in internal/cloud/eksauth/service.go [40:78]
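// GetIamCredentials exchanges the service account token in request for
// temporary IAM credentials by calling EKS Auth's AssumeRoleForPodIdentity.
//
// It returns the credentials, response metadata derived from the pod identity
// association ID, and a non-nil error when the call fails or the response is
// missing any field this function dereferences. The raw EKS Auth response is
// never formatted into an error message, since it carries the secret access
// key and session token.
func (s *service) GetIamCredentials(ctx context.Context,
	request *credentials.EksCredentialsRequest) (*credentials.EksCredentialsResponse, credentials.ResponseMetadata, error) {
	log := logger.FromContext(ctx)
	log.Info("Calling EKS Auth to fetch credentials")
	startRequestTime := time.Now()
	creds, err := s.eksAuthService.AssumeRoleForPodIdentity(ctx, &eksauth.AssumeRoleForPodIdentityInput{
		ClusterName: aws.String(request.ClusterName),
		Token:       aws.String(request.ServiceAccountToken),
	})
	if err != nil {
		return nil, nil, fmt.Errorf("unable to fetch credentials from EKS Auth: %w", err)
	}
	// Every pointer dereferenced below is validated first so that a partially
	// populated response yields an error instead of a nil-pointer panic.
	// The response struct is deliberately not printed with %v: it contains
	// the secret access key and session token.
	if creds.Credentials == nil || creds.AssumedRoleUser == nil || creds.PodIdentityAssociation == nil {
		return nil, nil, fmt.Errorf("invalid response from server: credentials, assumed role or pod identity association empty")
	}
	c := creds.Credentials
	if c.AccessKeyId == nil || c.SecretAccessKey == nil || c.SessionToken == nil || c.Expiration == nil {
		return nil, nil, fmt.Errorf("invalid response from server: incomplete credentials")
	}
	user := creds.AssumedRoleUser
	if user.Arn == nil || user.AssumeRoleId == nil {
		return nil, nil, fmt.Errorf("invalid response from server: incomplete assumed role user")
	}
	if creds.PodIdentityAssociation.AssociationId == nil {
		return nil, nil, fmt.Errorf("invalid response from server: pod identity association id empty")
	}
	// Only non-secret identifiers are logged; the credential material itself
	// never reaches the log.
	log.WithFields(logrus.Fields{
		"request_time_ms":  time.Since(startRequestTime).Milliseconds(),
		"fetched_role_arn": *user.Arn,
		"fetched_role_id":  *user.AssumeRoleId,
	}).Infof("Successfully fetched credentials from EKS Auth")
	// TODO: do not parse account ID from arn
	parsedArn, err := arn.Parse(*user.Arn)
	if err != nil {
		// %w keeps the parse error inspectable by callers via errors.Is/As.
		return nil, nil, fmt.Errorf("unable to parse arn from assumed role: %w", err)
	}
	return &credentials.EksCredentialsResponse{
		AccessKeyId:     *c.AccessKeyId,
		SecretAccessKey: *c.SecretAccessKey,
		Token:           *c.SessionToken,
		AccountId:       parsedArn.AccountID,
		Expiration:      credentials.SdkCompliantExpirationTime{Time: *c.Expiration},
	}, responseMetadata(*creds.PodIdentityAssociation.AssociationId), nil
}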