From 02cb5598c46b071777fc005f55233c6dce538754 Mon Sep 17 00:00:00 2001
From: "A.Bescond" <redref@users.noreply.github.com>
Date: Tue, 12 Jul 2022 20:56:08 +0200
Subject: [PATCH] feat(aws_kms): EC2/EKS role support (#223)

* fix(aws_kms): gracefully fail on keys in list (AccessDeniedException)

* feat(aws_kms): EC2/EKS role support

Make credentials optional in order to let AWS SDK fallback to other
auth providers.
---
 pkg/vault/aws/awskms.go | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/pkg/vault/aws/awskms.go b/pkg/vault/aws/awskms.go
index 2463d905..1e636b54 100644
--- a/pkg/vault/aws/awskms.go
+++ b/pkg/vault/aws/awskms.go
@@ -11,6 +11,7 @@ import (
 	"os"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/ecadlabs/signatory/pkg/config"
@@ -23,8 +24,8 @@ import (
 // Config contains AWS KMS backend configuration
 type Config struct {
 	UserName    string `yaml:"user_name" validate:"required"`
-	AccessKeyID string `yaml:"access_key_id" validate:"required"`
-	AccessKey   string `yaml:"secret_access_key" validate:"required"`
+	AccessKeyID string `yaml:"access_key_id"`
+	AccessKey   string `yaml:"secret_access_key"`
 	Region      string `yaml:"region" validate:"required"`
 }
 
@@ -106,7 +107,15 @@ func (i *awsKMSIterator) Next() (key vault.StoredKey, err error) {
 
 	key, err = i.v.GetPublicKey(i.ctx, *i.lko.Keys[i.index].KeyId)
 	i.index += 1
-	return
+	if err != nil {
+		if aerr, ok := err.(awserr.Error); ok {
+			switch aerr.Code() {
+			case "AccessDeniedException":
+				return i.Next() // If access denied, return Next
+			}
+		}
+	}
+	return key, err
 }
 
 // ListPublicKeys returns a list of keys stored under the backend
@@ -154,8 +163,10 @@ func (v *Vault) Sign(ctx context.Context, digest []byte, key vault.StoredKey) (c
 
 // New creates new AWS KMS backend
 func New(ctx context.Context, config *Config) (*Vault, error) {
-	os.Setenv("AWS_ACCESS_KEY_ID", config.AccessKeyID)
-	os.Setenv("AWS_SECRET_ACCESS_KEY", config.AccessKey)
+	if config.AccessKeyID != "" {
+		os.Setenv("AWS_ACCESS_KEY_ID", config.AccessKeyID)
+		os.Setenv("AWS_SECRET_ACCESS_KEY", config.AccessKey)
+	}
 	os.Setenv("AWS_REGION", config.Region)
 	sess := session.Must(session.NewSession())