From d414a9007d5c61649b21f77753a9d5f07077f44a Mon Sep 17 00:00:00 2001
From: "christophe.vandekerchove"
Date: Tue, 6 Feb 2024 15:41:36 -0500
Subject: [PATCH 1/4] feat: Add option to propagate AWS auth tokens on run

This will allow user to simply ensure that AWS Auth tokens are being pushed from the current env into the running containers. It supports all current methods AWS offers for authentication with env variables.
---
 commands/run.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/commands/run.sh b/commands/run.sh
index 180e182a..a3d40492 100755
--- a/commands/run.sh
+++ b/commands/run.sh
@@ -112,6 +112,49 @@ if [[ "$(plugin_read_config PROPAGATE_ENVIRONMENT "false")" =~ ^(true|on|1)$ ]]
 fi
 fi
 
+# Propagate AWS credentials if requested
+if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$ ]] ; then
+ if [[ -n "${AWS_ACCESS_KEY_ID:-}" ]] ; then
+ run_params+=( --env "AWS_ACCESS_KEY_ID" )
+ fi
+ if [[ -n "${AWS_SECRET_ACCESS_KEY:-}" ]] ; then
+ run_params+=( --env "AWS_SECRET_ACCESS_KEY" )
+ fi
+ if [[ -n "${AWS_SESSION_TOKEN:-}" ]] ; then
+ run_params+=( --env "AWS_SESSION_TOKEN" )
+ fi
+ if [[ -n "${AWS_REGION:-}" ]] ; then
+ run_params+=( --env "AWS_REGION" )
+ fi
+ if [[ -n "${AWS_DEFAULT_REGION:-}" ]] ; then
+ run_params+=( --env "AWS_DEFAULT_REGION" )
+ fi
+ if [[ -n "${AWS_ROLE_ARN:-}" ]] ; then
+ run_params+=( --env "AWS_ROLE_ARN" )
+ fi
+ if [[ -n "${AWS_STS_REGIONAL_ENDPOINTS:-}" ]] ; then
+ run_params+=( --env "AWS_STS_REGIONAL_ENDPOINTS" )
+ fi
+ # Pass ECS variables when the agent is running in ECS
+ # https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
+ if [[ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]] ; then
+ run_params+=( --env "AWS_CONTAINER_CREDENTIALS_FULL_URI" )
+ fi
+ if [[ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] ; then
+ run_params+=( --env "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" )
+ fi
+ if [[ -n "${AWS_CONTAINER_AUTHORIZATION_TOKEN:-}" ]] ; then
+ run_params+=( --env "AWS_CONTAINER_AUTHORIZATION_TOKEN" )
+ fi
+ # Pass EKS variables when the agent is running in EKS
+ # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
+ if [[ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]] ; then
+ run_params+=( --env "AWS_WEB_IDENTITY_TOKEN_FILE" )
+ # Add the token file as a volume
+ run_params+=( --volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}" )
+ fi
+fi
+
 # If requested, propagate a set of env vars as listed in a given env var to the
 # container.
if [[ -n "$(plugin_read_config ENV_PROPAGATION_LIST)" ]]; then
From 32f040d98b723619d14af59d144a391c943d06e2 Mon Sep 17 00:00:00 2001
From: "christophe.vandekerchove"
Date: Wed, 7 Feb 2024 08:19:56 -0500
Subject: [PATCH 2/4] fix: Add debug

---
 commands/run.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/commands/run.sh b/commands/run.sh
index a3d40492..7181fabe 100755
--- a/commands/run.sh
+++ b/commands/run.sh
@@ -153,6 +153,8 @@ if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$
 # Add the token file as a volume
 run_params+=( --volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}" )
 fi
+else
+ echo -n "🚨 Not propagating aws auth tokens"
 fi
 
 # If requested, propagate a set of env vars as listed in a given env var to the
From 80a280e3fb8226de133681cf9244fe7ea8f68811 Mon Sep 17 00:00:00 2001
From: "christophe.vandekerchove"
Date: Wed, 7 Feb 2024 09:57:16 -0500
Subject: [PATCH 3/4] feat: Add more logs

---
 commands/run.sh | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/commands/run.sh b/commands/run.sh
index 7181fabe..11a17a88 100755
--- a/commands/run.sh
+++ b/commands/run.sh
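Review bot: The IRSA token is bind-mounted read-write by the `--volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}"` line near the end of the hunk; the job only needs to read it, so append `:ro` so a job command cannot overwrite or replace the token the agent itself authenticates with. That same line is a host bind mount resolved by the Docker daemon, so when the agent is itself a pod or task the projected token path presumably exists only in the agent's own filesystem and the mount will fail or produce an empty directory on the host — worth a caveat in the README rather than a fix here. The eleven `-n` guards above it differ only in the variable name and would read better as one loop over a list using `${!var}` indirection, as below.
```shell
# Propagate AWS credentials if requested
if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$ ]] ; then
  # Static keys / STS session, region, assume-role, ECS task-role and EKS IRSA
  # variables; only those already set in the agent environment are passed through.
  aws_auth_vars=(
    AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    AWS_REGION AWS_DEFAULT_REGION AWS_ROLE_ARN AWS_STS_REGIONAL_ENDPOINTS
    AWS_CONTAINER_CREDENTIALS_FULL_URI AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
    AWS_CONTAINER_AUTHORIZATION_TOKEN AWS_WEB_IDENTITY_TOKEN_FILE
  )
  for aws_var in "${aws_auth_vars[@]}"; do
    if [[ -n "${!aws_var:-}" ]] ; then
      run_params+=( --env "${aws_var}" )
    fi
  done
  # The IRSA token is a file: bind-mount it read-only at the same path so the
  # SDK inside the container can read it but the job cannot replace it.
  if [[ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]] ; then
    run_params+=( --volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}:ro" )
  fi
fi
```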
@@ -116,35 +116,55 @@ fi
 if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$ ]] ; then
 if [[ -n "${AWS_ACCESS_KEY_ID:-}" ]] ; then
 run_params+=( --env "AWS_ACCESS_KEY_ID" )
+ else
+ echo "🚨 AWS_ACCESS_KEY_ID is not set, not propagating"
 fi
 if [[ -n "${AWS_SECRET_ACCESS_KEY:-}" ]] ; then
 run_params+=( --env "AWS_SECRET_ACCESS_KEY" )
+ else
+ echo "🚨 AWS_SECRET_ACCESS_KEY is not set, not propagating"
 fi
 if [[ -n "${AWS_SESSION_TOKEN:-}" ]] ; then
 run_params+=( --env "AWS_SESSION_TOKEN" )
+ else
+ echo "🚨 AWS_SESSION_TOKEN is not set, not propagating"
 fi
 if [[ -n "${AWS_REGION:-}" ]] ; then
 run_params+=( --env "AWS_REGION" )
+ else
+ echo "🚨 AWS_REGION is not set, not propagating"
 fi
 if [[ -n "${AWS_DEFAULT_REGION:-}" ]] ; then
 run_params+=( --env "AWS_DEFAULT_REGION" )
+ else
+ echo "🚨 AWS_DEFAULT_REGION is not set, not propagating"
 fi
 if [[ -n "${AWS_ROLE_ARN:-}" ]] ; then
 run_params+=( --env "AWS_ROLE_ARN" )
+ else
+ echo "🚨 AWS_ROLE_ARN is not set, not propagating"
 fi
 if [[ -n "${AWS_STS_REGIONAL_ENDPOINTS:-}" ]] ; then
 run_params+=( --env "AWS_STS_REGIONAL_ENDPOINTS" )
+ else
+ echo "🚨 AWS_STS_REGIONAL_ENDPOINTS is not set, not propagating"
 fi
 # Pass ECS variables when the agent is running in ECS
 # https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
 if [[ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]] ; then
 run_params+=( --env "AWS_CONTAINER_CREDENTIALS_FULL_URI" )
+ else
+ echo "🚨 AWS_CONTAINER_CREDENTIALS_FULL_URI is not set, not propagating"
 fi
 if [[ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] ; then
 run_params+=( --env "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" )
+ else
+ echo "🚨 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set, not propagating"
 fi
 if [[ -n "${AWS_CONTAINER_AUTHORIZATION_TOKEN:-}" ]] ; then
 run_params+=( --env "AWS_CONTAINER_AUTHORIZATION_TOKEN" )
+ else
+ echo "🚨 AWS_CONTAINER_AUTHORIZATION_TOKEN is not set, not propagating"
 fi
 # Pass EKS variables when the agent is running in EKS
 # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
@@ -152,9 +172,11 @@ if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$
 run_params+=( --env "AWS_WEB_IDENTITY_TOKEN_FILE" )
 # Add the token file as a volume
 run_params+=( --volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}" )
+ else
+ echo "🚨 AWS_WEB_IDENTITY_TOKEN_FILE is not set, not propagating"
 fi
 else
- echo -n "🚨 Not propagating aws auth tokens"
+ echo "🚨 Not propagating AWS credentials to container as PROPAGATE_AWS_AUTH_TOKENS is not set to true"
 fi
 
 # If requested, propagate a set of env vars as listed in a given env var to the
From 7c8295f912fb6082b1a2f44c6019f4fbb0dc9625 Mon Sep 17 00:00:00 2001
From: "christophe.vandekerchove"
Date: Wed, 21 Feb 2024 13:32:40 -0500
Subject: [PATCH 4/4] chore: Update documentation for the new option

---
 README.md | 8 ++++++++
 commands/run.sh | 24 ------------------------
 2 files changed, 8 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index c0530ea5..caaf5978 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,14 @@ Whether or not to automatically propagate all pipeline environment variables int
 
 **Important**: only pipeline environment variables will be propagated (what you see in the BuildKite UI, those listed in `$BUILDKITE_ENV_FILE`). This does not include variables exported in preceeding `environment` hooks. If you wish for those to be propagated you will need to list them specifically or use `env-propagation-list`.
 
+### `propagate-aws-auth-tokens` (run only, boolean)
+
+Whether or not to automatically propagate aws authentication environment variables into the docker container. Avoiding the need to be specified with `environment`. This is useful for example if you are using an assume role plugin or you want to pass the role of an agent running in ECS or EKS to the docker container.
+
+Will propagate `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_DEFAULT_REGION`, `AWS_STS_REGIONAL_ENDPOINTS`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_ROLE_ARN`, `AWS_CONTAINER_CREDENTIALS_FULL_URI`, `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`, and `AWS_CONTAINER_AUTHORIZATION_TOKEN`, only if they are set already.
+
+When the `AWS_WEB_IDENTITY_TOKEN_FILE` is specified, it will also mount it automatically for you and make it usable within the container.
+
 #### `command` (run only, array)
 
 Sets the command for the Docker image, and defaults the `shell` option to `false`. Useful if the Docker image has an entrypoint, or doesn't contain a shell.
diff --git a/commands/run.sh b/commands/run.sh
index 11a17a88..a3d40492 100755
--- a/commands/run.sh
+++ b/commands/run.sh
@@ -116,55 +116,35 @@ fi
 if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$ ]] ; then
 if [[ -n "${AWS_ACCESS_KEY_ID:-}" ]] ; then
 run_params+=( --env "AWS_ACCESS_KEY_ID" )
- else
- echo "🚨 AWS_ACCESS_KEY_ID is not set, not propagating"
 fi
 if [[ -n "${AWS_SECRET_ACCESS_KEY:-}" ]] ; then
 run_params+=( --env "AWS_SECRET_ACCESS_KEY" )
- else
- echo "🚨 AWS_SECRET_ACCESS_KEY is not set, not propagating"
 fi
 if [[ -n "${AWS_SESSION_TOKEN:-}" ]] ; then
 run_params+=( --env "AWS_SESSION_TOKEN" )
- else
- echo "🚨 AWS_SESSION_TOKEN is not set, not propagating"
 fi
 if [[ -n "${AWS_REGION:-}" ]] ; then
 run_params+=( --env "AWS_REGION" )
- else
- echo "🚨 AWS_REGION is not set, not propagating"
 fi
 if [[ -n "${AWS_DEFAULT_REGION:-}" ]] ; then
 run_params+=( --env "AWS_DEFAULT_REGION" )
- else
- echo "🚨 AWS_DEFAULT_REGION is not set, not propagating"
 fi
 if [[ -n "${AWS_ROLE_ARN:-}" ]] ; then
 run_params+=( --env "AWS_ROLE_ARN" )
- else
- echo "🚨 AWS_ROLE_ARN is not set, not propagating"
 fi
 if [[ -n "${AWS_STS_REGIONAL_ENDPOINTS:-}" ]] ; then
 run_params+=( --env "AWS_STS_REGIONAL_ENDPOINTS" )
- else
- echo "🚨 AWS_STS_REGIONAL_ENDPOINTS is not set, not propagating"
 fi
 # Pass ECS variables when the agent is running in ECS
 # https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
 if [[ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]] ; then
 run_params+=( --env "AWS_CONTAINER_CREDENTIALS_FULL_URI" )
- else
- echo "🚨 AWS_CONTAINER_CREDENTIALS_FULL_URI is not set, not propagating"
 fi
 if [[ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] ; then
 run_params+=( --env "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" )
- else
- echo "🚨 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set, not propagating"
 fi
 if [[ -n "${AWS_CONTAINER_AUTHORIZATION_TOKEN:-}" ]] ; then
 run_params+=( --env "AWS_CONTAINER_AUTHORIZATION_TOKEN" )
- else
- echo "🚨 AWS_CONTAINER_AUTHORIZATION_TOKEN is not set, not propagating"
 fi
 # Pass EKS variables when the agent is running in EKS
 # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
@@ -172,11 +152,7 @@ if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$
 run_params+=( --env "AWS_WEB_IDENTITY_TOKEN_FILE" )
 # Add the token file as a volume
 run_params+=( --volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}" )
- else
- echo "🚨 AWS_WEB_IDENTITY_TOKEN_FILE is not set, not propagating"
 fi
-else
- echo "🚨 Not propagating AWS credentials to container as PROPAGATE_AWS_AUTH_TOKENS is not set to true"
 fi
 
 # If requested, propagate a set of env vars as listed in a given env var to the