provider/aws: Move aws.getCreds into auth_helpers
1 parent
1e12738
commit 81947d4
Showing
3 changed files
with
68 additions
and
59 deletions.
@@ -0,0 +1,68 @@ | ||
package aws | ||
|
||
import ( | ||
"log" | ||
"net/http" | ||
"os" | ||
"strings" | ||
"time" | ||
|
||
"github.com/aws/aws-sdk-go/aws" | ||
awsCredentials "github.com/aws/aws-sdk-go/aws/credentials" | ||
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" | ||
"github.com/aws/aws-sdk-go/aws/ec2metadata" | ||
"github.com/aws/aws-sdk-go/aws/session" | ||
) | ||
|
||
// This function is responsible for reading credentials from the | ||
// environment in the case that they're not explicitly specified | ||
// in the Terraform configuration. | ||
func getCreds(key, secret, token, profile, credsfile string) *awsCredentials.Credentials { | ||
// build a chain provider, lazy-evaulated by aws-sdk | ||
providers := []awsCredentials.Provider{ | ||
&awsCredentials.StaticProvider{Value: awsCredentials.Value{ | ||
AccessKeyID: key, | ||
SecretAccessKey: secret, | ||
SessionToken: token, | ||
}}, | ||
&awsCredentials.EnvProvider{}, | ||
&awsCredentials.SharedCredentialsProvider{ | ||
Filename: credsfile, | ||
Profile: profile, | ||
}, | ||
} | ||
|
||
// We only look in the EC2 metadata API if we can connect | ||
// to the metadata service within a reasonable amount of time | ||
metadataURL := os.Getenv("AWS_METADATA_URL") | ||
if metadataURL == "" { | ||
metadataURL = "http://169.254.169.254:80/latest" | ||
} | ||
c := http.Client{ | ||
Timeout: 100 * time.Millisecond, | ||
} | ||
|
||
r, err := c.Get(metadataURL) | ||
// Flag to determine if we should add the EC2Meta data provider. Default false | ||
var useIAM bool | ||
if err == nil { | ||
// AWS will add a "Server: EC2ws" header value for the metadata request. We | ||
// check the headers for this value to ensure something else didn't just | ||
// happent to be listening on that IP:Port | ||
if r.Header["Server"] != nil && strings.Contains(r.Header["Server"][0], "EC2") { | ||
useIAM = true | ||
} | ||
} | ||
|
||
if useIAM { | ||
log.Printf("[DEBUG] EC2 Metadata service found, adding EC2 Role Credential Provider") | ||
providers = append(providers, &ec2rolecreds.EC2RoleProvider{ | ||
Client: ec2metadata.New(session.New(&aws.Config{ | ||
Endpoint: aws.String(metadataURL), | ||
})), | ||
}) | ||
} else { | ||
log.Printf("[DEBUG] EC2 Metadata service not found, not adding EC2 Role Credential Provider") | ||
} | ||
return awsCredentials.NewChainCredentials(providers) | ||
} |
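Review bot: The response returned by `c.Get(metadataURL)` is never closed, so the body and underlying connection leak on every successful probe; add `defer r.Body.Close()` as the first statement inside the `err == nil` branch before reading `r.Header`. On the failure path the error is dropped entirely, and because a 100 ms timeout is the only thing deciding whether the instance-role provider is added, logging it (`log.Printf("[DEBUG] EC2 metadata probe failed: %s", err)`) would make the resulting "no credentials found" failure diagnosable. It is also worth stating in the comment above the `Server` check that it is a liveness heuristic rather than authentication: whatever answers at the configured `AWS_METADATA_URL` with an `EC2` server header becomes the source of role credentials for the chain.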
File renamed without changes.