From e117ae60fe8adb64fc3221b3119a681aff973ca1 Mon Sep 17 00:00:00 2001 From: Ilya Verbitskiy Date: Sun, 2 Aug 2020 17:36:40 +0200 Subject: [PATCH] oidc: ignore default AWS config This commit makes the aws-cli-oidc tool ignore all the default AWS configurations like env vars, credential files, and config files. This fixes a circular dependency where the OIDC tool tries to analyze the profile configrations which in turn rely on an already executed (aws-cli-oidc) credential process. --- internal/aws_oidc.go | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/internal/aws_oidc.go b/internal/aws_oidc.go index f1489fa..324a5fa 100755 --- a/internal/aws_oidc.go +++ b/internal/aws_oidc.go @@ -1,6 +1,7 @@ package internal import ( + "context" "encoding/json" "fmt" "log" @@ -8,9 +9,9 @@ import ( "strings" "time" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/sts" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/aws/defaults" + "github.com/aws/aws-sdk-go-v2/service/sts" ) const expiryDelta = 10 * time.Second @@ -68,13 +69,6 @@ func GetCredentialsWithOIDC(client *OIDCClient, idToken string, roleARN string, } func assumeRoleWithWebIdentity(client *OIDCClient, idToken string, roleARN string, durationSeconds int64) (*AWSCredentials, error) { - sess, err := session.NewSession() - if err != nil { - return nil, fmt.Errorf("failed to create session: %v", err) - } - - svc := sts.New(sess) - username := os.Getenv("USER") split := strings.SplitN(roleARN, "/", 2) rolename := client.name 
@@ -84,12 +78,15 @@ func assumeRoleWithWebIdentity(client *OIDCClient, idToken string, roleARN strin log.Println("Requesting AWS credentials using ID Token") - resp, err := svc.AssumeRoleWithWebIdentity(&sts.AssumeRoleWithWebIdentityInput{ + cfg := defaults.Config() + cfg.Region = "eu-central-1" + req := sts.New(cfg).AssumeRoleWithWebIdentityRequest(&sts.AssumeRoleWithWebIdentityInput{ RoleArn: aws.String(roleARN), RoleSessionName: aws.String(username + "@" + rolename), WebIdentityToken: aws.String(idToken), DurationSeconds: aws.Int64(durationSeconds), }) + resp, err := req.Send(context.Background()) if err != nil { return nil, fmt.Errorf("error retrieving STS credentials using ID Token: %v", err) }
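Review bot: The added `resp, err := req.Send(context.Background())` carries no deadline, so a stalled connection to STS hangs this call indefinitely; since the tool is meant to run as an `aws` credential_process, that stall blocks every CLI invocation that depends on the profile. Replace it with `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)`, `defer cancel()`, `resp, err := req.Send(ctx)` (the file already imports `time`). The hard-coded `cfg.Region = "eu-central-1"` also deserves a comment explaining that it is only there to pick an STS endpoint now that `defaults.Config()` ignores the shared config, and ideally should come from the tool's own OIDC client configuration rather than a literal, given the commit deliberately avoids reading AWS env vars and profiles. The body of assumeRoleWithWebIdentity starts before and continues after this hunk.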