Merge branch 'feature/fix-cred-chain' of ssh://github.com/nkupton/aws…

…-sdk-go-base into nkupton-feature/fix-cred-chain
hashicorp · Jun 2, 2020 · 5481b4a · 5481b4a
2 parents e5e6d0b + 8f129f8
commit 5481b4a
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 19 deletions.
diff --git a/awsauth.go b/awsauth.go
@@ -220,24 +220,11 @@ func GetCredentialsFromSession(c *Config) (*awsCredentials.Credentials, error) {
 	return creds, nil
 }
 
-// GetCredentials gets credentials from the environment, shared credentials,
-// or the session (which may include a credential process). GetCredentials also
-// validates the credentials and the ability to assume a role or will return an
-// error if unsuccessful.
-func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
-	// build a chain provider, lazy-evaluated by aws-sdk
-	providers := []awsCredentials.Provider{
-		&awsCredentials.StaticProvider{Value: awsCredentials.Value{
-			AccessKeyID:     c.AccessKey,
-			SecretAccessKey: c.SecretKey,
-			SessionToken:    c.Token,
-		}},
-		&awsCredentials.EnvProvider{},
-		&awsCredentials.SharedCredentialsProvider{
-			Filename: c.CredsFilename,
-			Profile:  c.Profile,
-		},
-	}
+// GetCredentialsFromMetadata returns credentials derived from and ECS or ECS
+// metadata endpoint.
+func GetCredentialsFromMetadata(c *Config) (*awsCredentials.Credentials, error) {
+	log.Printf("[INFO] Attempting to use metadata-derived credentials")
+	providers := []awsCredentials.Provider{}
 
 	// Build isolated HTTP client to avoid issues with globally-shared settings
 	client := cleanhttp.DefaultClient()
@@ -296,14 +283,51 @@ func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
 		}
 	}
 
+	// Validate the credentials before returning them
+	creds := awsCredentials.NewChainCredentials(providers)
+	cp, err := creds.Get()
+	if err != nil {
+		if IsAWSErr(err, "NoCredentialProviders", "") {
+			return nil, ErrNoValidCredentialSources
+		}
+		return nil, fmt.Errorf("Error deriving credentials from metadata: %s", err)
+	}
+
+	log.Printf("[INFO] Successfully derived credentials from metadata")
+	log.Printf("[INFO] AWS Auth provider used: %q", cp.ProviderName)
+	return creds, nil
+}
+
+// GetCredentials gets credentials from the environment, shared credentials,
+// the session (which may include a credential process), or ECS/EC2 metadata endpoints.
+// GetCredentials also validates the credentials and the ability to assume a role
+// or will return an error if unsuccessful.
+func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
+	// build a chain provider, lazy-evaluated by aws-sdk
+	providers := []awsCredentials.Provider{
+		&awsCredentials.StaticProvider{Value: awsCredentials.Value{
+			AccessKeyID:     c.AccessKey,
+			SecretAccessKey: c.SecretKey,
+			SessionToken:    c.Token,
+		}},
+		&awsCredentials.EnvProvider{},
+		&awsCredentials.SharedCredentialsProvider{
+			Filename: c.CredsFilename,
+			Profile:  c.Profile,
+		},
+	}
+
 	// Validate the credentials before returning them
 	creds := awsCredentials.NewChainCredentials(providers)
 	cp, err := creds.Get()
 	if err != nil {
 		if IsAWSErr(err, "NoCredentialProviders", "") {
 			creds, err = GetCredentialsFromSession(c)
 			if err != nil {
-				return nil, err
+				creds, err = GetCredentialsFromMetadata(c)
+				if err != nil {
+					return nil, err
+				}
 			}
 		} else {
 			return nil, fmt.Errorf("Error loading credentials for AWS Provider: %w", err)

diff --git a/session.go b/session.go
@@ -35,6 +35,7 @@ func GetSessionOptions(c *Config) (*session.Options, error) {
 			MaxRetries:       aws.Int(0),
 			Region:           aws.String(c.Region),
 		},
+		Profile: c.Profile,
 	}
 
 	// get and validate credentials