This solves it.

Reviewed-on: Siteworxpro/aws-iam-anywhere-refresher#1
Co-authored-by: Ron Rise <ron@siteworxpro.com>
Co-committed-by: Ron Rise <ron@siteworxpro.com>

.gitea/workflows/build.yml

@@ -0,0 +1,51 @@
+on:
+  push:
+    tags:
+      - "v*"
+
+name: 🏗️✨ Build Workflow
+
+jobs:
+  Build:
+    name: 🖥️ 🔨 Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: 🛡️ 🔒 Add Siteworx CA Certificates
+        run: |
+          apt update && apt install -yq ca-certificates curl
+          curl -Ls https://siteworxpro.com/hosted/Siteworx+Root+CA.pem -o /usr/local/share/ca-certificates/sw.crt
+          update-ca-certificates
+
+      - name: 📖 🔍 Checkout Repository Code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+
+      - name: 🔑 🔐 Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: 🏗️ 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: 🐳 🔨 Build Backend Container
+        uses: docker/build-push-action@v6
+        with:
+          provenance: true
+          sbom: true
+          push: true
+          context: .
+          dockerfile: Dockerfile
+          tags: siteworxpro/aws-iam-anywhere:${{ gitea.ref_name }}
+
+      - name: 🐳 🔨 Build Backend Container - Latest Tag
+        uses: docker/build-push-action@v6
+        with:
+          provenance: true
+          sbom: true
+          push: true
+          context: .
+          dockerfile: Dockerfile
+          tags: siteworxpro/aws-iam-anywhere:latest

.gitea/workflows/tests.yml

@@ -33,6 +33,7 @@ jobs:
       - name: 🐳 🔨 Build Backend Container
         uses: docker/build-push-action@v6
         with:
+          platforms: linux/amd64
           context: .
           dockerfile: Dockerfile
-          tags: siteworxpro/template:${{ gitea.ref_name }}
+          tags: siteworxpro/aws-iam-anywhere:${{ gitea.ref_name }}

Dockerfile

@@ -8,13 +8,17 @@ ENV GOPRIVATE=git.siteworxpro.com
 
 RUN go mod download && go build -o aws-iam-anywhere-refresher .
 
-FROM alpine:latest AS runtime
+FROM ubuntu:latest AS runtime
+
+RUN apt update && apt install -yq ca-certificates curl
+RUN curl -Ls https://siteworxpro.com/hosted/Siteworx+Root+CA.pem -o /usr/local/share/ca-certificates/sw.crt \
+    && update-ca-certificates
 
 WORKDIR /app
 
-COPY --from=build /app/aws-iam-anywhere-refresher aws-iam-anywhere-refresher
+COPY --from=build /app/aws-iam-anywhere-refresher /app/aws-iam-anywhere-refresher
 
-RUN adduser -D -H iam && \
+RUN useradd -b /app iam && \
     chown iam:iam /app/aws-iam-anywhere-refresher
 USER iam
 

README.md

@@ -28,6 +28,7 @@ This image runs in a kubernetes cronjob and will create and save new IAM credent
 - `TRUSTED_ANCHOR_ARN` ***required*** : the trusted anchor arn
 - `PRIVATE_KEY` ***required*** : iam private key base64 encoded
 - `CERTIFICATE` ***required*** : iam certificate base64 encoded
+- `CA_CHAIN` : the certificate chain bundle if needed
 
 ```yaml
 

aws_signing_helper/pkcs8_utils.go

@@ -30,13 +30,10 @@ import (
 
 	"errors"
 	"fmt"
-	"hash"
-	"log"
-	"os"
-	"strings"
-
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/crypto/scrypt"
+	"hash"
+	"os"
 )
 
 // as defined in https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.4
@@ -239,9 +236,6 @@ func readPKCS8PrivateKey(privateKeyId string) (crypto.PrivateKey, error) {
 func readPKCS8EncryptedPrivateKey(privateKeyId string, pkcs8Password []byte) (crypto.PrivateKey, error) {
 	block, err := parseDERFromPEMForPKCS8(privateKeyId, encryptedBlockType)
 	if err != nil {
-		if Debug && strings.Contains(err.Error(), `The block type detected is PRIVATE KEY`) {
-			log.Println("PKCS#8 password provided but block type indicates that one isn't required.")
-		}
 		return nil, errors.New("could not parse PEM data")
 	}
 

aws_signing_helper/signer.go

@@ -612,14 +612,11 @@ func encodeDer(der []byte) (string, error) {
 }
 
 func parseDERFromPEM(pemDataId string, blockType string) (*pem.Block, error) {
-	bts, err := os.ReadFile(pemDataId)
-	if err != nil {
-		return nil, err
-	}
+	b := []byte(pemDataId)
 
 	var block *pem.Block
-	for len(bts) > 0 {
-		block, bts = pem.Decode(bts)
+	for len(b) > 0 {
+		block, b = pem.Decode(b)
 		if block == nil {
 			return nil, errors.New("unable to parse PEM data")
 		}
@@ -631,24 +628,17 @@ func parseDERFromPEM(pemDataId string, blockType string) (*pem.Block, error) {
 }
 
 func ReadCertificateBundleData(certificateBundleId string) ([]*x509.Certificate, error) {
-	bts, err := os.ReadFile(certificateBundleId)
-	if err != nil {
-		return nil, err
-	}
 
 	var derBytes []byte
 	var block *pem.Block
-	for len(bts) > 0 {
-		block, bts = pem.Decode(bts)
-		if block == nil {
-			break
-		}
+	block, _ = pem.Decode([]byte(certificateBundleId))
+
 	if block.Type != "CERTIFICATE" {
 		return nil, errors.New("invalid certificate chain")
 	}
+
 	blockBytes := block.Bytes
 	derBytes = append(derBytes, blockBytes...)
-	}
 
 	return x509.ParseCertificates(derBytes)
 }

config/config.go

@@ -1,6 +1,11 @@
 package config
 
-import "git.siteworxpro.com/packages/go/utilities/Env"
+import (
+	"encoding/base64"
+	"fmt"
+	"git.siteworxpro.com/packages/go/utilities/Env"
+	"regexp"
+)
 
 const (
 	namespace          Env.EnvironmentVariable = "NAMESPACE"
@@ -10,8 +15,10 @@ const (
 	trustedAnchorArn   Env.EnvironmentVariable = "TRUSTED_ANCHOR_ARN"
 	privateKey         Env.EnvironmentVariable = "PRIVATE_KEY"
 	certificate        Env.EnvironmentVariable = "CERTIFICATE"
+	bundleId           Env.EnvironmentVariable = "CA_CHAIN"
 	sessionDuration    Env.EnvironmentVariable = "SESSION_DURATION"
 	restartDeployments Env.EnvironmentVariable = "RESTART_DEPLOYMENTS"
+	fetchOnly          Env.EnvironmentVariable = "FETCH_ONLY"
 )
 
 type Config struct{}
@@ -20,6 +27,59 @@ func NewConfig() *Config {
 	return &Config{}
 }
 
+func (c Config) Valid() error {
+	// Certificate Required
+	if c.Certificate() == "" {
+		return fmt.Errorf("certificate is required")
+	}
+
+	// Private Key Required
+	if c.PrivateKey() == "" {
+		return fmt.Errorf("private Key is required")
+	}
+
+	// Role ARN Required
+	if c.RoleArn() == "" {
+		return fmt.Errorf("role ARN is required")
+	}
+
+	if !regexp.MustCompile(`^arn:aws:iam::[0-9]{10,13}:role/[\w\D]*$`).MatchString(c.RoleArn()) {
+		return fmt.Errorf("role ARN %s is invalid", c.RoleArn())
+	}
+
+	if c.ProfileArn() == "" {
+		return fmt.Errorf("profile ARN is required")
+	}
+
+	if !regexp.MustCompile(`^arn:aws:rolesanywhere:[\w-]*:\d{10,12}:profile/[\w\D]*$`).MatchString(c.ProfileArn()) {
+		return fmt.Errorf("profile ARN %s is invalid", c.ProfileArn())
+	}
+
+	// Trusted Anchor ARN Required
+	if c.TrustedAnchor() == "" {
+		return fmt.Errorf("trusted anchor ARN is required")
+	}
+
+	if !regexp.MustCompile(`^arn:aws:rolesanywhere:[\w-]*:\d{10,12}:trust-anchor/[\w\D]*$`).MatchString(c.TrustedAnchor()) {
+		return fmt.Errorf("trusted anchor %s ARN is invalid", c.TrustedAnchor())
+	}
+
+	return nil
+}
+
+func (Config) BundleId() string {
+	v, err := base64.StdEncoding.DecodeString(bundleId.GetEnvString(""))
+	if err != nil {
+		return ""
+	}
+
+	return string(v)
+}
+
+func (Config) FetchOnly() bool {
+	return fetchOnly.GetEnvBool(false)
+}
+
 func (Config) Namespace() string {
 	return namespace.GetEnvString("")
 }
@@ -41,11 +101,21 @@ func (Config) TrustedAnchor() string {
 }
 
 func (Config) PrivateKey() string {
-	return privateKey.GetEnvString("")
+	v, err := base64.StdEncoding.DecodeString(privateKey.GetEnvString(""))
+	if err != nil {
+		return ""
+	}
+
+	return string(v)
 }
 
 func (Config) Certificate() string {
-	return certificate.GetEnvString("")
+	v, err := base64.StdEncoding.DecodeString(certificate.GetEnvString(""))
+	if err != nil {
+		return ""
+	}
+
+	return string(v)
 }
 
 func (Config) SessionDuration() int64 {

main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"encoding/base64"
 	helper "gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/aws_signing_helper"
 	"gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/cmd"
 	appConfig "gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/config"
@@ -18,35 +17,21 @@ func main() {
 		ReportTimestamp: true,
 		TimeFormat:      time.RFC3339,
 	})
+
 	l.Info("Starting credentials refresh")
 
-	client, err := kube_client.NewKubeClient()
-	if err != nil {
-		l.Error("Failed to create kubernetes client", "error", err)
-
-		os.Exit(1)
-	}
-
 	c := appConfig.NewConfig()
 
-	privateKey, err := base64.StdEncoding.DecodeString(c.PrivateKey())
+	err := c.Valid()
 	if err != nil {
-		l.Error("Failed to decode private key", "error", err)
-		os.Exit(1)
-	}
-
-	certificate, err := base64.StdEncoding.DecodeString(c.Certificate())
-	if err != nil {
-		l.Error("Failed to decode certificate", "error", err)
+		l.Error("Invalid configuration", "error", err)
 		os.Exit(1)
 	}
 
 	credentials, err := cmd.Run(&helper.CredentialsOpts{
-		PrivateKeyId:  string(privateKey),
-		CertificateId: string(certificate),
-		CertIdentifier: helper.CertIdentifier{
-			SystemStoreName: "MY",
-		},
+		PrivateKeyId:        c.PrivateKey(),
+		CertificateId:       c.Certificate(),
+		CertificateBundleId: c.BundleId(),
 		RoleArn:             c.RoleArn(),
 		ProfileArnStr:       c.ProfileArn(),
 		TrustAnchorArnStr:   c.TrustedAnchor(),
@@ -61,6 +46,22 @@ func main() {
 
 	l.Info("Credentials refreshed")
 
+	if c.FetchOnly() {
+		l.Info("Fetch only mode, skipping secret update")
+
+		l.Info("AccessKeyId", "access-key-id", credentials.AccessKeyId)
+		l.Info("SecretAccessKey", "secret-access-key", credentials.SecretAccessKey)
+		l.Info("SessionToken", "session-token", credentials.SessionToken)
+		os.Exit(0)
+	}
+
+	client, err := kube_client.NewKubeClient()
+	if err != nil {
+		l.Error("Failed to create kubernetes client", "error", err)
+
+		os.Exit(1)
+	}
+
 	_, err = client.GetSecret(c.Namespace(), c.Secret())
 	if err != nil {
 		l.Error("Failed to get secret", "error", err)