Allow customize aws and vault audience (#18840)

gitpod-io · Oct 10, 2023 · 5363519 · 5363519
1 parent 822a34c
commit 5363519
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/components/gitpod-cli/cmd/idp-login-aws.go b/components/gitpod-cli/cmd/idp-login-aws.go
@@ -24,6 +24,7 @@ var idpLoginAwsOpts struct {
 	RoleARN         string
 	Profile         string
 	DurationSeconds int
+	Audience        []string
 }
 
 var idpLoginAwsCmd = &cobra.Command{
@@ -42,7 +43,7 @@ var idpLoginAwsCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 		defer cancel()
 
-		tkn, err := idpToken(ctx, []string{idpAudienceAWS})
+		tkn, err := idpToken(ctx, idpLoginAwsOpts.Audience)
 		if err != nil {
 			return err
 		}
@@ -96,6 +97,7 @@ func init() {
 	idpLoginCmd.AddCommand(idpLoginAwsCmd)
 
 	idpLoginAwsCmd.Flags().StringVar(&idpLoginAwsOpts.RoleARN, "role-arn", os.Getenv("IDP_AWS_ROLE_ARN"), "AWS role to assume (defaults to IDP_AWS_ROLE_ARN env var)")
+	idpLoginAwsCmd.Flags().StringArrayVar(&idpLoginAwsOpts.Audience, "audience", []string{idpAudienceAWS}, "audience of the ID token")
 	idpLoginAwsCmd.Flags().StringVarP(&idpLoginAwsOpts.Profile, "profile", "p", "default", "AWS profile to configure")
 	idpLoginAwsCmd.Flags().IntVarP(&idpLoginAwsOpts.DurationSeconds, "duration-seconds", "d", 3600, "Duration in seconds for which the credentials will be valid (defaults to 3600), upper bound is controlled by the AWS maximum session duration. See https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html")
 	_ = idpLoginAwsCmd.MarkFlagFilename("profile")

diff --git a/components/gitpod-cli/cmd/idp-login-vault.go b/components/gitpod-cli/cmd/idp-login-vault.go
@@ -20,7 +20,8 @@ const (
 )
 
 var idpLoginVaultOpts struct {
-	Role string
+	Role     string
+	Audience []string
 }
 
 var idpLoginVaultCmd = &cobra.Command{
@@ -32,7 +33,7 @@ var idpLoginVaultCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 		defer cancel()
 
-		tkn, err := idpToken(ctx, []string{idpAudienceVault})
+		tkn, err := idpToken(ctx, idpLoginVaultOpts.Audience)
 		if err != nil {
 			return err
 		}
@@ -63,5 +64,6 @@ var idpLoginVaultCmd = &cobra.Command{
 func init() {
 	idpLoginCmd.AddCommand(idpLoginVaultCmd)
 
+	idpLoginVaultCmd.Flags().StringArrayVar(&idpLoginVaultOpts.Audience, "audience", []string{idpAudienceVault}, "audience of the ID token")
 	idpLoginVaultCmd.Flags().StringVar(&idpLoginVaultOpts.Role, "role", os.Getenv("IDP_VAULT_ROLE"), "Vault role to assume (defaults to IDP_VAULT_ROLE env var)")
 }