Document more details of aws auth

task/oci-copy-oci-ta/0.1/README.md

@@ -5,7 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
 ## Parameters
 |name|description|default value|required|
 |---|---|---|---|
-|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false|
+|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false|
 |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
 |IMAGE|Reference of the image we will push||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|

task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml

@@ -14,9 +14,11 @@ spec:
     arbitrary urls into the OCI registry.
   params:
     - name: AWS_SECRET_NAME
-      description: Name of a secret which will be made available to the build
-        to construct Authorization headers for requests to Amazon S3. If specified,
-        this will take precedence over BEARER_TOKEN_SECRET_NAME.
+      description: 'Name of a secret which will be made available to the build
+        to construct Authorization headers for requests to Amazon S3 using
+        https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.
+        If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.
+        The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.'
       type: string
       default: does-not-exist
     - name: BEARER_TOKEN_SECRET_NAME
@@ -136,6 +138,7 @@ spec:
           curl_args=(--fail --silent --show-error)
           if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then
             echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket"
+            # This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
             path=$(echo "$url" | cut -d/ -f4-)
             echo "Bucket path is $path"
             date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"

task/oci-copy/0.1/README.md

@@ -13,9 +13,8 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
 |---|---|---|---|
 |IMAGE|Reference of the image buildah will produce.||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
-|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false|
-|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false|
-
+|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
+|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false|
 
 ## Results
 |name|description|

task/oci-copy/0.1/oci-copy.yaml

@@ -28,7 +28,9 @@ spec:
     - name: AWS_SECRET_NAME
       description: >-
         Name of a secret which will be made available to the build to construct Authorization headers for requests to
-        Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.
+        Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.
+        If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys:
+        `aws_access_key_id` and `aws_secret_access_key`.
       type: string
       default: "does-not-exist"
   results:
@@ -121,6 +123,7 @@ spec:
           curl_args=(--fail --silent --show-error)
           if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then
             echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket"
+            # This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
             path=$(echo "$url" | cut -d/ -f4-)
             echo "Bucket path is $path"
             date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"