

Merge pull request #951 from gcs278/OCPBUGS-14998
OCPBUGS-14998: Only use RoleARN for Route53 API
openshift-merge-robot authored Jun 27, 2023
2 parents ecb3786 + 047bd98 commit d319e46
Showing 1 changed file with 11 additions and 5 deletions.
16 changes: 11 additions & 5 deletions pkg/dns/aws/dns.go
Expand Up @@ -94,7 +94,8 @@ type Config struct {
// that is used by SDK to configure the credentials.
SharedCredentialFile string

// RoleARN is an optional ARN to use for the AWS client session.
// RoleARN is an optional ARN to use for the AWS client session that is
// intended to only provide access to another account's Route 53 service.
RoleARN string

// Region is the AWS region ELBs are created in.
Expand Down Expand Up @@ -144,9 +145,6 @@ func NewProvider(config Config, operatorReleaseVersion string) (*Provider, error
Name: "openshift.io/ingress-operator",
Fn: request.MakeAddToUserAgentHandler("openshift.io ingress-operator", operatorReleaseVersion),
})
if config.RoleARN != "" {
sess.Config.WithCredentials(stscreds.NewCredentials(sess, config.RoleARN))
}

if len(region) == 0 {
if sess.Config.Region != nil {
Expand All @@ -157,6 +155,14 @@ func NewProvider(config Config, operatorReleaseVersion string) (*Provider, error
}
}

// When RoleARN is provided, make a copy of the Route 53 session and configure it to use RoleARN.
// RoleARN is intended to only provide access to another account's Route 53 service, not for ELBs.
sessRoute53 := sess
if config.RoleARN != "" {
sessRoute53 = sess.Copy()
sessRoute53.Config.WithCredentials(stscreds.NewCredentials(sessRoute53, config.RoleARN))
}

r53Config := aws.NewConfig()
// elb requires no special region treatment.
elbConfig := aws.NewConfig().WithRegion(region)
Expand Down Expand Up @@ -238,7 +244,7 @@ func NewProvider(config Config, operatorReleaseVersion string) (*Provider, error
// TODO: Add custom endpoint support for elbv2. See the following for details:
// https://docs.aws.amazon.com/general/latest/gr/elb.html
elbv2: elbv2.New(sess, aws.NewConfig().WithRegion(region)),
route53: route53.New(sess, r53Config),
route53: route53.New(sessRoute53, r53Config),
tags: tags,
config: config,
idsToTags: map[string]map[string]string{},
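Review bot: The assumed-role credentials built by stscreds.NewCredentials at the `sessRoute53.Config.WithCredentials(...)` line are lazy, so a malformed RoleARN or a denied AssumeRole surfaces only on the first Route 53 call rather than from NewProvider; retrieving them once here would make provider construction fail with a clear error, e.g. `if _, err := sessRoute53.Config.Credentials.Get(); err != nil { return nil, fmt.Errorf("assuming role %q for route53: %w", config.RoleARN, err) }` (assuming fmt is already imported in this file). If the STS call is deliberately deferred, say because startup should not depend on STS reachability, a short comment stating that would save the next reader the same question. The comment above the copy reads as if the Route 53 session itself is copied; clearer wording would be `// When RoleARN is provided, derive a separate session for Route 53 that assumes the role. The base session and its credentials stay in use for the ELB and tagging clients.` NewProvider starts and ends outside this hunk.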

