From 1f907c30284a4f9fc5d9a0dc83194d2108f7933c Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Mon, 29 Jul 2024 08:37:34 -0400
Subject: [PATCH] Document more details of aws auth

---
 task/oci-copy-oci-ta/0.1/README.md | 2 +-
 task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 9 ++++++---
 task/oci-copy/0.1/README.md | 5 ++---
 task/oci-copy/0.1/oci-copy.yaml | 5 ++++-
 4 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md
index 15e9b788a8..efbb6cc53c 100644
--- a/task/oci-copy-oci-ta/0.1/README.md
+++ b/task/oci-copy-oci-ta/0.1/README.md
@@ -5,7 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
 ## Parameters
 |name|description|default value|required|
 |---|---|---|---|
-|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false|
+|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false|
 |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
 |IMAGE|Reference of the image we will push||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 77d79427c7..b651ee6263 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -14,9 +14,11 @@ spec: arbitrary urls into the OCI registry. params: - name: AWS_SECRET_NAME - description: Name of a secret which will be made available to the build - to construct Authorization headers for requests to Amazon S3. If specified, - this will take precedence over BEARER_TOKEN_SECRET_NAME. + description: 'Name of a secret which will be made available to the build + to construct Authorization headers for requests to Amazon S3 using + https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. + If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. + The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.' type: string default: does-not-exist - name: BEARER_TOKEN_SECRET_NAME @@ -136,6 +138,7 @@ spec: curl_args=(--fail --silent --show-error) if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" + # This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html path=$(echo "$url" | cut -d/ -f4-) echo "Bucket path is $path" date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')" diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index 51daee2400..d683c579d6 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md 
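Review bot: The added comment states that the block below implements SigV4, but the one signing-related line visible in the hunk, `date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"`, produces the RFC 1123 HTTP `Date` form that AWS Signature Version 2 signs over; SigV4 is computed from an `x-amz-date` value in `YYYYMMDDTHHMMSSZ` form together with a credential scope (region/service/`aws4_request`), and nothing of that shape is visible here. The rest of the signing code and the end of the enclosing `if` block lie outside the hunk, so this cannot be confirmed from the diff alone, but if the scheme is really SigV2 then the new comment and the reworded AWS_SECRET_NAME descriptions in all four files name the wrong mechanism, and SigV2 is not accepted by S3 regions opened after 2014, so users pointing this task at such a bucket would get an auth failure the documentation does not explain. I would either verify the header lines that follow against the linked SigV4 walkthrough before landing this, or make the comment say what is actually computed, e.g. `# NOTE: confirm the Date/Authorization headers below follow SigV4 (x-amz-date + credential scope); the RFC 1123 Date format suggests the older SigV2 scheme`. The identical comment is added in the task/oci-copy/0.1/oci-copy.yaml hunk and the same check applies there.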
@@ -13,9 +13,8 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
 |---|---|---|---|
 |IMAGE|Reference of the image buildah will produce.||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
-|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false|
-|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false|
-
+|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
+|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false|
 
 ## Results
 |name|description|
diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml
index 979502dd71..50ee4210db 100644
--- a/task/oci-copy/0.1/oci-copy.yaml
+++ b/task/oci-copy/0.1/oci-copy.yaml
@@ -28,7 +28,9 @@ spec: - name: AWS_SECRET_NAME description: >- Name of a secret which will be made available to the build to construct Authorization headers for requests to - Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. + Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. + If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: + `aws_access_key_id` and `aws_secret_access_key`. type: string default: "does-not-exist" results: @@ -121,6 +123,7 @@ spec: curl_args=(--fail --silent --show-error) if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" + # This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html path=$(echo "$url" | cut -d/ -f4-) echo "Bucket path is $path" date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"