From 774cd1e9a2bb2c2baa23be1135ce42f541170d6d Mon Sep 17 00:00:00 2001
From: xibz
Date: Tue, 9 Oct 2018 13:42:55 -0700
Subject: [PATCH] adding session error if values aren't properly configured for web identity

---
 .../stscreds/web_identity_provider.go | 15 +++-------
 .../stscreds/web_identity_provider_test.go | 30 ++-----------------
 aws/session/session.go | 8 +++++
 3 files changed, 14 insertions(+), 39 deletions(-)

diff --git a/aws/credentials/stscreds/web_identity_provider.go b/aws/credentials/stscreds/web_identity_provider.go
index e45b96331de..b332b2093fc 100644
--- a/aws/credentials/stscreds/web_identity_provider.go
+++ b/aws/credentials/stscreds/web_identity_provider.go
@@ -18,6 +18,9 @@ const (
 // ErrCodeWebIdentityRetrievalErr will be used as an error code when constructing
 // a new error to be returned during Retrieve.
 ErrCodeWebIdentityRetrievalErr = "WebIdentityRetrievalErr"
+
+ // WebIdentityProviderName is the web identity provider name
+ WebIdentityProviderName = "WebIdentityCredentials"
 )
 
 // now is used to return a time.Time object representing
@@ -59,21 +62,10 @@ func NewWebIdentityRoleProvider(svc stsiface.STSAPI, roleARN, roleSessionName, p
 }
 }
 
-var emptyTokenFilePathErr = awserr.New(ErrCodeWebIdentityRetrievalErr, "token file path is not set", nil)
-var emptyRoleARNErr = awserr.New(ErrCodeWebIdentityRetrievalErr, "role ARN is not set", nil)
-
 // Retrieve will attempt to assume a role from a token which is located at
 // 'WebIdentityTokenFilePath' specified destination and if that is empty an
 // error will be returned.
 func (p *WebIdentityRoleProvider) Retrieve() (credentials.Value, error) {
- if len(p.tokenFilePath) == 0 {
- return credentials.Value{}, emptyTokenFilePathErr
- }
-
- if len(p.roleARN) == 0 {
- return credentials.Value{}, emptyRoleARNErr
- }
-
 b, err := ioutil.ReadFile(p.tokenFilePath)
 if err != nil {
 errMsg := fmt.Sprintf("unabled to read file at %s", p.tokenFilePath)
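Review bot: Removing the two guards at the top of Retrieve leaves the exported constructor NewWebIdentityRoleProvider, which takes roleARN and the token path as plain strings, with no validation of its own: a caller that builds the provider directly (not via aws/session) and passes an empty role ARN now reaches the AssumeRoleWithWebIdentity call with RoleArn unset, and an empty token path only fails inside ioutil.ReadFile with the generic "unabled to read file at" message, so the dedicated ErrCodeWebIdentityRetrievalErr is lost for that path. I would keep the ARN check here so the session-level check is defence in depth rather than the only one, `if len(p.roleARN) == 0 { return credentials.Value{}, awserr.New(ErrCodeWebIdentityRetrievalErr, "role ARN is not set", nil) }`, or move both checks into the constructor and document that it rejects empty inputs. The doc comment above Retrieve still promises an error for an empty path, which now holds only because ReadFile("") fails; the typo `unabled` in the retained line could be fixed while this function is being touched. Retrieve's body continues past the end of the hunk.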
@@ -101,6 +93,7 @@ func (p *WebIdentityRoleProvider) Retrieve() (credentials.Value, error) {
 AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId),
 SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey),
 SessionToken: aws.StringValue(resp.Credentials.SessionToken),
+ ProviderName: WebIdentityProviderName,
 }
 return value, nil
 }
diff --git a/aws/credentials/stscreds/web_identity_provider_test.go b/aws/credentials/stscreds/web_identity_provider_test.go
index e37d1bf240f..56af30ea69c 100644
--- a/aws/credentials/stscreds/web_identity_provider_test.go
+++ b/aws/credentials/stscreds/web_identity_provider_test.go
@@ -1,3 +1,5 @@
+// +build go1.7
+
 package stscreds
 
 import (
@@ -38,34 +40,6 @@ func TestWebIdentityProviderRetrieve(t *testing.T) {
 expectedError error
 expectedCredValue credentials.Value
 }{
- {
- name: "no role arn",
- tokenFilepath: "foo/bar",
- mockSTS: &mockSTS{
- AssumeRoleWithWebIdentityFn: func(input *sts.AssumeRoleWithWebIdentityInput) (*sts.AssumeRoleWithWebIdentityOutput, error) {
- if e, a := fmt.Sprintf("%d", now().UnixNano()), *input.RoleSessionName; !reflect.DeepEqual(e, a) {
- t.Errorf("expected %v, but received %v", e, a)
- }
-
- return &sts.AssumeRoleWithWebIdentityOutput{}, nil
- },
- },
- expectedError: emptyRoleARNErr,
- },
- {
- name: "no token file path",
- roleARN: "arn",
- mockSTS: &mockSTS{
- AssumeRoleWithWebIdentityFn: func(input *sts.AssumeRoleWithWebIdentityInput) (*sts.AssumeRoleWithWebIdentityOutput, error) {
- if e, a := fmt.Sprintf("%d", now().UnixNano()), *input.RoleSessionName; !reflect.DeepEqual(e, a) {
- t.Errorf("expected %v, but received %v", e, a)
- }
-
- return &sts.AssumeRoleWithWebIdentityOutput{}, nil
- },
- },
- expectedError: emptyTokenFilePathErr,
- },
 {
 name: "session name case",
 roleARN: "arn",
diff --git a/aws/session/session.go b/aws/session/session.go
index 109591057a4..a4024a2739c 100644
--- a/aws/session/session.go
+++ b/aws/session/session.go
@@ -284,6 +284,10 @@ func Must(sess *Session, err error) *Session {
 return sess
 }
 
+// WebIdentityEmptyRoleARNErr will occur if 'AWS_WEB_IDENTITY_TOKEN_FILE' was set but
+// 'AWS_IAM_ROLE_ARN' was not set.
+var WebIdentityEmptyRoleARNErr = awserr.New(ErrCodeWebIdentityRetrievalErr, "role ARN is not set", nil)
+
 func deprecatedNewSession(cfgs ...*aws.Config) *Session {
 cfg := defaults.Config()
 handlers := defaults.Handlers()
@@ -444,6 +448,10 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share
 } else if len(envCfg.WebIdentityTokenFilePath) > 0 {
 // handles assume role via OIDC token. This should happen before any other
 // assume role call.
+ if len(envCfg.WebIdentityRoleARN) == 0 {
+ return WebIdentityEmptyRoleARNErr
+ }
+
 sessionName := envCfg.IAMRoleSessionName
 if len(sessionName) == 0 {
 sessionName = sharedCfg.AssumeRole.RoleSessionName
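Review bot: The new var refers to `ErrCodeWebIdentityRetrievalErr` unqualified, but the only declaration of that constant in this patch is in package stscreds; unless package session already declares a constant of the same name (not visible here), this will not compile and should read `awserr.New(stscreds.ErrCodeWebIdentityRetrievalErr, "role ARN is not set", nil)` with the matching import, so that session-level and provider-level failures share one error code that callers can match on. The doc comment names the environment variable `AWS_IAM_ROLE_ARN`; I would confirm that is the exact name envConfig reads into `WebIdentityRoleARN`, because an error message that points users at the wrong variable is the kind of thing that gets "fixed" by hard-coding credentials instead. Go convention for sentinel errors is an `Err` prefix (`ErrWebIdentityEmptyRoleARN`), though consistency with the package's existing exported errors should win.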
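Review bot: The new empty-ARN check in the web-identity branch is now the only place that a required input for this credential path is enforced, yet nothing in the patch tests it: the two provider tests that covered the empty-ARN and empty-path cases are deleted and no session test is added for WebIdentityEmptyRoleARNErr. I would add a session test that sets the token-file variable without the role ARN and asserts the returned error's code, `if aerr, ok := err.(awserr.Error); !ok || aerr.Code() != stscreds.ErrCodeWebIdentityRetrievalErr { t.Fatalf("unexpected error %v", err) }`, so the guard cannot be silently dropped again the way the provider guards were here. Since the check runs before any STS call is attempted, a short comment such as `// Refuse to configure web-identity credentials without a target role; failing here avoids reading the token file and calling STS with an empty RoleArn.` would record why it sits ahead of the session-name handling. mergeConfigSrcs starts and ends outside the hunk.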