Config.SkipMetadataApiCheck No Longer Working When Only EC2 Metadata Credentials #43

Closed
bflad opened this issue Jun 3, 2020 · 0 comments · Fixed by #44
bflad commented Jun 3, 2020

Environment and Versions

  • Terraform Executor: EC2 Instance
    • If outside Terraform Cloud/Enterprise, which operating system and version: All
  • Terraform CLI version: Unreleased
  • Terraform AWS Provider version: Unreleased
  • Terraform Backend/Provider Configuration:

```hcl
terraform {
  backend "s3" {
    # ... other configuration ...
    skip_metadata_api_check = true
  }
}

provider "aws" {
  # ... other configuration ...
  skip_metadata_api_check = true
}
```
  • AWS environment variables (if any): None

  • AWS configuration files (if any): None

Expected Behavior

The EC2 Metadata API is never called and those credentials are never returned when Config.SkipMetadataApiCheck is enabled. It should return the no valid credentials error.

Actual Behavior

The EC2 Metadata API is called and those credentials are returned.

Steps to Reproduce

```go
// Additional test case in TestGetSession()
{
	Config: &Config{
		Region:               "us-east-1",
		SkipMetadataApiCheck: true,
	},
	Description:             "skip EC2 metadata API check",
	EnableEc2MetadataServer: true,
	ExpectedError: func(err error) bool {
		// TODO: https://github.com/hashicorp/aws-sdk-go-base/pull/42
		return err.Error() == errMsgNoValidCredentialSources
	},
	ExpectedRegion: "us-east-1",
},
```

Debug Output

```text
2020/06/03 10:37:16 [INFO] Attempting to use session-derived credentials
2020/06/03 10:37:16 [INFO] Setting custom EC2 metadata endpoint: http://127.0.0.1:65336/latest
2020/06/03 10:37:16 [DEBUG] Mock EC2 metadata server received request: /latest/meta-data/iam/security-credentials/
2020/06/03 10:37:16 [DEBUG] Mock EC2 metadata server received request: /latest/meta-data/iam/security-credentials/test_role
2020/06/03 10:37:16 [INFO] Successfully derived credentials from session
2020/06/03 10:37:16 [INFO] AWS Auth provider used: "EC2RoleProvider"
2020/06/03 10:37:16 [INFO] Setting custom STS endpoint: http://127.0.0.1:65337
2020/06/03 10:37:16 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2020/06/03 10:37:16 [DEBUG] Mock EC2 metadata server received request: /latest/meta-data/iam/security-credentials/
2020/06/03 10:37:16 [DEBUG] Mock EC2 metadata server received request: /latest/meta-data/iam/security-credentials/test_role
2020/06/03 10:37:16 [DEBUG] Received STS API "POST" request to "/": Action=GetCallerIdentity&Version=2011-06-15
--- FAIL: TestGetSession (0.00s)
    --- FAIL: TestGetSession/skip_EC2_metadata_API_check (0.00s)
        session_test.go:1030: unexpected GetSession() error: error validating provider credentials: error calling sts:GetCallerIdentity: :
            	status code: 400, request id:
```

Fix Proposal

  • Set the AWS_EC2_METADATA_DISABLED=true environment variable if Config.SkipMetadataApiCheck is set, at the beginning of GetSession():

```go
if c.SkipMetadataApiCheck {
	os.Setenv("AWS_EC2_METADATA_DISABLED", "true")
}
```

  • Remove GetCredentialsFromMetadata() entirely -- it's now superseded by the default AWS Go SDK credential handling. Its endpoint customization was already migrated to endpoints.Resolver and the AWS_METADATA_TIMEOUT customization is extraneous.
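The fix proposal above, worked through as an added stand-alone example that is not code from aws-sdk-go-base or the AWS SDK: `Config`, `GetSession` and `ec2RoleCredentials` are minimal stand-ins written here, and the toy provider assumes, as the proposal does, that the SDK's EC2 role provider never contacts the endpoint when `AWS_EC2_METADATA_DISABLED=true`. A counting mock metadata server, modelled on the one in the debug output, shows the endpoint is hit when the flag is off and untouched when it is on.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"sync/atomic"
)

// Config is a minimal stand-in (assumption) for the aws-sdk-go-base field under discussion.
type Config struct {
	SkipMetadataApiCheck bool
}

var errNoValidCredentialSources = errors.New("no valid credential sources found")

// ec2RoleCredentials models the SDK's EC2 role provider: when
// AWS_EC2_METADATA_DISABLED=true it returns the no-credentials error without
// ever touching the endpoint (assumed SDK behaviour, see lead-in).
func ec2RoleCredentials(endpoint string) (string, error) {
	if strings.EqualFold(os.Getenv("AWS_EC2_METADATA_DISABLED"), "true") {
		return "", errNoValidCredentialSources
	}
	resp, err := http.Get(endpoint + "/latest/meta-data/iam/security-credentials/test_role")
	if err != nil {
		return "", errNoValidCredentialSources
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body), nil
}

// GetSession applies the fix proposal: translate the config flag into the
// environment variable before any credential provider runs. The variable is
// process-wide, which is exactly what makes the SDK's own chain honour the flag.
func GetSession(c *Config, metadataEndpoint string) (string, error) {
	if c.SkipMetadataApiCheck {
		os.Setenv("AWS_EC2_METADATA_DISABLED", "true")
	}
	return ec2RoleCredentials(metadataEndpoint)
}

// newMockMetadataServer is a constructed fixture mimicking the issue's mock
// server; it counts every request that reaches it.
func newMockMetadataServer(hits *int32) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(hits, 1)
		io.WriteString(w, `{"AccessKeyId":"AKIAMOCKKEY","SecretAccessKey":"mock"}`)
	}))
}
```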

References

@bflad bflad added the bug Something isn't working label Jun 3, 2020
@bflad bflad added this to the v0.5.0 milestone Jun 3, 2020
@bflad bflad self-assigned this Jun 3, 2020
bflad added a commit that referenced this issue Jun 3, 2020
…Metadata

Reference: #43

`GetCredentialsFromMetadata` is superseded by default AWS Go SDK credential handling, which is now called beforehand.
@bflad bflad closed this as completed in #44 Jun 4, 2020
bflad added a commit that referenced this issue Jun 4, 2020
…Metadata (#44)

Reference: #43

`GetCredentialsFromMetadata` is superseded by default AWS Go SDK credential handling, which is now called beforehand.