Release 1.11.0

Author: avinash1IBM

CHANGELOG.md

@@ -1,5 +1,18 @@
 # CHANGELOG
 
+## 1.11.0
+
+### Content
+
+#### Features
+
+* Trusted Profile Authentication Support for Compute Resources.
+
+#### Defect Fixes
+
+* Update dependencies
+* Support for Golang 1.22.0
+
 ## 1.10.3
 
 ### Content

aws/credentials/ibmiam/common.go

@@ -125,15 +125,10 @@ func (p *Provider) Retrieve() (credentials.Value, error) {
 		var returnErr error
 		if p.logLevel.Matches(aws.LogDebug) {
 			p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, "ERROR ON GET", err)
-			returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", err)
-		} else {
-			returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", nil)
 		}
+		returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", err)
 		return credentials.Value{}, returnErr
 	}
-	if p.logLevel.Matches(aws.LogDebug) {
-		p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, "GET TOKEN", tokenValue)
-	}
 
 	return credentials.Value{Token: *tokenValue, ProviderName: p.providerName, ProviderType: p.providerType,
 		ServiceInstanceID: p.serviceInstanceID}, nil

aws/credentials/ibmiam/env_provider_trusted_profile.go

@@ -0,0 +1,36 @@
+package ibmiam
+
+import (
+	"os"
+
+	"github.com/IBM/ibm-cos-sdk-go/aws"
+	"github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+)
+
+// EnvProviderName name of the IBM IAM provider that loads IAM trusted profile
+// credentials from environment variables
+const EnvProviderTrustedProfileName = "EnvProviderTrustedProfileIBM"
+
+// NewEnvProvider constructor of the IBM IAM provider that loads IAM trusted profile
+// credentials from environment variables
+// Parameter:
+//
+//	AWS Config
+//
+// Returns:
+//
+//	A new provider with AWS config, Trusted Profile ID, CR token file path, IBM IAM Authentication Server Endpoint and
+//	Service Instance ID
+func NewEnvProviderTrustedProfile(config *aws.Config) *TrustedProfileProvider {
+	trustedProfileID := os.Getenv("TRUSTED_PROFILE_ID")
+	serviceInstanceID := os.Getenv("IBM_SERVICE_INSTANCE_ID")
+	crTokenFilePath := os.Getenv("CR_TOKEN_FILE_PATH")
+	authEndPoint := os.Getenv("IBM_AUTH_ENDPOINT")
+
+	return NewTrustedProfileProvider(EnvProviderTrustedProfileName, config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID, "CR")
+}
+
+// NewEnvCredentials Constructor
+func NewEnvCredentialsTrustedProfile(config *aws.Config) *credentials.Credentials {
+	return credentials.NewCredentials(NewEnvProviderTrustedProfile(config))
+}

aws/credentials/ibmiam/iamcreds_file_utils.go

@@ -0,0 +1,25 @@
+package ibmiam
+
+import (
+	"os"
+
+	"github.com/IBM/ibm-cos-sdk-go/aws/awserr"
+)
+
+// Helper function to check whether both api-key and trusted-profile-id are set
+// in environment variables.
+//
+// Returns:
+//
+//	Error if both apiKey and trustedProfileID are set, nil if only either of them is set.
+func CheckForConflictingIamCredentials() error {
+	apiKey := os.Getenv("IBM_API_KEY_ID")
+	trustedProfileID := os.Getenv("TRUSTED_PROFILE_ID")
+
+	if apiKey != "" && trustedProfileID != "" {
+		return awserr.New("InvalidCredentials",
+			`only one of ApiKey or TrustedProfileID should be set, not both`,
+			nil)
+	}
+	return nil
+}

aws/credentials/ibmiam/trusted_profile.go

@@ -0,0 +1,158 @@
+package ibmiam
+
+import (
+	"github.com/IBM/go-sdk-core/v5/core"
+	"github.com/IBM/ibm-cos-sdk-go/aws"
+	"github.com/IBM/ibm-cos-sdk-go/aws/awserr"
+	"github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+	"github.com/IBM/ibm-cos-sdk-go/aws/credentials/ibmiam/token"
+)
+
+// Provider Struct
+type TrustedProfileProvider struct {
+	// Name of Provider
+	providerName string
+
+	// Type of Provider - SharedCred, SharedConfig, etc.
+	providerType string
+
+	// Authenticator instance, will be assigned dynamically
+	authenticator core.Authenticator
+
+	// Service Instance ID passes in a provider
+	serviceInstanceID string
+
+	// Error
+	ErrorStatus error
+
+	// Logger attributes
+	logger   aws.Logger
+	logLevel *aws.LogLevelType
+}
+
+// NewTrustedProfileProvider allows the creation of a custom IBM IAM Trusted Profile Provider
+// Parameters:
+//
+//	Provider Name
+//	AWS Config
+//	Trusted Profile ID
+//	CR token file path
+//	IBM IAM Authentication Server Endpoint
+//	Service Instance ID
+//	Resource type
+//
+// Returns:
+//
+//	TrustedProfileProvider
+func NewTrustedProfileProvider(providerName string, config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string,
+	serviceInstanceID string, resourceType string) (provider *TrustedProfileProvider) {
+	provider = new(TrustedProfileProvider)
+
+	provider.providerName = providerName
+	provider.providerType = "oauth"
+
+	logLevel := aws.LogLevel(aws.LogOff)
+	if config != nil && config.LogLevel != nil && config.Logger != nil {
+		logLevel = config.LogLevel
+		provider.logger = config.Logger
+	}
+	provider.logLevel = logLevel
+
+	if crTokenFilePath == "" {
+		provider.ErrorStatus = awserr.New("crTokenFilePathNotFound", "CR Token file path not found", nil)
+		if provider.logLevel.Matches(aws.LogDebug) {
+			provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+		}
+		return
+	}
+
+	if trustedProfileID == "" {
+		provider.ErrorStatus = awserr.New("trustedProfileIDNotFound", "Trusted profile id not found", nil)
+		if provider.logLevel.Matches(aws.LogDebug) {
+			provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+		}
+		return
+	}
+
+	provider.serviceInstanceID = serviceInstanceID
+
+	if authEndPoint == "" {
+		authEndPoint = defaultAuthEndPoint
+		if provider.logLevel.Matches(aws.LogDebug) {
+			provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", "using default auth endpoint", authEndPoint)
+		}
+	}
+
+	// This authenticator is dynamically initialized based on the resourceType parameter.
+	// Since only cr-token based resources is supported now, it is initialized directly.
+	// when other resources are supported, the authenticator should be initialized accordingly.
+	authenticator, err := core.NewContainerAuthenticatorBuilder().
+		SetCRTokenFilename(crTokenFilePath).
+		SetIAMProfileID(trustedProfileID).
+		SetURL(authEndPoint).
+		SetDisableSSLVerification(true).
+		Build()
+	if err != nil {
+		provider.ErrorStatus = awserr.New("errCreatingAuthenticatorClient", "cannot setup new Authenticator client", err)
+		if provider.logLevel.Matches(aws.LogDebug) {
+			provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+		}
+		return
+	}
+	provider.authenticator = authenticator
+
+	return provider
+}
+
+// IsValid ...
+// Returns:
+//
+//	TrustedProfileProvider validation - boolean
+func (p *TrustedProfileProvider) IsValid() bool {
+	return nil == p.ErrorStatus
+}
+
+// Retrieve ...
+// Returns:
+//
+//	Credential values
+//	Error
+func (p *TrustedProfileProvider) Retrieve() (credentials.Value, error) {
+	if p.ErrorStatus != nil {
+		if p.logLevel.Matches(aws.LogDebug) {
+			p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, p.ErrorStatus)
+		}
+		return credentials.Value{ProviderName: p.providerName}, p.ErrorStatus
+	}
+
+	// The respective resourceTypes's class should be called based on the resourceType parameter.
+	// Since only cr-token based resources is supported now, it is assigned to ContainerAuthenticator
+	// directly. when other resource types are supported, the respective class should be used accordingly.
+	tokenValue, err := p.authenticator.(*core.ContainerAuthenticator).GetToken()
+
+	if err != nil {
+		var returnErr error
+		if p.logLevel.Matches(aws.LogDebug) {
+			p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, "ERROR ON GET", err)
+		}
+		returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", err)
+		return credentials.Value{}, returnErr
+	}
+
+	return credentials.Value{
+		Token: token.Token{
+			AccessToken: tokenValue,
+			TokenType:   "Bearer",
+		},
+		ProviderName:      p.providerName,
+		ProviderType:      p.providerType,
+		ServiceInstanceID: p.serviceInstanceID,
+	}, nil
+}
+
+// IsExpired ...
+//
+//	TrustedProfileProvider expired or not - boolean
+func (p *TrustedProfileProvider) IsExpired() bool {
+	return true
+}

aws/credentials/ibmiam/trusted_profile_provider.go

@@ -0,0 +1,31 @@
+package ibmiam
+
+import (
+	"github.com/IBM/ibm-cos-sdk-go/aws"
+	"github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+)
+
+type ResourceType string
+
+// TrustedProfileProviderName name of the IBM IAM provider that uses IAM trusted-profile
+// details passed directly
+const (
+	TrustedProfileProviderName              = "TrustedProfileProviderIBM"
+	ResourceComputeResource    ResourceType = "CR"
+)
+
+// NewTrustedProfileProviderWithCR constructor of the IBM IAM provider that uses IAM trusted-profile
+// details passed
+// Returns: New TrustedProfileProvider (AWS type)
+func NewTrustedProfileProviderCR(config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string, serviceInstanceID string) *TrustedProfileProvider {
+	// Resource type ResourceComputeResource is passed to identify that this is a CR-token based
+	// resource.
+	return NewTrustedProfileProvider(TrustedProfileProviderName, config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID, string(ResourceComputeResource))
+}
+
+// NewTrustedProfileCredentials constructor for IBM IAM that uses IAM trusted-profile
+// credentials passed
+// Returns: credentials.NewCredentials(newTrustedProfileProvider()) (AWS type)
+func NewTrustedProfileCredentialsCR(config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string, serviceInstanceID string) *credentials.Credentials {
+	return credentials.NewCredentials(NewTrustedProfileProviderCR(config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID))
+}

aws/session/session.go

@@ -553,7 +553,6 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
 	// Configure credentials if not already set by the user when creating the
 	// Session.
 	if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
-		// IBM COS SDK Code -- START
 		if iBmIamCreds := getIBMIAMCredentials(userCfg); iBmIamCreds != nil {
 			cfg.Credentials = iBmIamCreds
 		} else {
@@ -601,6 +600,10 @@ func getIBMIAMCredentials(config *aws.Config) *credentials.Credentials {
 		return credentials.NewCredentials(provider)
 	}
 
+	if provider := ibmiam.NewEnvProviderTrustedProfile(config); provider.IsValid() {
+		return credentials.NewCredentials(provider)
+	}
+
 	if provider := ibmiam.NewSharedCredentialsProvider(config, "", ""); provider.IsValid() {
 		return credentials.NewCredentials(provider)
 	}

aws/version.go

@@ -7,6 +7,6 @@ package aws
 const SDKName = "ibm-cos-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.10.3"
+const SDKVersion = "1.11.0"
 
 // IBM COS SDK Code -- END

go.mod

@@ -1,15 +1,33 @@
 module github.com/IBM/ibm-cos-sdk-go
 
 require (
+	github.com/IBM/go-sdk-core/v5 v5.17.3
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/net v0.24.0
+	golang.org/x/net v0.26.0
 )
 
 require (
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+	github.com/go-openapi/errors v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.22.1 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.19.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )