From 365cec1a90abedf91db2e4c7962fbf8767d80548 Mon Sep 17 00:00:00 2001
From: Felix Moessbauer
Date: Fri, 1 Dec 2023 05:01:17 +0100
Subject: [PATCH] kas-container(aws): support OAuth 2.0 workflow

This patch adds support for the OAuth 2.0 based authentication for aws inside the kas container. The corresponding web token file is copied into the configuration landing site inside the container and the ARN role variable is forwarded.

Signed-off-by: Felix Moessbauer
Signed-off-by: Jan Kiszka
---
 kas-container | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/kas-container b/kas-container
index e3bd59bd..0c363c91 100755
--- a/kas-container
+++ b/kas-container
@@ -469,6 +469,15 @@ if [ -n "${KAS_AWS_DIR}" ] ; then
 -e AWS_CONFIG_FILE="${AWS_CONFIG_FILE:-/var/kas/userdata/.aws/config}" \
 -e AWS_SHARED_CREDENTIALS_FILE="${AWS_SHARED_CREDENTIALS_FILE:-/var/kas/userdata/.aws/credentials}"
 fi
+if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE}" ] ; then
+ if [ ! -f "${AWS_WEB_IDENTITY_TOKEN_FILE}" ]; then
+ echo "Passed AWS_WEB_IDENTITY_TOKEN_FILE '${AWS_WEB_IDENTITY_TOKEN_FILE}' is not a directory"
+ exit 1
+ fi
+ set -- "$@" -v "$(readlink -fv "${AWS_WEB_IDENTITY_TOKEN_FILE}")":/var/kas/userdata/.aws/web_identity_token:ro \
+ -e AWS_WEB_IDENTITY_TOKEN_FILE="${AWS_CONFIG_FILE:-/var/kas/userdata/.aws/web_identity_token}" \
+ -e AWS_ROLE_ARN="${AWS_ROLE_ARN}"
+fi
 KAS_GIT_CREDENTIAL_HELPER_DEFAULT=""
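Review bot: The added line `-e AWS_WEB_IDENTITY_TOKEN_FILE="${AWS_CONFIG_FILE:-/var/kas/userdata/.aws/web_identity_token}"` expands AWS_CONFIG_FILE rather than the token variable, so whenever the host exports AWS_CONFIG_FILE (which the KAS_AWS_DIR branch just above deliberately honours) the container's token path is set to the config-file path and the web-identity credential provider reads the wrong file or fails; since the bind-mount target is fixed, the value should be the constant `-e AWS_WEB_IDENTITY_TOKEN_FILE=/var/kas/userdata/.aws/web_identity_token \`. The diagnostic a few lines earlier does not match its test: `[ ! -f ... ]` rejects anything that is not a regular file, so the message should read `echo "Passed AWS_WEB_IDENTITY_TOKEN_FILE '${AWS_WEB_IDENTITY_TOKEN_FILE}' is not a file" >&2`, which also keeps the error off stdout. AWS_ROLE_ARN is forwarded even when unset or empty; if the SDK inside the container requires it alongside the token, a `[ -n "${AWS_ROLE_ARN}" ]` check with the same exit-1 handling would fail early on the host instead of at the first AWS call, though I cannot tell from the hunk whether an empty value is an intended case. The hunk's trailing context appears to run past the end of the visible page.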