Merge pull request #69 from hashicorp/more-authentication
V2: Enables more authentication
gdavison authored Sep 9, 2021
2 parents 94c296b + bedc838 commit fed3407
Showing 12 changed files with 430 additions and 882 deletions.
16 changes: 15 additions & 1 deletion aws_config.go
Expand Up @@ -42,6 +42,8 @@ func GetAwsConfig(ctx context.Context, c *Config) (aws.Config, error) {
imdsEnableState := imds.ClientDefaultEnableState
if c.SkipMetadataApiCheck {
imdsEnableState = imds.ClientDisabled
// This should not be needed, but https://github.com/aws/aws-sdk-go-v2/issues/1398
os.Setenv("AWS_EC2_METADATA_DISABLED", "true")
}

httpClient := cleanhttp.DefaultClient()
Expand Down Expand Up @@ -76,7 +78,19 @@ func GetAwsConfig(ctx context.Context, c *Config) (aws.Config, error) {
config.WithEC2IMDSClientEnableState(imdsEnableState),
config.WithHTTPClient(httpClient),
config.WithAPIOptions(apiOptions),
// FIXME: This should only be set for retrieving Creds
config.WithRetryer(func() aws.Retryer {
return aws.NopRetryer{}
}),
)
if err != nil {
return cfg, fmt.Errorf("loading configuration: %w", err)
}

_, err = cfg.Credentials.Retrieve(ctx)
if err != nil {
return cfg, c.NewNoValidCredentialSourcesError(err)
}

if c.AssumeRoleARN == "" {
return cfg, err
Expand Down Expand Up @@ -133,7 +147,7 @@ func GetAwsConfig(ctx context.Context, c *Config) (aws.Config, error) {
})
_, err = appCreds.Retrieve(ctx)
if err != nil {
return aws.Config{}, fmt.Errorf("error assuming role: %w", err)
return aws.Config{}, c.NewCannotAssumeRoleError(err)
}

cfg.Credentials = aws.NewCredentialsCache(appCreds)
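Review bot: The `os.Setenv("AWS_EC2_METADATA_DISABLED", "true")` added in the first hunk mutates process-wide state from inside GetAwsConfig and is never undone, so once any caller passes SkipMetadataApiCheck=true every aws.Config built later in the same process also has IMDS disabled unless something else clears the variable, and the error returned by Setenv is dropped. If the workaround has to stay, check the error and document the side effect: `if err := os.Setenv("AWS_EC2_METADATA_DISABLED", "true"); err != nil { return aws.Config{}, fmt.Errorf("disabling EC2 metadata lookup: %w", err) }` together with a comment such as `// Process-wide: affects every config loaded after this call, not only this one.` The FIXME on the NopRetryer in the second hunk is worth tracking for the same reason — the retryer presumably stays on the returned cfg, so every service call made with it loses retries, not only the credential retrieval. GetAwsConfig starts before the first hunk and continues past the last.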
306 changes: 153 additions & 153 deletions aws_config_test.go
Expand Up @@ -42,13 +42,13 @@ func TestGetAwsConfig(t *testing.T) {
SharedConfigurationFile string
SharedCredentialsFile string
}{
// {
// Config: &Config{},
// Description: "no configuration or credentials",
// ExpectedError: func(err error) bool {
// return IsNoValidCredentialSourcesError(err)
// },
// },
{
Config: &Config{},
Description: "no configuration or credentials",
ExpectedError: func(err error) bool {
return IsNoValidCredentialSourcesError(err)
},
},
{
Config: &Config{
AccessKey: awsmocks.MockStaticAccessKey,
Expand Down Expand Up @@ -210,26 +210,26 @@ aws_access_key_id = ProfileSharedCredentialsAccessKey
aws_secret_access_key = ProfileSharedCredentialsSecretKey
`,
},
// {
// Config: &Config{
// Profile: "SharedConfigurationProfile",
// Region: "us-east-1",
// },
// Description: "config Profile shared configuration credential_source Ec2InstanceMetadata",
// EnableEc2MetadataServer: true,
// ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleCredentialsV2,
// ExpectedRegion: "us-east-1",
// MockStsEndpoints: []*awsmocks.MockEndpoint{
// awsmocks.MockStsAssumeRoleValidEndpoint,
// awsmocks.MockStsGetCallerIdentityValidEndpoint,
// },
// SharedConfigurationFile: fmt.Sprintf(`
// [profile SharedConfigurationProfile]
// credential_source = Ec2InstanceMetadata
// role_arn = %[1]s
// role_session_name = %[2]s
// `, awsmocks.MockStsAssumeRoleArn, awsmocks.MockStsAssumeRoleSessionName),
// },
{
Config: &Config{
Profile: "SharedConfigurationProfile",
Region: "us-east-1",
},
Description: "config Profile shared configuration credential_source Ec2InstanceMetadata",
EnableEc2MetadataServer: true,
ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleCredentialsV2,
ExpectedRegion: "us-east-1",
MockStsEndpoints: []*awsmocks.MockEndpoint{
awsmocks.MockStsAssumeRoleValidEndpoint,
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
SharedConfigurationFile: fmt.Sprintf(`
[profile SharedConfigurationProfile]
credential_source = Ec2InstanceMetadata
role_arn = %[1]s
role_session_name = %[2]s
`, awsmocks.MockStsAssumeRoleArn, awsmocks.MockStsAssumeRoleSessionName),
},
// {
// Config: &Config{
// Profile: "SharedConfigurationProfile",
Expand Down Expand Up @@ -337,28 +337,28 @@ aws_access_key_id = ProfileSharedCredentialsAccessKey
aws_secret_access_key = ProfileSharedCredentialsSecretKey
`,
},
// {
// Config: &Config{
// Region: "us-east-1",
// },
// Description: "environment AWS_PROFILE shared configuration credential_source Ec2InstanceMetadata",
// EnableEc2MetadataServer: true,
// EnvironmentVariables: map[string]string{
// "AWS_PROFILE": "SharedConfigurationProfile",
// },
// ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleCredentialsV2,
// ExpectedRegion: "us-east-1",
// MockStsEndpoints: []*awsmocks.MockEndpoint{
// awsmocks.MockStsAssumeRoleValidEndpoint,
// awsmocks.MockStsGetCallerIdentityValidEndpoint,
// },
// SharedConfigurationFile: fmt.Sprintf(`
// [profile SharedConfigurationProfile]
// credential_source = Ec2InstanceMetadata
// role_arn = %[1]s
// role_session_name = %[2]s
// `, awsmocks.MockStsAssumeRoleArn, awsmocks.MockStsAssumeRoleSessionName),
// },
{
Config: &Config{
Region: "us-east-1",
},
Description: "environment AWS_PROFILE shared configuration credential_source Ec2InstanceMetadata",
EnableEc2MetadataServer: true,
EnvironmentVariables: map[string]string{
"AWS_PROFILE": "SharedConfigurationProfile",
},
ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleCredentialsV2,
ExpectedRegion: "us-east-1",
MockStsEndpoints: []*awsmocks.MockEndpoint{
awsmocks.MockStsAssumeRoleValidEndpoint,
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
SharedConfigurationFile: fmt.Sprintf(`
[profile SharedConfigurationProfile]
credential_source = Ec2InstanceMetadata
role_arn = %[1]s
role_session_name = %[2]s
`, awsmocks.MockStsAssumeRoleArn, awsmocks.MockStsAssumeRoleSessionName),
},
// {
// Config: &Config{
// Region: "us-east-1",
Expand Down Expand Up @@ -408,22 +408,22 @@ aws_access_key_id = SharedConfigurationSourceAccessKey
aws_secret_access_key = SharedConfigurationSourceSecretKey
`, awsmocks.MockStsAssumeRoleArn, awsmocks.MockStsAssumeRoleSessionName),
},
// {
// Config: &Config{
// Region: "us-east-1",
// },
// Description: "environment AWS_SESSION_TOKEN",
// EnvironmentVariables: map[string]string{
// "AWS_ACCESS_KEY_ID": awsmocks.MockEnvAccessKey,
// "AWS_SECRET_ACCESS_KEY": awsmocks.MockEnvSecretKey,
// "AWS_SESSION_TOKEN": awsmocks.MockEnvSessionToken,
// },
// ExpectedCredentialsValue: awsmocks.MockEnvCredentialsWithSessionToken,
// ExpectedRegion: "us-east-1",
// MockStsEndpoints: []*awsmocks.MockEndpoint{
// awsmocks.MockStsGetCallerIdentityValidEndpoint,
// },
// },
{
Config: &Config{
Region: "us-east-1",
},
Description: "environment AWS_SESSION_TOKEN",
EnvironmentVariables: map[string]string{
"AWS_ACCESS_KEY_ID": awsmocks.MockEnvAccessKey,
"AWS_SECRET_ACCESS_KEY": awsmocks.MockEnvSecretKey,
"AWS_SESSION_TOKEN": awsmocks.MockEnvSessionToken,
},
ExpectedCredentialsValue: awsmocks.MockEnvCredentialsWithSessionTokenV2,
ExpectedRegion: "us-east-1",
MockStsEndpoints: []*awsmocks.MockEndpoint{
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
},
{
Config: &Config{
Region: "us-east-1",
Expand Down Expand Up @@ -463,47 +463,47 @@ aws_access_key_id = DefaultSharedCredentialsAccessKey
aws_secret_access_key = DefaultSharedCredentialsSecretKey
`,
},
// {
// Config: &Config{
// Region: "us-east-1",
// },
// Description: "web identity token access key",
// EnableEc2MetadataServer: true,
// EnableWebIdentityToken: true,
// ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleWithWebIdentityCredentials,
// ExpectedRegion: "us-east-1",
// MockStsEndpoints: []*awsmocks.MockEndpoint{
// awsmocks.MockStsAssumeRoleWithWebIdentityValidEndpoint,
// awsmocks.MockStsGetCallerIdentityValidEndpoint,
// },
// },
// {
// Config: &Config{
// Region: "us-east-1",
// },
// Description: "EC2 metadata access key",
// EnableEc2MetadataServer: true,
// ExpectedCredentialsValue: awsmocks.MockEc2MetadataCredentialsV2,
// ExpectedRegion: "us-east-1",
// MockStsEndpoints: []*awsmocks.MockEndpoint{
// awsmocks.MockStsGetCallerIdentityValidEndpoint,
// },
// },
// {
// Config: &Config{
// AssumeRoleARN: awsmocks.MockStsAssumeRoleArn,
// AssumeRoleSessionName: awsmocks.MockStsAssumeRoleSessionName,
// Region: "us-east-1",
// },
// Description: "EC2 metadata access key config AssumeRoleARN access key",
// EnableEc2MetadataServer: true,
// ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleCredentialsV2,
// ExpectedRegion: "us-east-1",
// MockStsEndpoints: []*awsmocks.MockEndpoint{
// awsmocks.MockStsAssumeRoleValidEndpoint,
// awsmocks.MockStsGetCallerIdentityValidEndpoint,
// },
// },
{
Config: &Config{
Region: "us-east-1",
},
Description: "web identity token access key",
EnableEc2MetadataServer: true,
EnableWebIdentityToken: true,
ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleWithWebIdentityCredentialsV2,
ExpectedRegion: "us-east-1",
MockStsEndpoints: []*awsmocks.MockEndpoint{
awsmocks.MockStsAssumeRoleWithWebIdentityValidEndpoint,
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
},
{
Config: &Config{
Region: "us-east-1",
},
Description: "EC2 metadata access key",
EnableEc2MetadataServer: true,
ExpectedCredentialsValue: awsmocks.MockEc2MetadataCredentialsV2,
ExpectedRegion: "us-east-1",
MockStsEndpoints: []*awsmocks.MockEndpoint{
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
},
{
Config: &Config{
AssumeRoleARN: awsmocks.MockStsAssumeRoleArn,
AssumeRoleSessionName: awsmocks.MockStsAssumeRoleSessionName,
Region: "us-east-1",
},
Description: "EC2 metadata access key config AssumeRoleARN access key",
EnableEc2MetadataServer: true,
ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleCredentialsV2,
ExpectedRegion: "us-east-1",
MockStsEndpoints: []*awsmocks.MockEndpoint{
awsmocks.MockStsAssumeRoleValidEndpoint,
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
},
{
Config: &Config{
Region: "us-east-1",
Expand All @@ -517,22 +517,22 @@ aws_secret_access_key = DefaultSharedCredentialsSecretKey
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
},
// {
// Config: &Config{
// AssumeRoleARN: awsmocks.MockStsAssumeRoleArn,
// AssumeRoleSessionName: awsmocks.MockStsAssumeRoleSessionName,
// Region: "us-east-1",
// },
// Description: "ECS credentials access key config AssumeRoleARN access key",
// EnableEc2MetadataServer: true,
// EnableEcsCredentialsServer: true,
// ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleCredentialsV2,
// ExpectedRegion: "us-east-1",
// MockStsEndpoints: []*awsmocks.MockEndpoint{
// awsmocks.MockStsAssumeRoleValidEndpoint,
// awsmocks.MockStsGetCallerIdentityValidEndpoint,
// },
// },
{
Config: &Config{
AssumeRoleARN: awsmocks.MockStsAssumeRoleArn,
AssumeRoleSessionName: awsmocks.MockStsAssumeRoleSessionName,
Region: "us-east-1",
},
Description: "ECS credentials access key config AssumeRoleARN access key",
EnableEc2MetadataServer: true,
EnableEcsCredentialsServer: true,
ExpectedCredentialsValue: awsmocks.MockStsAssumeRoleCredentialsV2,
ExpectedRegion: "us-east-1",
MockStsEndpoints: []*awsmocks.MockEndpoint{
awsmocks.MockStsAssumeRoleValidEndpoint,
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
},
{
Config: &Config{
AccessKey: awsmocks.MockStaticAccessKey,
Expand Down Expand Up @@ -706,25 +706,25 @@ aws_secret_access_key = DefaultSharedCredentialsSecretKey
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
},
// {
// Config: &Config{
// AccessKey: awsmocks.MockStaticAccessKey,
// AssumeRoleARN: awsmocks.MockStsAssumeRoleArn,
// AssumeRoleSessionName: awsmocks.MockStsAssumeRoleSessionName,
// DebugLogging: true,
// Region: "us-east-1",
// SecretKey: awsmocks.MockStaticSecretKey,
// },
// Description: "assume role error",
// ExpectedError: func(err error) bool {
// return IsCannotAssumeRoleError(err)
// },
// ExpectedRegion: "us-east-1",
// MockStsEndpoints: []*awsmocks.MockEndpoint{
// awsmocks.MockStsAssumeRoleInvalidEndpointInvalidClientTokenId,
// awsmocks.MockStsGetCallerIdentityValidEndpoint,
// },
// },
{
Config: &Config{
AccessKey: awsmocks.MockStaticAccessKey,
AssumeRoleARN: awsmocks.MockStsAssumeRoleArn,
AssumeRoleSessionName: awsmocks.MockStsAssumeRoleSessionName,
DebugLogging: true,
Region: "us-east-1",
SecretKey: awsmocks.MockStaticSecretKey,
},
Description: "assume role error",
ExpectedError: func(err error) bool {
return IsCannotAssumeRoleError(err)
},
ExpectedRegion: "us-east-1",
MockStsEndpoints: []*awsmocks.MockEndpoint{
awsmocks.MockStsAssumeRoleInvalidEndpointInvalidClientTokenId,
awsmocks.MockStsGetCallerIdentityValidEndpoint,
},
},
// {
// Config: &Config{
// AccessKey: awsmocks.MockStaticAccessKey,
Expand Down Expand Up @@ -765,18 +765,18 @@ source_profile = SourceSharedCredentials
ExpectedCredentialsValue: awsmocks.MockStaticCredentialsV2,
ExpectedRegion: "us-east-1",
},
// {
// Config: &Config{
// Region: "us-east-1",
// SkipMetadataApiCheck: true,
// },
// Description: "skip EC2 metadata API check",
// EnableEc2MetadataServer: true,
// ExpectedError: func(err error) bool {
// return IsNoValidCredentialSourcesError(err)
// },
// ExpectedRegion: "us-east-1",
// },
{
Config: &Config{
Region: "us-east-1",
SkipMetadataApiCheck: true,
},
Description: "skip EC2 metadata API check",
EnableEc2MetadataServer: true,
ExpectedError: func(err error) bool {
return IsNoValidCredentialSourcesError(err)
},
ExpectedRegion: "us-east-1",
},
}

for _, testCase := range testCases {
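Review bot: The re-enabled "skip EC2 metadata API check" case at the end of the table (last hunk) drives GetAwsConfig down the path that sets AWS_EC2_METADATA_DISABLED in the process environment, and nothing in the visible hunks clears it afterwards, so any test run later in the same process that expects IMDS to be reachable would see a disabled metadata client. Unless the loop body starting at `for _, testCase := range testCases`, which runs past the hunk, already resets the environment for each case, add `os.Unsetenv("AWS_EC2_METADATA_DISABLED")` to the per-case cleanup (or a t.Cleanup if the cases run as subtests). The same process-wide leak applies to every other re-enabled case that relies on EnableEc2MetadataServer once this one has run before it.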