Enable AWS IAM instance profiles configuration for Storage CLI (#629)

jochenehret · web-flow · commit cc1bf6b57af8 · 2026-03-12T12:22:58.000+01:00
diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_buildpacks.json.erb
@@ -46,10 +46,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = l.p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if l.p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", l.p("#{scope}.folder_name", nil))
   add_optional(options, "host", l.p("#{scope}.host", nil))
   add_optional(options, "port", l.p("#{scope}.port", nil))
diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_droplets.json.erb
@@ -46,10 +46,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = l.p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if l.p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", l.p("#{scope}.folder_name", nil))
   add_optional(options, "host", l.p("#{scope}.host", nil))
   add_optional(options, "port", l.p("#{scope}.port", nil))
diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_packages.json.erb
@@ -46,10 +46,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = l.p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if l.p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", l.p("#{scope}.folder_name", nil))
   add_optional(options, "host", l.p("#{scope}.host", nil))
   add_optional(options, "port", l.p("#{scope}.port", nil))
diff --git a/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb b/jobs/blobstore_benchmark/templates/storage_cli_config_resource_pool.json.erb
@@ -46,10 +46,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = l.p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if l.p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", l.p("#{scope}.folder_name", nil))
   add_optional(options, "host", l.p("#{scope}.host", nil))
   add_optional(options, "port", l.p("#{scope}.port", nil))
diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_buildpacks.json.erb
@@ -46,10 +46,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = l.p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if l.p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", l.p("#{scope}.folder_name", nil))
   add_optional(options, "host", l.p("#{scope}.host", nil))
   add_optional(options, "port", l.p("#{scope}.port", nil))
diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_droplets.json.erb
@@ -46,10 +46,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = l.p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if l.p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", l.p("#{scope}.folder_name", nil))
   add_optional(options, "host", l.p("#{scope}.host", nil))
   add_optional(options, "port", l.p("#{scope}.port", nil))
diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_packages.json.erb
@@ -46,10 +46,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = l.p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if l.p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", l.p("#{scope}.folder_name", nil))
   add_optional(options, "host", l.p("#{scope}.host", nil))
   add_optional(options, "port", l.p("#{scope}.port", nil))
diff --git a/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb b/jobs/cc_deployment_updater/templates/storage_cli_config_resource_pool.json.erb
@@ -46,10 +46,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = l.p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if l.p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = l.p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = l.p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", l.p("#{scope}.folder_name", nil))
   add_optional(options, "host", l.p("#{scope}.host", nil))
   add_optional(options, "port", l.p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_buildpacks.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_droplets.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_packages.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_clock/templates/storage_cli_config_resource_pool.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_buildpacks.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_droplets.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_packages.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_ng/templates/storage_cli_config_resource_pool.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_buildpacks.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_droplets.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_packages.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb b/jobs/cloud_controller_worker/templates/storage_cli_config_resource_pool.json.erb
@@ -44,10 +44,14 @@ end
 
 if provider == "AWS"
   options["provider"] = provider
-  options["access_key_id"] = p("#{scope}.aws_access_key_id")
-  options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
   options["bucket_name"] = p("#{scope}.bucket_name")
-  options["credentials_source"] = "static"
+  if p("#{scope}.use_iam_profile", false)
+    options["credentials_source"] = "env_or_profile"
+  else
+    options["credentials_source"] = "static"
+    options["access_key_id"] = p("#{scope}.aws_access_key_id")
+    options["secret_access_key"] = p("#{scope}.aws_secret_access_key")
+  end
   add_optional(options, "folder_name", p("#{scope}.folder_name", nil))
   add_optional(options, "host", p("#{scope}.host", nil))
   add_optional(options, "port", p("#{scope}.port", nil))
diff --git a/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb b/spec/cc_deployment_updater/storage_cli_config_jsons_spec.rb
diff --git a/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_clock/storage_cli_config_jsons_spec.rb
diff --git a/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_ng/storage_cli_config_jsons_spec.rb
diff --git a/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb b/spec/cloud_controller_worker/storage_cli_config_jsons_spec.rb
