add aws secret handling (#161)

* add aws secret handling * make it look go-ish * fix tests * whitespace * sleep a bit
2025-11-29 05:46:50 +02:00 · 2022-10-12 19:14:57 +02:00
parent 00c83dfac7
commit b5cc1262e2
6 changed files with 202 additions and 2 deletions
--- a/cmd/backup/config.go
+++ b/cmd/backup/config.go
@@ -4,6 +4,7 @@
 package main

 import (
+	"os"
 	"fmt"
 	"regexp"
 	"time"
@@ -19,7 +20,9 @@ type Config struct {
 	AwsEndpointInsecure        bool          `split_words:"true"`
 	AwsStorageClass            string        `split_words:"true"`
 	AwsAccessKeyID             string        `envconfig:"AWS_ACCESS_KEY_ID"`
+	AwsAccessKeyIDFile         string        `envconfig:"AWS_ACCESS_KEY_ID_FILE"`
 	AwsSecretAccessKey         string        `split_words:"true"`
+	AwsSecretAccessKeyFile     string        `split_words:"true"`
 	AwsIamRoleEndpoint         string        `split_words:"true"`
 	BackupSources              string        `split_words:"true" default:"/backup"`
 	BackupFilename             string        `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.tar.gz"`
@@ -58,6 +61,17 @@ type Config struct {
 	LockTimeout                time.Duration `split_words:"true" default:"60m"`
 }

+func (c *Config) resolveSecret(envVar string, secretPath string) (string, error) {
+	if secretPath != "" {
+		data, err := os.ReadFile(secretPath)
+		if err != nil {
+			return "", fmt.Errorf("resolveSecret: error reading secret path: %w", err)
+		}
+		return string(data), nil
+	}
+	return envVar, nil
+}
+
 type RegexpDecoder struct {
 	Re *regexp.Regexp
 }
--- a/cmd/backup/script.go
+++ b/cmd/backup/script.go
@@ -121,10 +121,18 @@ func newScript() (*script, error) {
 	}

 	if s.c.AwsS3BucketName != "" {
+		accessKeyID, err := s.c.resolveSecret(s.c.AwsAccessKeyID, s.c.AwsAccessKeyIDFile)
+		if err != nil {
+			return nil, fmt.Errorf("newScript: error resolving AwsAccessKeyID: %w", err)
+		}
+		secretAccessKey, err := s.c.resolveSecret(s.c.AwsSecretAccessKey, s.c.AwsSecretAccessKeyFile)
+		if err != nil {
+			return nil, fmt.Errorf("newScript: error resolving AwsSecretAccessKey: %w", err)
+		}
 		s3Config := s3.Config{
 			Endpoint:         s.c.AwsEndpoint,
-			AccessKeyID:      s.c.AwsAccessKeyID,
-			SecretAccessKey:  s.c.AwsSecretAccessKey,
+			AccessKeyID:      accessKeyID,
+			SecretAccessKey:  secretAccessKey,
 			IamRoleEndpoint:  s.c.AwsIamRoleEndpoint,
 			EndpointProto:    s.c.AwsEndpointProto,
 			EndpointInsecure: s.c.AwsEndpointInsecure,