From 70f616fbc20ff20a1600e699a3dd09ea5cf295b8 Mon Sep 17 00:00:00 2001
From: Webb Barker
Date: Mon, 21 Sep 2020 15:35:34 -0400
Subject: [PATCH] Removes manual EC2 and ECS credential chain logic and simplifies session fallback logic to enable loading credentials from AWS config file
---
 config.go | 68 +++++++++++++++++--------------------------------------
 1 file changed, 21 insertions(+), 47 deletions(-)
diff --git a/config.go b/config.go
index 80ee1cf0..e4067a55 100644
--- a/config.go
+++ b/config.go
@@ -4,21 +4,14 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"os"
 	"strings"
-	"time"
-
-	"github.com/hashicorp/go-cleanhttp"
 
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
-	"github.com/aws/aws-sdk-go/aws/defaults"
-	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 
 	"github.com/Cox-Automotive/alks-go"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
 )
@@ -52,9 +45,6 @@ func getCredentials(c *Config) *credentials.Credentials {
 	// Follow the same priority as the AWS Terraform Provider
 	// https://www.terraform.io/docs/providers/aws/#authentication
 
-	// needed for the EC2MetaData service
-	sess := session.Must(session.NewSession())
-
 	providers := []credentials.Provider{
 		&credentials.StaticProvider{Value: credentials.Value{
 			AccessKeyID: c.AccessKey,
@@ -66,21 +56,6 @@ func getCredentials(c *Config) *credentials.Credentials {
 			Filename: c.CredsFilename,
 			Profile:  c.Profile,
 		},
-		&ec2rolecreds.EC2RoleProvider{
-			Client: ec2metadata.New(sess),
-		},
-	}
-
-	// Check for ECS container, for more details see:
-	// https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
-	if uri := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"); len(uri) > 0 {
-		client := cleanhttp.DefaultClient()
-		client.Timeout = 100 * time.Millisecond
-		cfg := &aws.Config{
-			HTTPClient: client,
-		}
-
-		providers = append(providers, defaults.RemoteCredProvider(*cfg, defaults.Handlers()))
 	}
 
 	return credentials.NewChainCredentials(providers)
@@ -89,35 +64,30 @@ func getCredentials(c *Config) *credentials.Credentials {
 func getCredentialsFromSession(c *Config) (*credentials.Credentials, error) {
 	var sess *session.Session
 	var err error
-	if c.Profile == "" {
-		sess, err = session.NewSession()
-		if err != nil {
-			return nil, ErrNoValidCredentialSources
-		}
-	} else {
-		options := &session.Options{
-			Config: aws.Config{
-				HTTPClient: cleanhttp.DefaultClient(),
-				MaxRetries: aws.Int(0),
-				Region:     aws.String("us-east-1"),
-			},
-		}
-		options.Profile = c.Profile
-		options.SharedConfigState = session.SharedConfigEnable
+	options := &session.Options{
+		Config: aws.Config{
+			MaxRetries: aws.Int(0),
+			Region:     aws.String("us-east-1"),
+		},
+	}
+	options.Profile = c.Profile
+	options.SharedConfigState = session.SharedConfigEnable
 
-		sess, err = session.NewSessionWithOptions(*options)
-		if err != nil {
-			if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
-				return nil, ErrNoValidCredentialSources
-			}
-			return nil, fmt.Errorf("Error creating AWS session: %s", err)
+	sess, err = session.NewSessionWithOptions(*options)
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
+			return nil, ErrNoValidCredentialSources
 		}
+		return nil, fmt.Errorf("Error creating AWS session: %s", err)
 	}
 
 	creds := sess.Config.Credentials
-	_, err = sess.Config.Credentials.Get()
+	cp, err := sess.Config.Credentials.Get()
 	if err != nil {
 		return nil, ErrNoValidCredentialSources
 	}
+
+	log.Printf("[DEBUG] Got session credentials from provider: %s\n", cp.ProviderName)
+
 	return creds, nil
 }
@@ -129,6 +99,10 @@ func (c *Config) Client() (*alks.Client, error) {
 	creds := getCredentials(c)
 	cp, cpErr := creds.Get()
 
+	if cpErr == nil {
+		log.Printf("[DEBUG] Got credentials from provider: %s\n", cp.ProviderName)
+	}
+
 	// validate we have credentials
 	if cpErr != nil {
 		if awsErr, ok := cpErr.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
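Review bot: With the `if c.Profile == ""` branch gone, the `var sess *session.Session` / `var err error` pre-declarations and the `&session.Options{...}` / `*options` indirection at the top of getCredentialsFromSession are leftovers; `options := session.Options{...}` followed by `sess, err := session.NewSessionWithOptions(options)` reads cleaner, and the later `cp, err :=` still compiles because `cp` is new in that scope. The relocated `return nil, fmt.Errorf("Error creating AWS session: %s", err)` keeps `%s`, which flattens the underlying `awserr.Error` so callers cannot recover it with `errors.As`; `%w` would preserve it. The trailing `\n` in the new `log.Printf` line is redundant, since log appends a newline itself. Logging only `cp.ProviderName` and not the rest of the credentials value is the right choice for a debug line.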
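Review bot: The new `if cpErr == nil { ... }` block in Client() sits directly above the existing `if cpErr != nil {` validation, so the same error is tested twice back to back; placing the debug line after the validation block drops the guard entirely: `log.Printf("[DEBUG] Got credentials from provider: %s", cp.ProviderName)`. As in getCredentialsFromSession, the trailing `\n` is redundant with log.Printf. Client() starts before this hunk and the validation block continues past it.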