all pipeline environment variables int
 
 **Important**: only pipeline environment variables will be propagated (what you see in the BuildKite UI, those listed in `$BUILDKITE_ENV_FILE`). This does not include variables exported in preceeding `environment` hooks. If you wish for those to be propagated you will need to list them specifically or use `env-propagation-list`.
 
+### `propagate-aws-auth-tokens` (run only, boolean)
+
+Whether or not to automatically propagate aws authentication environment variables into the docker container. Avoiding the need to be specified with `environment`. This is useful for example if you are using an assume role plugin or you want to pass the role of an agent running in ECS or EKS to the docker container.
+
+Will propagate `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_DEFAULT_REGION`, `AWS_STS_REGIONAL_ENDPOINTS`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_ROLE_ARN`, `AWS_CONTAINER_CREDENTIALS_FULL_URI`, `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`, and `AWS_CONTAINER_AUTHORIZATION_TOKEN`, only if they are set already.
+
+When the `AWS_WEB_IDENTITY_TOKEN_FILE` is specified, it will also mount it automatically for you and make it usable within the container.
+
 #### `command` (run only, array)
 
 Sets the command for the Docker image, and defaults the `shell` option to `false`. Useful if the Docker image has an entrypoint, or doesn't contain a shell.

commands/run.sh

@@ -112,6 +112,49 @@ if [[ "$(plugin_read_config PROPAGATE_ENVIRONMENT "false")" =~ ^(true|on|1)$ ]]
   fi
 fi
 
+# Propagate AWS credentials if requested
+if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$ ]] ; then
+  if [[ -n "${AWS_ACCESS_KEY_ID:-}" ]] ; then
+      run_params+=( --env "AWS_ACCESS_KEY_ID" )
+  fi
+  if [[ -n "${AWS_SECRET_ACCESS_KEY:-}" ]] ; then
+      run_params+=( --env "AWS_SECRET_ACCESS_KEY" )
+  fi
+  if [[ -n "${AWS_SESSION_TOKEN:-}" ]] ; then
+      run_params+=( --env "AWS_SESSION_TOKEN" )
+  fi
+  if [[ -n "${AWS_REGION:-}" ]] ; then
+      run_params+=( --env "AWS_REGION" )
+  fi
+  if [[ -n "${AWS_DEFAULT_REGION:-}" ]] ; then
+      run_params+=( --env "AWS_DEFAULT_REGION" )
+  fi
+  if [[ -n "${AWS_ROLE_ARN:-}" ]] ; then
+      run_params+=( --env "AWS_ROLE_ARN" )
+  fi
+  if [[ -n "${AWS_STS_REGIONAL_ENDPOINTS:-}" ]] ; then
+      run_params+=( --env "AWS_STS_REGIONAL_ENDPOINTS" )
+  fi
+  # Pass ECS variables when the agent is running in ECS
+  # https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
+  if [[ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]] ; then
+      run_params+=( --env "AWS_CONTAINER_CREDENTIALS_FULL_URI" )
+  fi
+  if [[ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] ; then
+      run_params+=( --env "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" )
+  fi
+  if [[ -n "${AWS_CONTAINER_AUTHORIZATION_TOKEN:-}" ]] ; then
+      run_params+=( --env "AWS_CONTAINER_AUTHORIZATION_TOKEN" )
+  fi
+  # Pass EKS variables when the agent is running in EKS
+  # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
+  if [[ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]] ; then
+      run_params+=( --env "AWS_WEB_IDENTITY_TOKEN_FILE" )
+      # Add the token file as a volume
+      run_params+=( --volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}" )
+  fi
+fi
+
 # If requested, propagate a set of env vars as listed in a given env var to the
 # container.
 if [[ -n "$(plugin_read_config ENV_PROPAGATION_LIST)" ]]; then