aws/session: Add support for chaining assume IAM role from shared con…

…fig (#2579) Adds support chaining assume role credentials from the shared config/credentials files. This change allows you to create an assume role chain of multiple levels of assumed IAM roles. The config profile the deepest in the chain must use static credentials, or `credential_source`. If the deepest profile doesn't have either of these the session will fail to load. Fixes the SDK's shared config credential source not assuming a role with environment and ECS credentials. EC2 credentials were already supported. Fix #2528 Fix #2385 Also adds the ability to specify the Handlers the SDK should use at the SessionWithOptions. This allows the a set of handlers to be provided at the very beginning of the session credential chain.
aws · Jun 12, 2019 · 8be2a09 · 8be2a09
1 parent cf6e277
commit 8be2a09
Show file tree

Hide file tree

Showing 12 changed files with 851 additions and 619 deletions.
diff --git a/aws/credentials/credentials.go b/aws/credentials/credentials.go
@@ -50,9 +50,10 @@ package credentials
 
 import (
 	"fmt"
-	"github.com/aws/aws-sdk-go/aws/awserr"
 	"sync"
 	"time"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 )
 
 // AnonymousCredentials is an empty Credential object that can be used as

diff --git a/aws/credentials/stscreds/assume_role_provider.go b/aws/credentials/stscreds/assume_role_provider.go
@@ -200,7 +200,7 @@ type AssumeRoleProvider struct {
 	// by a random percentage between 0 and MaxJitterFraction. MaxJitterFrac must
 	// have a value between 0 and 1. Any other value may lead to expected behavior.
 	// With a MaxJitterFrac value of 0, default) will no jitter will be used.
-	// 
+	//
 	// For example, with a Duration of 30m and a MaxJitterFrac of 0.1, the
 	// AssumeRole call will be made with an arbitrary Duration between 27m and
 	// 30m.
@@ -258,7 +258,6 @@ func NewCredentialsWithClient(svc AssumeRoler, roleARN string, options ...func(*
 
 // Retrieve generates a new set of temporary credentials using STS.
 func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error) {
-
 	// Apply defaults where parameters are not set.
 	if p.RoleSessionName == "" {
 		// Try to work out a role name that will hopefully end up unique.

diff --git a/aws/request/handlers.go b/aws/request/handlers.go
@@ -59,6 +59,51 @@ func (h *Handlers) Clear() {
 	h.Complete.Clear()
 }
 
+// IsEmpty returns if there are no handlers in any of the handlerlists.
+func (h *Handlers) IsEmpty() bool {
+	if h.Validate.Len() != 0 {
+		return false
+	}
+	if h.Build.Len() != 0 {
+		return false
+	}
+	if h.Send.Len() != 0 {
+		return false
+	}
+	if h.Sign.Len() != 0 {
+		return false
+	}
+	if h.Unmarshal.Len() != 0 {
+		return false
+	}
+	if h.UnmarshalStream.Len() != 0 {
+		return false
+	}
+	if h.UnmarshalMeta.Len() != 0 {
+		return false
+	}
+	if h.UnmarshalError.Len() != 0 {
+		return false
+	}
+	if h.ValidateResponse.Len() != 0 {
+		return false
+	}
+	if h.Retry.Len() != 0 {
+		return false
+	}
+	if h.AfterRetry.Len() != 0 {
+		return false
+	}
+	if h.CompleteAttempt.Len() != 0 {
+		return false
+	}
+	if h.Complete.Len() != 0 {
+		return false
+	}
+
+	return true
+}
+
 // A HandlerListRunItem represents an entry in the HandlerList which
 // is being run.
 type HandlerListRunItem struct {

diff --git a/aws/session/credentials.go b/aws/session/credentials.go
@@ -0,0 +1,202 @@
+package session
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/credentials/processcreds"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+	"github.com/aws/aws-sdk-go/aws/defaults"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/internal/shareddefaults"
+)
+
+// valid credential source values
+const (
+	credSourceEc2Metadata  = "Ec2InstanceMetadata"
+	credSourceEnvironment  = "Environment"
+	credSourceECSContainer = "EcsContainer"
+)
+
+func resolveCredentials(cfg *aws.Config,
+	envCfg envConfig, sharedCfg sharedConfig,
+	handlers request.Handlers,
+	sessOpts Options,
+) (*credentials.Credentials, error) {
+	// Credentials from Assume Role with specific credentials source.
+	if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.CredentialSource) > 0 {
+		return resolveCredsFromSource(cfg, envCfg, sharedCfg, handlers, sessOpts)
+	}
+
+	// Credentials from environment variables
+	if len(envCfg.Creds.AccessKeyID) > 0 {
+		return credentials.NewStaticCredentialsFromCreds(envCfg.Creds), nil
+	}
+
+	// Fallback to the "default" credential resolution chain.
+	return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
+}
+
+func resolveCredsFromProfile(cfg *aws.Config,
+	envCfg envConfig, sharedCfg sharedConfig,
+	handlers request.Handlers,
+	sessOpts Options,
+) (*credentials.Credentials, error) {
+
+	if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.RoleARN) > 0 && sharedCfg.AssumeRoleSource != nil {
+		// Assume IAM role with credentials source from a different profile.
+		cred, err := resolveCredsFromProfile(cfg, envCfg, *sharedCfg.AssumeRoleSource, handlers, sessOpts)
+		if err != nil {
+			return nil, err
+		}
+
+		cfgCp := *cfg
+		cfgCp.Credentials = cred
+		return credsFromAssumeRole(cfgCp, handlers, sharedCfg, sessOpts)
+
+	} else if len(sharedCfg.Creds.AccessKeyID) > 0 {
+		// Static Credentials from Shared Config/Credentials file.
+		return credentials.NewStaticCredentialsFromCreds(
+			sharedCfg.Creds,
+		), nil
+
+	} else if len(sharedCfg.CredentialProcess) > 0 {
+		// Credential Process credentials from Shared Config/Credentials file.
+		return processcreds.NewCredentials(
+			sharedCfg.CredentialProcess,
+		), nil
+
+	} else if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.CredentialSource) > 0 {
+		// Assume IAM Role with specific credential source.
+		return resolveCredsFromSource(cfg, envCfg, sharedCfg, handlers, sessOpts)
+	}
+
+	// Fallback to default credentials provider, include mock errors
+	// for the credential chain so user can identify why credentials
+	// failed to be retrieved.
+	return credentials.NewCredentials(&credentials.ChainProvider{
+		VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors),
+		Providers: []credentials.Provider{
+			&credProviderError{
+				Err: awserr.New("EnvAccessKeyNotFound",
+					"failed to find credentials in the environment.", nil),
+			},
+			&credProviderError{
+				Err: awserr.New("SharedCredsLoad",
+					fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil),
+			},
+			defaults.RemoteCredProvider(*cfg, handlers),
+		},
+	}), nil
+}
+
+func resolveCredsFromSource(cfg *aws.Config,
+	envCfg envConfig, sharedCfg sharedConfig,
+	handlers request.Handlers,
+	sessOpts Options,
+) (*credentials.Credentials, error) {
+	// if both credential_source and source_profile have been set, return an
+	// error as this is undefined behavior. Only one can be used at a time
+	// within a profile.
+	if len(sharedCfg.AssumeRole.SourceProfile) > 0 {
+		return nil, ErrSharedConfigSourceCollision
+	}
+
+	cfgCp := *cfg
+	switch sharedCfg.AssumeRole.CredentialSource {
+	case credSourceEc2Metadata:
+		p := defaults.RemoteCredProvider(cfgCp, handlers)
+		cfgCp.Credentials = credentials.NewCredentials(p)
+
+	case credSourceEnvironment:
+		cfgCp.Credentials = credentials.NewStaticCredentialsFromCreds(envCfg.Creds)
+
+	case credSourceECSContainer:
+		if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 {
+			return nil, ErrSharedConfigECSContainerEnvVarEmpty
+		}
+
+		p := defaults.RemoteCredProvider(cfgCp, handlers)
+		cfgCp.Credentials = credentials.NewCredentials(p)
+
+	default:
+		return nil, ErrSharedConfigInvalidCredSource
+	}
+
+	return credsFromAssumeRole(cfgCp, handlers, sharedCfg, sessOpts)
+}
+
+func credsFromAssumeRole(cfg aws.Config,
+	handlers request.Handlers,
+	sharedCfg sharedConfig,
+	sessOpts Options,
+) (*credentials.Credentials, error) {
+	if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil {
+		// AssumeRole Token provider is required if doing Assume Role
+		// with MFA.
+		return nil, AssumeRoleTokenProviderNotSetError{}
+	}
+
+	return stscreds.NewCredentials(
+		&Session{
+			Config:   &cfg,
+			Handlers: handlers.Copy(),
+		},
+		sharedCfg.AssumeRole.RoleARN,
+		func(opt *stscreds.AssumeRoleProvider) {
+			opt.RoleSessionName = sharedCfg.AssumeRole.RoleSessionName
+
+			// Assume role with external ID
+			if len(sharedCfg.AssumeRole.ExternalID) > 0 {
+				opt.ExternalID = aws.String(sharedCfg.AssumeRole.ExternalID)
+			}
+
+			// Assume role with MFA
+			if len(sharedCfg.AssumeRole.MFASerial) > 0 {
+				opt.SerialNumber = aws.String(sharedCfg.AssumeRole.MFASerial)
+				opt.TokenProvider = sessOpts.AssumeRoleTokenProvider
+			}
+		},
+	), nil
+}
+
+// AssumeRoleTokenProviderNotSetError is an error returned when creating a session when the
+// MFAToken option is not set when shared config is configured load assume a
+// role with an MFA token.
+type AssumeRoleTokenProviderNotSetError struct{}
+
+// Code is the short id of the error.
+func (e AssumeRoleTokenProviderNotSetError) Code() string {
+	return "AssumeRoleTokenProviderNotSetError"
+}
+
+// Message is the description of the error
+func (e AssumeRoleTokenProviderNotSetError) Message() string {
+	return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.")
+}
+
+// OrigErr is the underlying error that caused the failure.
+func (e AssumeRoleTokenProviderNotSetError) OrigErr() error {
+	return nil
+}
+
+// Error satisfies the error interface.
+func (e AssumeRoleTokenProviderNotSetError) Error() string {
+	return awserr.SprintError(e.Code(), e.Message(), "", nil)
+}
+
+type credProviderError struct {
+	Err error
+}
+
+var emptyCreds = credentials.Value{}
+
+func (c credProviderError) Retrieve() (credentials.Value, error) {
+	return credentials.Value{}, c.Err
+}
+func (c credProviderError) IsExpired() bool {
+	return true
+}