omnibus 6.0.30 → 7.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (82) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile +2 -1
  3. data/README.md +24 -8
  4. data/Rakefile +1 -1
  5. data/lib/omnibus/build_version_dsl.rb +1 -0
  6. data/lib/omnibus/builder.rb +6 -5
  7. data/lib/omnibus/changelog_printer.rb +7 -4
  8. data/lib/omnibus/cleaner.rb +3 -0
  9. data/lib/omnibus/cli.rb +1 -1
  10. data/lib/omnibus/cli/changelog.rb +24 -24
  11. data/lib/omnibus/cli/publish.rb +5 -5
  12. data/lib/omnibus/compressor.rb +2 -2
  13. data/lib/omnibus/compressors/base.rb +1 -1
  14. data/lib/omnibus/compressors/dmg.rb +45 -7
  15. data/lib/omnibus/config.rb +12 -2
  16. data/lib/omnibus/fetchers/git_fetcher.rb +1 -0
  17. data/lib/omnibus/fetchers/net_fetcher.rb +2 -3
  18. data/lib/omnibus/file_syncer.rb +2 -2
  19. data/lib/omnibus/generator_files/README.md.erb +18 -15
  20. data/lib/omnibus/generator_files/config/software/preparation.rb.erb +1 -1
  21. data/lib/omnibus/generator_files/omnibus.rb.erb +5 -4
  22. data/lib/omnibus/health_check.rb +1 -1
  23. data/lib/omnibus/licensing.rb +3 -4
  24. data/lib/omnibus/logger.rb +2 -1
  25. data/lib/omnibus/manifest.rb +1 -1
  26. data/lib/omnibus/metadata.rb +2 -2
  27. data/lib/omnibus/packagers/appx.rb +1 -2
  28. data/lib/omnibus/packagers/base.rb +1 -0
  29. data/lib/omnibus/packagers/bff.rb +6 -8
  30. data/lib/omnibus/packagers/deb.rb +7 -10
  31. data/lib/omnibus/packagers/ips.rb +3 -6
  32. data/lib/omnibus/packagers/makeself.rb +1 -2
  33. data/lib/omnibus/packagers/msi.rb +12 -11
  34. data/lib/omnibus/packagers/pkg.rb +125 -9
  35. data/lib/omnibus/packagers/rpm.rb +11 -12
  36. data/lib/omnibus/packagers/solaris.rb +4 -4
  37. data/lib/omnibus/packagers/windows_base.rb +7 -6
  38. data/lib/omnibus/project.rb +1 -0
  39. data/lib/omnibus/publisher.rb +14 -12
  40. data/lib/omnibus/publishers/s3_publisher.rb +6 -4
  41. data/lib/omnibus/s3_cache.rb +3 -1
  42. data/lib/omnibus/s3_helpers.rb +6 -6
  43. data/lib/omnibus/software.rb +66 -30
  44. data/lib/omnibus/templating.rb +1 -1
  45. data/lib/omnibus/util.rb +3 -2
  46. data/lib/omnibus/version.rb +1 -1
  47. data/lib/omnibus/whitelist.rb +6 -1
  48. data/omnibus.gemspec +6 -6
  49. data/resources/rpm/signing.erb +7 -10
  50. data/spec/functional/builder_spec.rb +2 -1
  51. data/spec/functional/fetchers/file_fetcher_spec.rb +4 -4
  52. data/spec/functional/fetchers/git_fetcher_spec.rb +4 -4
  53. data/spec/functional/fetchers/net_fetcher_spec.rb +5 -6
  54. data/spec/functional/fetchers/path_fetcher_spec.rb +4 -4
  55. data/spec/functional/file_syncer_spec.rb +42 -0
  56. data/spec/functional/licensing_spec.rb +5 -5
  57. data/spec/support/examples.rb +3 -4
  58. data/spec/unit/builder_spec.rb +9 -9
  59. data/spec/unit/changelogprinter_spec.rb +8 -6
  60. data/spec/unit/compressor_spec.rb +3 -3
  61. data/spec/unit/compressors/dmg_spec.rb +43 -4
  62. data/spec/unit/fetchers/net_fetcher_spec.rb +16 -17
  63. data/spec/unit/health_check_spec.rb +2 -6
  64. data/spec/unit/library_spec.rb +2 -1
  65. data/spec/unit/manifest_diff_spec.rb +2 -2
  66. data/spec/unit/manifest_spec.rb +1 -1
  67. data/spec/unit/metadata_spec.rb +9 -11
  68. data/spec/unit/omnibus_spec.rb +1 -1
  69. data/spec/unit/packagers/bff_spec.rb +2 -2
  70. data/spec/unit/packagers/msi_spec.rb +2 -2
  71. data/spec/unit/packagers/pkg_spec.rb +354 -0
  72. data/spec/unit/packagers/pkgsrc_spec.rb +1 -1
  73. data/spec/unit/packagers/solaris_spec.rb +7 -7
  74. data/spec/unit/project_spec.rb +2 -2
  75. data/spec/unit/publisher_spec.rb +8 -9
  76. data/spec/unit/publishers/artifactory_publisher_spec.rb +2 -4
  77. data/spec/unit/publishers/s3_publisher_spec.rb +2 -4
  78. data/spec/unit/s3_cacher_spec.rb +19 -6
  79. data/spec/unit/s3_helpers_spec.rb +22 -3
  80. data/spec/unit/software_spec.rb +72 -42
  81. data/spec/unit/util_spec.rb +1 -2
  82. metadata +17 -11
@@ -44,8 +44,7 @@ module Omnibus
44
44
  maintainer: project.maintainer,
45
45
  build_version: project.build_version,
46
46
  package_name: project.package_name,
47
- }
48
- )
47
+ })
49
48
 
50
49
  # Render the welcome template
51
50
  render_template(resource_path("welcome.html.erb"),
@@ -56,8 +55,7 @@ module Omnibus
56
55
  maintainer: project.maintainer,
57
56
  build_version: project.build_version,
58
57
  package_name: project.package_name,
59
- }
60
- )
58
+ })
61
59
 
62
60
  # "Render" the assets
63
61
  copy_file(resource_path("background.png"), "#{resources_dir}/background.png")
@@ -66,6 +64,8 @@ module Omnibus
66
64
  build do
67
65
  write_scripts
68
66
 
67
+ sign_software_libs_and_bins
68
+
69
69
  build_component_pkg
70
70
 
71
71
  write_distribution_file
@@ -179,6 +179,67 @@ module Omnibus
179
179
  end
180
180
  end
181
181
 
182
+ def sign_software_libs_and_bins
183
+ if signing_identity
184
+ log.info(log_key) { "Finding libraries and binaries that require signing." }
185
+
186
+ bin_dirs = Set[]
187
+ lib_dirs = Set[]
188
+ binaries = Set[]
189
+ libraries = Set[]
190
+
191
+ # Capture lib_dirs and bin_dirs from each software
192
+ project.softwares.each do |software|
193
+ lib_dirs.merge(software.lib_dirs)
194
+ bin_dirs.merge(software.bin_dirs)
195
+ end
196
+
197
+ # Find all binaries in each bind_dir
198
+ bin_dirs.each do |dir|
199
+ binaries.merge Dir["#{dir}/*"]
200
+ end
201
+ # Filter out symlinks, non-files, and non-executables
202
+ log.debug(log_key) { " Filtering non-binary files:" }
203
+ binaries.select! { |bin| is_binary?(bin) }
204
+
205
+ # Use otool to find all libries that are used by our binaries
206
+ binaries.each do |bin|
207
+ libraries.merge find_linked_libs bin
208
+ end
209
+
210
+ # Find all libraries in each lib_dir and add any we missed with otool
211
+ lib_dirs.each do |dir|
212
+ libraries.merge Dir["#{dir}/*"]
213
+ end
214
+
215
+ # Filter Mach-O libraries and bundles
216
+ log.debug(log_key) { " Filtering non-library files:" }
217
+ libraries.select! { |lib| is_macho?(lib) }
218
+
219
+ # Use otool to find all libries that are used by our libraries
220
+ otool_libs = Set[]
221
+ libraries.each do |lib|
222
+ otool_libs.merge find_linked_libs lib
223
+ end
224
+
225
+ # Filter Mach-O libraries and bundles
226
+ otool_libs.select! { |lib| is_macho?(lib) }
227
+ libraries.merge otool_libs
228
+
229
+ log.info(log_key) { " Signing libraries:" } unless libraries.empty?
230
+ libraries.each do |library|
231
+ log.debug(log_key) { " Signing: #{library}" }
232
+ sign_library(library)
233
+ end
234
+
235
+ log.info(log_key) { " Signing binaries:" } unless binaries.empty?
236
+ binaries.each do |binary|
237
+ log.debug(log_key) { " Signing: #{binary}" }
238
+ sign_binary(binary, true)
239
+ end
240
+ end
241
+ end
242
+
182
243
  #
183
244
  # Construct the intermediate build product. It can be installed with the
184
245
  # Installer.app, but doesn't contain the data needed to customize the
@@ -187,16 +248,20 @@ module Omnibus
187
248
  # @return [void]
188
249
  #
189
250
  def build_component_pkg
190
- command = <<-EOH.gsub(/^ {8}/, "")
251
+ command = <<~EOH
191
252
  pkgbuild \\
192
253
  --identifier "#{safe_identifier}" \\
193
254
  --version "#{safe_version}" \\
194
255
  --scripts "#{scripts_dir}" \\
195
256
  --root "#{project.install_dir}" \\
196
257
  --install-location "#{project.install_dir}" \\
197
- "#{component_pkg}"
258
+ --preserve-xattr \\
198
259
  EOH
199
260
 
261
+ command << %Q{ --sign "#{signing_identity}" \\\n} if signing_identity
262
+ command << %Q{ "#{component_pkg}"}
263
+ command << %Q{\n}
264
+
200
265
  Dir.chdir(staging_dir) do
201
266
  shellout!(command)
202
267
  end
@@ -221,8 +286,7 @@ module Omnibus
221
286
  identifier: safe_identifier,
222
287
  version: safe_version,
223
288
  component_pkg: component_pkg,
224
- }
225
- )
289
+ })
226
290
  end
227
291
 
228
292
  #
@@ -232,7 +296,7 @@ module Omnibus
232
296
  # @return [void]
233
297
  #
234
298
  def build_product_pkg
235
- command = <<-EOH.gsub(/^ {8}/, "")
299
+ command = <<~EOH
236
300
  productbuild \\
237
301
  --distribution "#{staging_dir}/Distribution" \\
238
302
  --resources "#{resources_dir}" \\
@@ -323,5 +387,57 @@ module Omnibus
323
387
  converted
324
388
  end
325
389
  end
390
+
391
+ #
392
+ # Given a file path return any linked libraries.
393
+ #
394
+ # @param [String] file_path
395
+ # The path to a file
396
+ # @return [Array<String>]
397
+ # The linked libs
398
+ #
399
+ def find_linked_libs(file_path)
400
+ # Find all libaries for each bin
401
+ command = "otool -L #{file_path}"
402
+
403
+ stdout = shellout!(command).stdout
404
+ stdout.slice!(file_path)
405
+ stdout.scan(/#{install_dir}\S*/)
406
+ end
407
+
408
+ def sign_library(lib)
409
+ sign_binary(lib)
410
+ end
411
+
412
+ def sign_binary(bin, hardened_runtime = false)
413
+ command = "codesign -s '#{signing_identity}' '#{bin}'"
414
+ command << %q{ --options=runtime} if hardened_runtime
415
+ command << %Q{ --entitlements #{resource_path("entitlements.plist")}} if File.exist?(resource_path("entitlements.plist")) && hardened_runtime
416
+ ## Force re-signing to deal with binaries that have the same sha.
417
+ command << %q{ --force}
418
+ command << %Q{\n}
419
+
420
+ shellout!(command)
421
+ end
422
+
423
+ def is_binary?(bin)
424
+ is_binary = File.file?(bin) &&
425
+ File.executable?(bin) &&
426
+ !File.symlink?(bin)
427
+ log.debug(log_key) { " removing from signing: #{bin}" } unless is_binary
428
+ is_binary
429
+ end
430
+
431
+ def is_macho?(lib)
432
+ is_macho = false
433
+ if is_binary?(lib)
434
+ command = "file #{lib}"
435
+
436
+ stdout = shellout!(command).stdout
437
+ is_macho = stdout.match?(/Mach-O.*library/) || stdout.match?(/Mach-O.*bundle/)
438
+ end
439
+ log.debug(log_key) { " removing from signing: #{lib}" } unless is_macho
440
+ is_macho
441
+ end
326
442
  end
327
443
  end
@@ -243,7 +243,7 @@ module Omnibus
243
243
  if null?(val)
244
244
  @compression_type || :gzip
245
245
  else
246
- unless val.is_a?(Symbol) && [:gzip, :bzip2, :xz].member?(val)
246
+ unless val.is_a?(Symbol) && %i{gzip bzip2 xz}.member?(val)
247
247
  raise InvalidValue.new(:compression_type, "be a Symbol (:gzip, :bzip2, or :xz)")
248
248
  end
249
249
 
@@ -317,7 +317,7 @@ module Omnibus
317
317
  # @return [Array]
318
318
  #
319
319
  def filesystem_directories
320
- @filesystem_directories ||= IO.readlines(resource_path("filesystem_list")).map { |f| f.chomp }
320
+ @filesystem_directories ||= IO.readlines(resource_path("filesystem_list")).map(&:chomp)
321
321
  end
322
322
 
323
323
  #
@@ -356,7 +356,7 @@ module Omnibus
356
356
 
357
357
  # Get a list of all files
358
358
  files = FileSyncer.glob("#{build_dir}/**/*")
359
- .map { |path| build_filepath(path) }
359
+ .map { |path| build_filepath(path) }
360
360
 
361
361
  render_template(resource_path("spec.erb"),
362
362
  destination: spec_file,
@@ -383,8 +383,7 @@ module Omnibus
383
383
  build_dir: build_dir,
384
384
  platform_family: Ohai["platform_family"],
385
385
  compression: compression,
386
- }
387
- )
386
+ })
388
387
  end
389
388
 
390
389
  #
@@ -422,8 +421,8 @@ module Omnibus
422
421
  if signing_passphrase
423
422
  log.info(log_key) { "Signing enabled for .rpm file" }
424
423
 
425
- if File.exist?("#{ENV['HOME']}/.rpmmacros")
426
- log.info(log_key) { "Detected .rpmmacros file at `#{ENV['HOME']}'" }
424
+ if File.exist?("#{ENV["HOME"]}/.rpmmacros")
425
+ log.info(log_key) { "Detected .rpmmacros file at `#{ENV["HOME"]}'" }
427
426
  home = ENV["HOME"]
428
427
  else
429
428
  log.info(log_key) { "Using default .rpmmacros file from Omnibus" }
@@ -435,9 +434,8 @@ module Omnibus
435
434
  destination: "#{home}/.rpmmacros",
436
435
  variables: {
437
436
  gpg_name: project.maintainer,
438
- gpg_path: "#{ENV['HOME']}/.gnupg", # TODO: Make this configurable
439
- }
440
- )
437
+ gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable
438
+ })
441
439
  end
442
440
 
443
441
  command << " --sign"
@@ -466,11 +464,13 @@ module Omnibus
466
464
  def build_filepath(path)
467
465
  filepath = rpm_safe("/" + path.gsub("#{build_dir}/", ""))
468
466
  return if config_files.include?(filepath)
467
+
469
468
  full_path = build_dir + filepath.gsub("[%]", "%")
470
469
  # FileSyncer.glob quotes pathnames that contain spaces, which is a problem on el7
471
470
  full_path.delete!('"')
472
471
  # Mark directories with the %dir directive to prevent rpmbuild from counting their contents twice.
473
472
  return mark_filesystem_directories(filepath) if !File.symlink?(full_path) && File.directory?(full_path)
473
+
474
474
  filepath
475
475
  end
476
476
 
@@ -502,8 +502,7 @@ module Omnibus
502
502
  mode: 0700,
503
503
  variables: {
504
504
  passphrase: signing_passphrase,
505
- }
506
- )
505
+ })
507
506
 
508
507
  # Yield the destination to the block
509
508
  yield(destination)
@@ -76,7 +76,7 @@ module Omnibus
76
76
  # Generate a Prototype file for solaris build
77
77
  #
78
78
  def write_prototype_file
79
- shellout! "cd #{install_dirname} && find #{install_basename} -print > #{staging_dir_path('files')}"
79
+ shellout! "cd #{install_dirname} && find #{install_basename} -print > #{staging_dir_path("files")}"
80
80
 
81
81
  File.open staging_dir_path("files.clean"), "w+" do |fout|
82
82
  File.open staging_dir_path("files") do |fin|
@@ -100,10 +100,10 @@ module Omnibus
100
100
  end
101
101
 
102
102
  # generate the prototype's file list
103
- shellout! "cd #{install_dirname} && pkgproto < #{staging_dir_path('files.clean')} > #{staging_dir_path('Prototype.files')}"
103
+ shellout! "cd #{install_dirname} && pkgproto < #{staging_dir_path("files.clean")} > #{staging_dir_path("Prototype.files")}"
104
104
 
105
105
  # fix up the user and group in the file list to root
106
- shellout! "awk '{ $5 = \"root\"; $6 = \"root\"; print }' < #{staging_dir_path('Prototype.files')} >> #{staging_dir_path('Prototype')}"
106
+ shellout! "awk '{ $5 = \"root\"; $6 = \"root\"; print }' < #{staging_dir_path("Prototype.files")} >> #{staging_dir_path("Prototype")}"
107
107
  end
108
108
 
109
109
  #
@@ -139,7 +139,7 @@ module Omnibus
139
139
  # @return [void]
140
140
  #
141
141
  def create_solaris_file
142
- shellout! "pkgmk -o -r #{install_dirname} -d #{staging_dir} -f #{staging_dir_path('Prototype')}"
142
+ shellout! "pkgmk -o -r #{install_dirname} -d #{staging_dir} -f #{staging_dir_path("Prototype")}"
143
143
  shellout! "pkgchk -vd #{staging_dir} #{project.package_name}"
144
144
  shellout! "pkgtrans #{staging_dir} #{package_path} #{project.package_name}"
145
145
  end
@@ -59,11 +59,11 @@ module Omnibus
59
59
  raise InvalidValue.new(:params, "be a Hash")
60
60
  end
61
61
 
62
- valid_keys = [:store, :timestamp_servers, :machine_store, :algorithm]
62
+ valid_keys = %i{store timestamp_servers machine_store algorithm}
63
63
  invalid_keys = params.keys - valid_keys
64
64
  unless invalid_keys.empty?
65
- raise InvalidValue.new(:params, "contain keys from [#{valid_keys.join(', ')}]. "\
66
- "Found invalid keys [#{invalid_keys.join(', ')}]")
65
+ raise InvalidValue.new(:params, "contain keys from [#{valid_keys.join(", ")}]. "\
66
+ "Found invalid keys [#{invalid_keys.join(", ")}]")
67
67
  end
68
68
 
69
69
  if !params[:machine_store].nil? && !(
@@ -117,11 +117,11 @@ module Omnibus
117
117
  success = try_sign(package_file, ts)
118
118
  break if success
119
119
  end
120
- raise FailedToSignWindowsPackage.new if !success
120
+ raise FailedToSignWindowsPackage.new unless success
121
121
  end
122
122
 
123
123
  def try_sign(package_file, url)
124
- cmd = Array.new.tap do |arr|
124
+ cmd = [].tap do |arr|
125
125
  arr << "signtool.exe"
126
126
  arr << "sign /v"
127
127
  arr << "/t #{url}"
@@ -158,8 +158,9 @@ module Omnibus
158
158
  #
159
159
  def certificate_subject
160
160
  return "CN=#{project.package_name}" unless signing_identity
161
+
161
162
  store = machine_store? ? "LocalMachine" : "CurrentUser"
162
- cmd = Array.new.tap do |arr|
163
+ cmd = [].tap do |arr|
163
164
  arr << "powershell.exe"
164
165
  arr << "-ExecutionPolicy Bypass"
165
166
  arr << "-NoProfile"
@@ -1007,6 +1007,7 @@ module Omnibus
1007
1007
  #
1008
1008
  def dirty!(software)
1009
1009
  raise ProjectAlreadyDirty.new(self) if culprit
1010
+
1010
1011
  @culprit = software
1011
1012
  end
1012
1013
 
@@ -44,10 +44,10 @@ module Omnibus
44
44
  # mapping of build to publish platform(s)
45
45
  # @example
46
46
  # {
47
- # 'ubuntu-10.04' => [
48
- # 'ubuntu-10.04',
49
- # 'ubuntu-12.04',
50
- # 'ubuntu-14.04',
47
+ # 'ubuntu-10.04-x86_64' => [
48
+ # 'ubuntu-10.04-x86_64',
49
+ # 'ubuntu-12.04-x86_64',
50
+ # 'ubuntu-14.04-x86_64',
51
51
  # ],
52
52
  # }
53
53
  #
@@ -69,39 +69,41 @@ module Omnibus
69
69
  #
70
70
  def packages
71
71
  @packages ||= begin
72
- publish_packages = Array.new
72
+ publish_packages = []
73
73
  build_packages = FileSyncer.glob(@pattern).map { |path| Package.new(path) }
74
74
 
75
75
  if @options[:platform_mappings]
76
76
  # the platform map is a simple hash with publish to build platform mappings
77
77
  @options[:platform_mappings].each_pair do |build_platform, publish_platforms|
78
- # Splits `ubuntu-12.04` into `ubuntu` and `12.04`
79
- build_platform, build_platform_version = build_platform.rpartition("-") - %w{ - }
78
+ # Splits `ubuntu-12.04-x86_64` into `ubuntu`, `12.04` and `x86_64`
79
+ build_platform, build_platform_version, build_architecture = build_platform.split("-")
80
80
 
81
81
  # locate the package for the build platform
82
82
  packages = build_packages.select do |p|
83
83
  p.metadata[:platform] == build_platform &&
84
- p.metadata[:platform_version] == build_platform_version
84
+ p.metadata[:platform_version] == build_platform_version &&
85
+ p.metadata[:arch] == build_architecture
85
86
  end
86
87
 
87
88
  if packages.empty?
88
89
  log.warn(log_key) do
89
- "Could not locate a package for build platform #{build_platform}-#{build_platform_version}. " \
90
- "Publishing will be skipped for: #{publish_platforms.join(', ')}"
90
+ "Could not locate a package for build platform #{build_platform}-#{build_platform_version}-#{build_architecture}. " \
91
+ "Publishing will be skipped for: #{publish_platforms.join(", ")}"
91
92
  end
92
93
  end
93
94
 
94
95
  publish_platforms.each do |publish_platform|
95
- publish_platform, publish_platform_version = publish_platform.rpartition("-") - %w{ - }
96
+ publish_platform, publish_platform_version, publish_architecture = publish_platform.split("-")
96
97
 
97
98
  packages.each do |p|
98
99
  # create a copy of our package before mucking with its metadata
99
100
  publish_package = p.dup
100
101
  publish_metadata = p.metadata.dup.to_hash
101
102
 
102
- # override the platform and platform version in the metadata
103
+ # override the platform, platform version and architecture in the metadata
103
104
  publish_metadata[:platform] = publish_platform
104
105
  publish_metadata[:platform_version] = publish_platform_version
106
+ publish_metadata[:arch] = publish_architecture
105
107
 
106
108
  # Set the updated metadata on the package object
107
109
  publish_package.metadata = Metadata.new(publish_package, publish_metadata)
@@ -65,11 +65,13 @@ module Omnibus
65
65
  bucket_name: @options[:bucket],
66
66
  }
67
67
 
68
- if Config.publish_s3_profile
69
- config[:profile] = Config.publish_s3_profile
68
+ if Config.publish_s3_iam_role_arn
69
+ config[:publish_s3_iam_role_arn] = Config.publish_s3_iam_role_arn
70
+ elsif Config.publish_s3_profile
71
+ config[:profile] = Config.publish_s3_profile
70
72
  else
71
- config[:access_key_id] = Config.publish_s3_access_key
72
- config[:secret_access_key] = Config.publish_s3_secret_key
73
+ config[:access_key_id] = Config.publish_s3_access_key
74
+ config[:secret_access_key] = Config.publish_s3_secret_key
73
75
  end
74
76
 
75
77
  config
@@ -147,7 +147,9 @@ module Omnibus
147
147
  force_path_style: Config.s3_force_path_style,
148
148
  }
149
149
 
150
- if Config.s3_profile
150
+ if Config.s3_iam_role_arn
151
+ config[:iam_role_arn] = Config.s3_iam_role_arn
152
+ elsif Config.s3_profile
151
153
  config[:profile] = Config.s3_profile
152
154
  else
153
155
  config[:access_key_id] = Config.s3_access_key
@@ -53,10 +53,7 @@ module Omnibus
53
53
  # @return [Aws::S3::Resource]
54
54
  #
55
55
  def client
56
- Aws.config.update(
57
- region: s3_configuration[:region],
58
- credentials: get_credentials
59
- )
56
+ Aws.config.update(region: s3_configuration[:region])
60
57
 
61
58
  @s3_client ||= Aws::S3::Resource.new(resource_params)
62
59
  end
@@ -70,6 +67,7 @@ module Omnibus
70
67
  params = {
71
68
  use_accelerate_endpoint: s3_configuration[:use_accelerate_endpoint],
72
69
  force_path_style: s3_configuration[:force_path_style],
70
+ credentials: get_credentials,
73
71
  }
74
72
 
75
73
  if s3_configuration[:use_accelerate_endpoint]
@@ -84,12 +82,14 @@ module Omnibus
84
82
  end
85
83
 
86
84
  #
87
- # Create credentials object based on credential profile or access key
85
+ # Create credentials object based on AWS IAM role arn, credential profile or access key
88
86
  # parameters for use by the client object.
89
87
  #
90
88
  # @return [Aws::SharedCredentials, Aws::Credentials]
91
89
  def get_credentials
92
- if s3_configuration[:profile]
90
+ if s3_configuration[:iam_role_arn]
91
+ Aws::AssumeRoleCredentials.new(role_arn: s3_configuration[:iam_role_arn], role_session_name: "omnibus-assume-role-s3-access")
92
+ elsif s3_configuration[:profile]
93
93
  Aws::SharedCredentials.new(profile_name: s3_configuration[:profile])
94
94
  elsif s3_configuration[:access_key_id] && s3_configuration[:secret_access_key]
95
95
  Aws::Credentials.new(s3_configuration[:access_key_id], s3_configuration[:secret_access_key])