argoproj · alexec · Mar 19, 2020 · Mar 18, 2020 · Mar 18, 2020 · Mar 18, 2020
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
@@ -2435,6 +2435,11 @@
         "secretKeySecret": {
           "title": "SecretKeySecret is the secret selector to the bucket's secret key",
           "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector"
+        },
+        "useSDKCreds": {
+          "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults.",
+          "type": "boolean",
+          "format": "boolean"
         }
       }
     },

diff --git a/docs/configure-artifact-repository.md b/docs/configure-artifact-repository.md
@@ -123,6 +123,7 @@ data:
         secretKeySecret:                #omit if accessing via AWS IAM
           name: my-minio-cred
           key: secretkey
+        useSDKCreds: true               #tells argo to use AWS SDK's default provider chain, enable for things like IRSA support
 ```
 The secrets are retrieved from the namespace you use to run your workflows. Note that you can specify a `keyPrefix`.
 

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/aliyun/aliyun-oss-go-sdk v2.0.6+incompatible
-	github.com/argoproj/pkg v0.0.0-20200226231057-d69f0b04da65
+	github.com/argoproj/pkg v0.0.0-20200318225345-d3be5f29b1a8
 	github.com/aws/aws-sdk-go v1.27.1 // indirect
 	github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f // indirect
 	github.com/beorn7/perks v1.0.1 // indirect

diff --git a/go.sum b/go.sum
@@ -41,8 +41,8 @@ github.com/aliyun/aliyun-oss-go-sdk v2.0.6+incompatible/go.mod h1:T/Aws4fEfogEE9
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
-github.com/argoproj/pkg v0.0.0-20200226231057-d69f0b04da65 h1:bBC9exkuWvqhyDDhoNr66BpE6B4f+vxxKIXKxg6E6us=
-github.com/argoproj/pkg v0.0.0-20200226231057-d69f0b04da65/go.mod h1:2EZ44RG/CcgtPTwrRR0apOc7oU6UIw8GjCUJWZ8X3bM=
+github.com/argoproj/pkg v0.0.0-20200318145624-4a09c98c01ea h1:YZl3PlsfTujZsiOK3Uhf+KemT5z2pVlfzJdrU0S1qEw=
+github.com/argoproj/pkg v0.0.0-20200318145624-4a09c98c01ea/go.mod h1:2EZ44RG/CcgtPTwrRR0apOc7oU6UIw8GjCUJWZ8X3bM=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU=

diff --git a/pkg/apiclient/cronworkflow/cron-workflow.swagger.json b/pkg/apiclient/cronworkflow/cron-workflow.swagger.json
@@ -1252,6 +1252,11 @@
         "roleARN": {
           "type": "string",
           "description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume."
+        },
+        "useSDKCreds": {
+          "type": "boolean",
+          "format": "boolean",
+          "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults."
         }
       },
       "title": "S3Bucket contains the access information required for interfacing with an S3 bucket"

diff --git a/pkg/apiclient/workflow/workflow.swagger.json b/pkg/apiclient/workflow/workflow.swagger.json
@@ -1621,6 +1621,11 @@
         "roleARN": {
           "type": "string",
           "description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume."
+        },
+        "useSDKCreds": {
+          "type": "boolean",
+          "format": "boolean",
+          "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults."
         }
       },
       "title": "S3Bucket contains the access information required for interfacing with an S3 bucket"

diff --git a/pkg/apiclient/workflowarchive/workflow-archive.swagger.json b/pkg/apiclient/workflowarchive/workflow-archive.swagger.json
@@ -1052,6 +1052,11 @@
         "roleARN": {
           "type": "string",
           "description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume."
+        },
+        "useSDKCreds": {
+          "type": "boolean",
+          "format": "boolean",
+          "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults."
         }
       },
       "title": "S3Bucket contains the access information required for interfacing with an S3 bucket"

diff --git a/pkg/apiclient/workflowtemplate/workflow-template.swagger.json b/pkg/apiclient/workflowtemplate/workflow-template.swagger.json
@@ -1120,6 +1120,11 @@
         "roleARN": {
           "type": "string",
           "description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume."
+        },
+        "useSDKCreds": {
+          "type": "boolean",
+          "format": "boolean",
+          "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults."
         }
       },
       "title": "S3Bucket contains the access information required for interfacing with an S3 bucket"

diff --git a/pkg/apis/workflow/v1alpha1/workflow_types.go b/pkg/apis/workflow/v1alpha1/workflow_types.go
@@ -1151,6 +1151,9 @@ type S3Bucket struct {
 
 	// RoleARN is the Amazon Resource Name (ARN) of the role to assume.
 	RoleARN string `json:"roleARN,omitempty" protobuf:"bytes,7,opt,name=roleARN"`
+
+	// UseSDKCreds tells the driver to figure out credentials based on sdk defaults.
+	UseSDKCreds bool `json:"useSDKCreds,omitempty" protobuf:"varint,8,opt,name=useSDKCreds"`
 }
 
 // S3Artifact is the location of an S3 artifact

diff --git a/workflow/artifacts/artifacts.go b/workflow/artifacts/artifacts.go
@@ -46,12 +46,13 @@ func NewDriver(art *wfv1.Artifact, ri resource.Interface) (ArtifactDriver, error
 		}
 
 		driver := s3.S3ArtifactDriver{
-			Endpoint:  art.S3.Endpoint,
-			AccessKey: accessKey,
-			SecretKey: secretKey,
-			Secure:    art.S3.Insecure == nil || !*art.S3.Insecure,
-			Region:    art.S3.Region,
-			RoleARN:   art.S3.RoleARN,
+			Endpoint:    art.S3.Endpoint,
+			AccessKey:   accessKey,
+			SecretKey:   secretKey,
+			Secure:      art.S3.Insecure == nil || !*art.S3.Insecure,
+			Region:      art.S3.Region,
+			RoleARN:     art.S3.RoleARN,
+			UseSDKCreds: art.S3.UseSDKCreds,
 		}
 		return &driver, nil
 	}

diff --git a/workflow/artifacts/s3/s3.go b/workflow/artifacts/s3/s3.go
@@ -16,24 +16,26 @@ import (
 
 // S3ArtifactDriver is a driver for AWS S3
 type S3ArtifactDriver struct {
-	Endpoint  string
-	Region    string
-	Secure    bool
-	AccessKey string
-	SecretKey string
-	RoleARN   string
+	Endpoint    string
+	Region      string
+	Secure      bool
+	AccessKey   string
+	SecretKey   string
+	RoleARN     string
+	UseSDKCreds bool
 }
 
 // newMinioClient instantiates a new minio client object.
 func (s3Driver *S3ArtifactDriver) newS3Client() (argos3.S3Client, error) {
 	opts := argos3.S3ClientOpts{
-		Endpoint:  s3Driver.Endpoint,
-		Region:    s3Driver.Region,
-		Secure:    s3Driver.Secure,
-		AccessKey: s3Driver.AccessKey,
-		SecretKey: s3Driver.SecretKey,
-		RoleARN:   s3Driver.RoleARN,
-		Trace:     os.Getenv(common.EnvVarArgoTrace) == "1",
+		Endpoint:    s3Driver.Endpoint,
+		Region:      s3Driver.Region,
+		Secure:      s3Driver.Secure,
+		AccessKey:   s3Driver.AccessKey,
+		SecretKey:   s3Driver.SecretKey,
+		RoleARN:     s3Driver.RoleARN,
+		Trace:       os.Getenv(common.EnvVarArgoTrace) == "1",
+		UseSDKCreds: s3Driver.UseSDKCreds,
 	}
 	return argos3.NewS3Client(opts)
 }