fix: streamline AWS session creation and improve error handling

Ash-exp · Ash-exp · commit 54c5450aedee · 2026-04-07T15:38:07.000+05:30
diff --git a/ci-runner/executor/util/envUtils.go b/ci-runner/executor/util/envUtils.go
@@ -19,13 +19,14 @@ package util
 import (
 	"encoding/json"
 	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
 	"github.com/caarlos0/env"
 	"github.com/devtron-labs/ci-runner/helper"
 	"github.com/devtron-labs/ci-runner/pubsub"
 	"github.com/devtron-labs/ci-runner/util"
-	"os"
-	"strconv"
-	"strings"
 )
 
 type ScriptEnvVariables struct {
@@ -96,6 +97,7 @@ func GetGlobalEnvVariables(ciCdRequest *helper.CiCdTriggerEvent) (*ScriptEnvVari
 		envs["ACCESS_KEY"] = ciCdRequest.CommonWorkflowRequest.AccessKey
 		envs["SECRET_KEY"] = ciCdRequest.CommonWorkflowRequest.SecretKey
 		envs["AWS_REGION"] = ciCdRequest.CommonWorkflowRequest.AwsRegion
+		envs["ASSUME_ROLE_ARN"] = ciCdRequest.CommonWorkflowRequest.AssumeRoleArn
 		envs["LAST_FETCHED_TIME"] = ciCdRequest.CommonWorkflowRequest.CiArtifactLastFetch.String()
 
 		//adding some envs for Image scanning plugin
diff --git a/ci-runner/helper/DockerHelper.go b/ci-runner/helper/DockerHelper.go
@@ -23,9 +23,21 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/aws/aws-sdk-go/service/sts"
@@ -39,18 +51,6 @@ import (
 	"github.com/devtron-labs/common-lib/utils/dockerOperations"
 	"github.com/devtron-labs/common-lib/utils/retryFunc"
 	"golang.org/x/sync/errgroup"
-	"io"
-	"io/ioutil"
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
 )
 
 const (
@@ -236,25 +236,22 @@ func (impl *DockerHelperImpl) DockerLogin(ciContext cicxt.CiContext, dockerCrede
 			accessKey, secretKey := dockerCredentials.AccessKey, dockerCredentials.SecretKey
 			//fmt.Printf("accessKey %s, secretKey %s\n", accessKey, secretKey)
 
-			var creds *credentials.Credentials
+			var sess *session.Session
+			var err error
 
-			if len(dockerCredentials.AccessKey) == 0 || len(dockerCredentials.SecretKey) == 0 {
-				//fmt.Println("empty accessKey or secretKey")
-				sess, err := session.NewSession(&aws.Config{
+			if len(accessKey) == 0 || len(secretKey) == 0 {
+				// Case 1: IAM role — use default credential chain (IRSA, instance profile, task role, env vars)
+				sess, err = session.NewSession(&aws.Config{
 					Region: &dockerCredentials.AwsRegion,
 				})
-				if err != nil {
-					log.Println(err)
-					return err
-				}
-				creds = ec2rolecreds.NewCredentials(sess)
 			} else {
-				creds = credentials.NewStaticCredentials(accessKey, secretKey, "")
+				// Case 2: Static credentials
+				creds := credentials.NewStaticCredentials(accessKey, secretKey, "")
+				sess, err = session.NewSession(&aws.Config{
+					Region:      &dockerCredentials.AwsRegion,
+					Credentials: creds,
+				})
 			}
-			sess, err := session.NewSession(&aws.Config{
-				Region:      &dockerCredentials.AwsRegion,
-				Credentials: creds,
-			})
 			if err != nil {
 				log.Println(err)
 				return err
diff --git a/common-lib/helmLib/registry/common.go b/common-lib/helmLib/registry/common.go
@@ -4,20 +4,20 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"fmt"
+	"log"
+	"math/rand"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/aws/aws-sdk-go/service/sts"
 	http2 "github.com/devtron-labs/common-lib/utils/http"
 	"helm.sh/helm/v3/pkg/registry"
-	"log"
-	"math/rand"
-	"net/http"
-	"net/url"
-	"os"
-	"strings"
 )
 
 func GetLoggedInClient(client *registry.Client, config *Configuration) (*registry.Client, error) {
@@ -96,26 +96,24 @@ func extractCredentialsForRegistry(config *Configuration) (string, string, error
 	}
 	if config.RegistryType == REGISTRY_TYPE_ECR {
 		accessKey, secretKey := config.AwsAccessKey, config.AwsSecretKey
-		var creds *credentials.Credentials
+		var sess *session.Session
+		var err error
 
-		if len(config.AwsAccessKey) == 0 || len(config.AwsSecretKey) == 0 {
-			sess, err := session.NewSession(&aws.Config{
+		if len(accessKey) == 0 || len(secretKey) == 0 {
+			// Case 1: IAM role — use default credential chain (IRSA, instance profile, task role, env vars)
+			sess, err = session.NewSession(&aws.Config{
 				Region: &config.AwsRegion,
 			})
-			if err != nil {
-				log.Printf("error in creating AWS client %w ", err)
-				return "", "", err
-			}
-			creds = ec2rolecreds.NewCredentials(sess)
 		} else {
-			creds = credentials.NewStaticCredentials(accessKey, secretKey, "")
+			// Case 2: Static credentials
+			creds := credentials.NewStaticCredentials(accessKey, secretKey, "")
+			sess, err = session.NewSession(&aws.Config{
+				Region:      &config.AwsRegion,
+				Credentials: creds,
+			})
 		}
-		sess, err := session.NewSession(&aws.Config{
-			Region:      &config.AwsRegion,
-			Credentials: creds,
-		})
 		if err != nil {
-			log.Printf("error in creating AWS client %w ", err)
+			log.Printf("error in creating AWS client %v ", err)
 			return "", "", err
 		}
 
@@ -149,14 +147,14 @@ func extractCredentialsForRegistry(config *Configuration) (string, string, error
 		input := &ecr.GetAuthorizationTokenInput{}
 		authData, err := svc.GetAuthorizationToken(input)
 		if err != nil {
-			log.Printf("error in creating AWS client %w ", err)
+			log.Printf("error in creating AWS client %v ", err)
 			return "", "", err
 		}
 		// decode token
 		token := authData.AuthorizationData[0].AuthorizationToken
 		decodedToken, err := base64.StdEncoding.DecodeString(*token)
 		if err != nil {
-			log.Printf("error in creating AWS client %w ", err)
+			log.Printf("error in creating AWS client %v ", err)
 			return "", "", err
 		}
 		credsSlice := strings.Split(string(decodedToken), ":")
diff --git a/common-lib/utils/registry/bean.go b/common-lib/utils/registry/bean.go
@@ -25,4 +25,5 @@ type RegistryCredential struct {
 	AWSAccessKeyId     string   `json:"awsAccessKeyId,omitempty"`
 	AWSSecretAccessKey string   `json:"awsSecretAccessKey,omitempty"`
 	AWSRegion          string   `json:"awsRegion,omitempty"`
+	AssumeRoleArn      string   `json:"assumeRoleArn,omitempty"`
 }
diff --git a/common-lib/utils/registry/extractCredentials.go b/common-lib/utils/registry/extractCredentials.go
@@ -3,12 +3,13 @@ package registry
 import (
 	"encoding/base64"
 	"fmt"
+	"strings"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
-	"strings"
+	"github.com/aws/aws-sdk-go/service/sts"
 )
 
 func ExtractCredentialsForRegistry(registryCredential *RegistryCredential) (string, string, error) {
@@ -24,28 +25,53 @@ func ExtractCredentialsForRegistry(registryCredential *RegistryCredential) (stri
 	}
 	if registryCredential.RegistryType == DOCKER_REGISTRY_TYPE_ECR {
 		accessKey, secretKey := registryCredential.AWSAccessKeyId, registryCredential.AWSSecretAccessKey
-		var creds *credentials.Credentials
+		var sess *session.Session
+		var err error
 
-		if len(registryCredential.AWSAccessKeyId) == 0 || len(registryCredential.AWSSecretAccessKey) == 0 {
-			sess, err := session.NewSession(&aws.Config{
+		if len(accessKey) == 0 || len(secretKey) == 0 {
+			// Case 1: IAM role — use default credential chain (IRSA, instance profile, task role, env vars)
+			sess, err = session.NewSession(&aws.Config{
 				Region: &registryCredential.AWSRegion,
 			})
-			if err != nil {
-				fmt.Printf("Error in creating AWS client", "err", err)
-				return "", "", err
-			}
-			creds = ec2rolecreds.NewCredentials(sess)
 		} else {
-			creds = credentials.NewStaticCredentials(accessKey, secretKey, "")
+			// Case 2: Static credentials
+			creds := credentials.NewStaticCredentials(accessKey, secretKey, "")
+			sess, err = session.NewSession(&aws.Config{
+				Region:      &registryCredential.AWSRegion,
+				Credentials: creds,
+			})
 		}
-		sess, err := session.NewSession(&aws.Config{
-			Region:      &registryCredential.AWSRegion,
-			Credentials: creds,
-		})
 		if err != nil {
 			fmt.Println("Error in creating AWS client session", "err", err)
 			return "", "", err
 		}
+
+		// Case 3: AssumeRole (cross-account) — layered on top of Case 1 or 2
+		if len(registryCredential.AssumeRoleArn) > 0 {
+			stsClient := sts.New(sess)
+			assumeOutput, err := stsClient.AssumeRole(&sts.AssumeRoleInput{
+				RoleArn:         aws.String(registryCredential.AssumeRoleArn),
+				RoleSessionName: aws.String("devtron-ecr-cross-account"),
+			})
+			if err != nil {
+				fmt.Printf("Error in assuming role %s: %v", registryCredential.AssumeRoleArn, err)
+				return "", "", err
+			}
+			assumedCreds := credentials.NewStaticCredentials(
+				*assumeOutput.Credentials.AccessKeyId,
+				*assumeOutput.Credentials.SecretAccessKey,
+				*assumeOutput.Credentials.SessionToken,
+			)
+			sess, err = session.NewSession(&aws.Config{
+				Region:      &registryCredential.AWSRegion,
+				Credentials: assumedCreds,
+			})
+			if err != nil {
+				fmt.Println("Error in creating AWS session with assumed role credentials", "err", err)
+				return "", "", err
+			}
+		}
+
 		svc := ecr.New(sess)
 		input := &ecr.GetAuthorizationTokenInput{}
 		authData, err := svc.GetAuthorizationToken(input)
diff --git a/image-scanner/pkg/klarService/KlarService.go b/image-scanner/pkg/klarService/KlarService.go
@@ -18,9 +18,10 @@ package klarService
 
 import (
 	"fmt"
+	"strings"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
 	bean2 "github.com/devtron-labs/common-lib/imageScan/bean"
@@ -29,18 +30,20 @@ import (
 	"github.com/devtron-labs/image-scanner/pkg/security"
 	"github.com/devtron-labs/image-scanner/pkg/sql/bean"
 	"github.com/devtron-labs/image-scanner/pkg/sql/repository"
-	"strings"
 
 	"errors"
+
+	"time"
+
 	"github.com/caarlos0/env/v6"
+
 	/*"github.com/devtron-labs/image-scanner/client"*/
 	/*"github.com/devtron-labs/image-scanner/client"*/
 	"github.com/devtron-labs/image-scanner/pkg/grafeasService"
 	"github.com/optiopay/klar/clair"
 	"github.com/optiopay/klar/docker"
 	"go.uber.org/zap"
 	"golang.org/x/oauth2/google"
-	"time"
 )
 
 type KlarConfig struct {
@@ -114,23 +117,21 @@ func (impl *KlarServiceImpl) Process(scanEvent *bean2.ImageScanEvent, executionH
 	tokenAddr := &tokenData
 	if dockerRegistry.RegistryType == repository.REGISTRYTYPE_ECR {
 		accessKey, secretKey := dockerRegistry.AWSAccessKeyId, dockerRegistry.AWSSecretAccessKey.String()
-		var creds *credentials.Credentials
-		if len(dockerRegistry.AWSAccessKeyId) == 0 || len(dockerRegistry.AWSSecretAccessKey) == 0 {
-			sess, err := session.NewSession(&aws.Config{
+		var sess *session.Session
+		var err error
+		if len(accessKey) == 0 || len(secretKey) == 0 {
+			// Case 1: IAM role — use default credential chain (IRSA, instance profile, task role, env vars)
+			sess, err = session.NewSession(&aws.Config{
 				Region: &dockerRegistry.AWSRegion,
 			})
-			if err != nil {
-				impl.logger.Errorw("error in starting aws new session", "err", err)
-				return nil, err
-			}
-			creds = ec2rolecreds.NewCredentials(sess)
 		} else {
-			creds = credentials.NewStaticCredentials(accessKey, secretKey, "")
+			// Case 2: Static credentials
+			creds := credentials.NewStaticCredentials(accessKey, secretKey, "")
+			sess, err = session.NewSession(&aws.Config{
+				Region:      &dockerRegistry.AWSRegion,
+				Credentials: creds,
+			})
 		}
-		sess, err := session.NewSession(&aws.Config{
-			Region:      &dockerRegistry.AWSRegion,
-			Credentials: creds,
-		})
 		if err != nil {
 			impl.logger.Errorw("error in starting aws new session", "err", err)
 			return nil, err
diff --git a/image-scanner/pkg/roundTripper/RoundTripperService.go b/image-scanner/pkg/roundTripper/RoundTripperService.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/aws/aws-sdk-go/service/sts"
@@ -116,23 +115,21 @@ func (impl *RoundTripperServiceImpl) GetAuthenticatorByDockerRegistryId(dockerRe
 	}
 	if dockerRegistry.RegistryType == repository.REGISTRYTYPE_ECR {
 		accessKey, secretKey := dockerRegistry.AWSAccessKeyId, dockerRegistry.AWSSecretAccessKey.String()
-		var creds *credentials.Credentials
-		if len(dockerRegistry.AWSAccessKeyId) == 0 || len(dockerRegistry.AWSSecretAccessKey) == 0 {
-			sess, err := session.NewSession(&aws.Config{
+		var sess *session.Session
+		var err error
+		if len(accessKey) == 0 || len(secretKey) == 0 {
+			// Case 1: IAM role — use default credential chain (IRSA, instance profile, task role, env vars)
+			sess, err = session.NewSession(&aws.Config{
 				Region: &dockerRegistry.AWSRegion,
 			})
-			if err != nil {
-				impl.Logger.Errorw("error in starting aws new session", "err", err)
-				return nil, nil, err
-			}
-			creds = ec2rolecreds.NewCredentials(sess)
 		} else {
-			creds = credentials.NewStaticCredentials(accessKey, secretKey, "")
+			// Case 2: Static credentials
+			creds := credentials.NewStaticCredentials(accessKey, secretKey, "")
+			sess, err = session.NewSession(&aws.Config{
+				Region:      &dockerRegistry.AWSRegion,
+				Credentials: creds,
+			})
 		}
-		sess, err := session.NewSession(&aws.Config{
-			Region:      &dockerRegistry.AWSRegion,
-			Credentials: creds,
-		})
 		if err != nil {
 			impl.Logger.Errorw("error in starting aws new session", "err", err)
 			return nil, nil, err

Original file line number	Diff line number	Diff line change
`@@ -25,4 +25,5 @@ type RegistryCredential struct {`
`25`	`25`	AWSAccessKeyId string `json:"awsAccessKeyId,omitempty"`
`26`	`26`	AWSSecretAccessKey string `json:"awsSecretAccessKey,omitempty"`
`27`	`27`	AWSRegion string `json:"awsRegion,omitempty"`
	`28`	+ AssumeRoleArn string `json:"assumeRoleArn,omitempty"`
`28`	`29`	`}`