Commit
Document more details of aws auth
ralphbean committed Jul 29, 2024
1 parent 8a6266d commit 1f907c3
Showing 4 changed files with 13 additions and 8 deletions.
2 changes: 1 addition & 1 deletion task/oci-copy-oci-ta/0.1/README.md
Expand Up @@ -5,7 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
## Parameters
|name|description|default value|required|
|---|---|---|---|
|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false|
|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false|
|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
|IMAGE|Reference of the image we will push||true|
|OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
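Review bot: "If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME" promises more than the step checks. The S3 branch is entered only when both values are non-empty (`if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then`), so naming a secret that is missing one of the two documented keys does not take precedence over anything; it silently falls through to the non-AWS path. Either phrase the row as "If specified and the secret contains both keys, ..." or, better, make the step fail when AWS_SECRET_NAME is set to something other than the default and either key is absent, so a misconfigured secret is a loud error rather than a quiet change of auth mechanism.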
9 changes: 6 additions & 3 deletions task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
Expand Up @@ -14,9 +14,11 @@ spec:
arbitrary urls into the OCI registry.
params:
- name: AWS_SECRET_NAME
description: Name of a secret which will be made available to the build
to construct Authorization headers for requests to Amazon S3. If specified,
this will take precedence over BEARER_TOKEN_SECRET_NAME.
description: 'Name of a secret which will be made available to the build
to construct Authorization headers for requests to Amazon S3 using
https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.
If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.
The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.'
type: string
default: does-not-exist
- name: BEARER_TOKEN_SECRET_NAME
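Review bot: style point on the description scalar: it is now a single-quoted multi-line string, while the same parameter in task/oci-copy/0.1/oci-copy.yaml in this commit uses `description: >-`. The quoting is only needed because `two keys:` introduces a colon that a plain scalar cannot carry; switching to the folded block style here as well removes the quoting and keeps the two task definitions consistent. The wording itself is fine, but it is now repeated verbatim in the task's README.md, so if that file is maintained by hand the two need to be edited together.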
Expand Down Expand Up @@ -136,6 +138,7 @@ spec:
curl_args=(--fail --silent --show-error)
if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then
echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket"
# This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
path=$(echo "$url" | cut -d/ -f4-)
echo "Bucket path is $path"
date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"
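Review bot: the new comment claims this block implements the linked SigV4 Authorization-header scheme, but the line right after it does not match that page. SigV4 signs an ISO 8601 basic timestamp (`x-amz-date`, for example 20240729T000000Z) over a canonical request with a credential scope and an HMAC-SHA256 key-derivation chain, whereas `date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"` builds the RFC 1123 `Date` header value that the older AWS signature version 2 (`Authorization: AWS AccessKeyId:Signature`) uses. Please check which scheme the signing lines below this hunk actually compute: if it is version 2, the comment and the doc links added to the README and the param description should point at that scheme instead, and it is worth noting that AWS requires SigV4 in regions launched since 2014; if it is meant to be SigV4, the date handling here needs to change.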
5 changes: 2 additions & 3 deletions task/oci-copy/0.1/README.md
Expand Up @@ -13,9 +13,8 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
|---|---|---|---|
|IMAGE|Reference of the image buildah will produce.||true|
|OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false|
|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false|

|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false|

## Results
|name|description|
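Review bot: the BEARER_TOKEN_SECRET_NAME row changes only by dropping the quotes around its default. That is a correction rather than a drive-by, since the task YAML declares `default: "does-not-exist"`, a quoted YAML scalar whose value is does-not-exist, and it brings this README in line with the oci-copy-oci-ta one; still, it is unrelated to "Document more details of aws auth" and deserves a mention in the commit message. Dropping one of the two blank lines after the table is fine.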
5 changes: 4 additions & 1 deletion task/oci-copy/0.1/oci-copy.yaml
Expand Up @@ -28,7 +28,9 @@ spec:
- name: AWS_SECRET_NAME
description: >-
Name of a secret which will be made available to the build to construct Authorization headers for requests to
Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.
Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.
If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys:
`aws_access_key_id` and `aws_secret_access_key`.
type: string
default: "does-not-exist"
results:
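Review bot: missing documentation: the description names the secret keys `aws_access_key_id` and `aws_secret_access_key`, but the step tests `${AWS_ACCESS_KEY_ID}` and `${AWS_SECRET_ACCESS_KEY}`; one sentence saying the two keys are surfaced to the step as those environment variables would save a user who cannot get the S3 branch to trigger from reading the task. It would also help to say that, exactly like the bearer token, the credentials are read from the environment rather than selected per URL, so a single IAM identity signs every S3 URL in the oci-copy file; recommend a read-only identity scoped to the buckets being copied from.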
Expand Down Expand Up @@ -121,6 +123,7 @@ spec:
curl_args=(--fail --silent --show-error)
if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then
echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket"
# This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
path=$(echo "$url" | cut -d/ -f4-)
echo "Bucket path is $path"
date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"
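Review bot: `path=$(echo "$url" | cut -d/ -f4-)` takes everything after the third slash as the resource to sign, so it only lines up with path-style URLs (`https://<host>/<bucket>/<key>`) and will include any query string verbatim. The new comment and the parameter docs should state the expected URL form, because a virtual-hosted-style URL (`https://<bucket>.s3.<region>.amazonaws.com/<key>`) yields a `path` without the bucket and may sign a different resource than S3 computes, and the only diagnostic a user gets is the `Bucket path is` log line. Separately, the RFC 1123 `date` on the line after this comment is the signature version 2 format rather than the `x-amz-date` the linked SigV4 page requires, so the link should be checked against what the signing code below actually produces.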

0 comments on commit 1f907c3