fog--fog-aws/lib/fog/aws/credential_fetcher.rb

# frozen_string_literal: true

module Fog
  module AWS
    module CredentialFetcher

      INSTANCE_METADATA_HOST = "http://169.254.169.254"
      INSTANCE_METADATA_TOKEN = "/latest/api/token"
      INSTANCE_METADATA_PATH = "/latest/meta-data/iam/security-credentials/"
      INSTANCE_METADATA_AZ = "/latest/meta-data/placement/availability-zone/"

      CONTAINER_CREDENTIALS_HOST = "http://169.254.170.2"

      STS_GLOBAL_ENDPOINT = "https://sts.amazonaws.com"

      module ServiceMethods
        def fetch_credentials(options)
          if options[:use_iam_profile] && Fog.mocking?
            return Fog::AWS::Compute::Mock.data[:iam_role_based_creds]
          end
          if options[:use_iam_profile]
            begin
              role_data = nil
              region = options[:region]

              if ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
                connection = options[:connection] || Excon.new(CONTAINER_CREDENTIALS_HOST)
                credential_path = options[:credential_path] || ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
                role_data = connection.get(:path => credential_path, :idempotent => true, :expects => 200).body
                session = Fog::JSON.decode(role_data)

                if region.nil?
                  connection = options[:metadata_connection] || Excon.new(INSTANCE_METADATA_HOST)
                  token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])
                  region = connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]
                end
              elsif ENV["AWS_WEB_IDENTITY_TOKEN_FILE"]
                params = {
                  :Action => "AssumeRoleWithWebIdentity",
                  :RoleArn => options[:role_arn] || ENV.fetch("AWS_ROLE_ARN"),
                  :RoleSessionName => options[:role_session_name] || ENV.fetch("AWS_ROLE_SESSION_NAME"),
                  :WebIdentityToken => File.read(options[:aws_web_identity_token_file] || ENV.fetch("AWS_WEB_IDENTITY_TOKEN_FILE")),
                  :Version => "2011-06-15",
                }
                connection = options[:connection] || Excon.new(STS_GLOBAL_ENDPOINT, :query => params)
                document = Nokogiri::XML(connection.get(:idempotent => true, :expects => 200).body)

                session = {
                  "AccessKeyId" => document.css("AccessKeyId").children.text,
                  "SecretAccessKey" => document.css("SecretAccessKey").children.text,
                  "Token" => document.css("SessionToken").children.text,
                  "Expiration" => document.css("Expiration").children.text,
                }

                if region.nil?
                  connection = options[:metadata_connection] || Excon.new(INSTANCE_METADATA_HOST)
                  token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])
                  region = connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]
                end
              else
                connection = options[:connection] || Excon.new(INSTANCE_METADATA_HOST)
                token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])
                role_name = connection.get(:path => INSTANCE_METADATA_PATH, :idempotent => true, :expects => 200, :headers => token_header).body
                role_data = connection.get(:path => INSTANCE_METADATA_PATH+role_name, :idempotent => true, :expects => 200, :headers => token_header).body
                session = Fog::JSON.decode(role_data)
                
                region ||= connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]
              end
              
              credentials = {}
              credentials[:aws_access_key_id] = session['AccessKeyId']
              credentials[:aws_secret_access_key] = session['SecretAccessKey']
              credentials[:aws_session_token] = session['Token']
              credentials[:aws_credentials_expire_at] = Time.xmlschema session['Expiration']
              
              # set region by default to the one the instance is in.
              credentials[:region] = region
              #these indicate the metadata service is unavailable or has no profile setup
              credentials
            rescue Excon::Error => e
              Fog::Logger.warning("Unable to fetch credentials: #{e.message}")
              super
            end
          else
            super
          end
        end

        def fetch_credentials_token_header(connection, disable_imds_v2)
          return nil if disable_imds_v2

          token = connection.put(
            :path => INSTANCE_METADATA_TOKEN,
            :idempotent => true,
            :expects => 200,
            :retry_interval => 1,
            :retry_limit => 3,
            :read_timeout => 1,
            :write_timeout => 1,
            :connect_timeout => 1,
            :headers => { "X-aws-ec2-metadata-token-ttl-seconds" => "300" }
          ).body

          { "X-aws-ec2-metadata-token" => token }
        rescue Excon::Error
          nil
        end
      end

      module ConnectionMethods
        def refresh_credentials_if_expired
          refresh_credentials if credentials_expired?
        end

        private

        def credentials_expired?
          @use_iam_profile &&
            (!@aws_credentials_expire_at ||
             (@aws_credentials_expire_at && Fog::Time.now > @aws_credentials_expire_at - 15)) #new credentials become available from around 5 minutes before expiration time
        end

        def refresh_credentials
          if @use_iam_profile
            new_credentials = service.fetch_credentials :use_iam_profile => @use_iam_profile, :region => @region
            if new_credentials.any?
              setup_credentials new_credentials
              return true
            else
              false
            end
          else
            false
          end
        end
      end
    end
  end
end
Add AWS web identity token file to list of available services to fetch credentials Add test coverage for web identity token file 2020-10-26 07:38:30 -04:00			`# frozen_string_literal: true`

initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`module Fog`
			`module AWS`
			`module CredentialFetcher`
add default region to use_iam_profile 2016-06-29 18:24:53 -04:00
initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`INSTANCE_METADATA_HOST = "http://169.254.169.254"`
Add support for Instance Metadata Service v2 (IMDSv2) tokens 2020-05-11 03:33:12 -04:00			`INSTANCE_METADATA_TOKEN = "/latest/api/token"`
initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`INSTANCE_METADATA_PATH = "/latest/meta-data/iam/security-credentials/"`
add default region to use_iam_profile 2016-06-29 18:24:53 -04:00			`INSTANCE_METADATA_AZ = "/latest/meta-data/placement/availability-zone/"`

ECS container credentials 2016-07-25 19:36:29 -04:00			`CONTAINER_CREDENTIALS_HOST = "http://169.254.170.2"`

Add AWS web identity token file to list of available services to fetch credentials Add test coverage for web identity token file 2020-10-26 07:38:30 -04:00			`STS_GLOBAL_ENDPOINT = "https://sts.amazonaws.com"`

initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`module ServiceMethods`
			`def fetch_credentials(options)`
do not make requests if mocked. 2016-05-11 16:31:54 -04:00			`if options[:use_iam_profile] && Fog.mocking?`
git grep -l "Compute::AWS" -- lib/ \| xargs sed -i "" "s/Compute::AWS/AWS::Compute/g" 2018-09-12 05:34:50 -04:00			`return Fog::AWS::Compute::Mock.data[:iam_role_based_creds]`
do not make requests if mocked. 2016-05-11 16:31:54 -04:00			`end`
initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`if options[:use_iam_profile]`
			`begin`
ECS container credentials 2016-07-25 19:36:29 -04:00			`role_data = nil`
Skip region fetch 2017-04-19 21:44:31 -04:00			`region = options[:region]`
ECS container credentials 2016-07-25 19:36:29 -04:00
			`if ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]`
			`connection = options[:connection] \|\| Excon.new(CONTAINER_CREDENTIALS_HOST)`
			`credential_path = options[:credential_path] \|\| ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]`
Mark AWS metadata calls as idempotent Mark calls to metadata services for AWS as idempotent. This means that excon will retry request up to 3 times in case there is a (temporary) issue on the metadata service. 2016-12-12 11:30:10 -05:00			`role_data = connection.get(:path => credential_path, :idempotent => true, :expects => 200).body`
Add AWS web identity token file to list of available services to fetch credentials Add test coverage for web identity token file 2020-10-26 07:38:30 -04:00			`session = Fog::JSON.decode(role_data)`

			`if region.nil?`
			`connection = options[:metadata_connection] \|\| Excon.new(INSTANCE_METADATA_HOST)`
			`token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])`
			`region = connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]`
			`end`
			`elsif ENV["AWS_WEB_IDENTITY_TOKEN_FILE"]`
			`params = {`
			`:Action => "AssumeRoleWithWebIdentity",`
			`:RoleArn => options[:role_arn] \|\| ENV.fetch("AWS_ROLE_ARN"),`
			`:RoleSessionName => options[:role_session_name] \|\| ENV.fetch("AWS_ROLE_SESSION_NAME"),`
			`:WebIdentityToken => File.read(options[:aws_web_identity_token_file] \|\| ENV.fetch("AWS_WEB_IDENTITY_TOKEN_FILE")),`
			`:Version => "2011-06-15",`
			`}`
			`connection = options[:connection] \|\| Excon.new(STS_GLOBAL_ENDPOINT, :query => params)`
			`document = Nokogiri::XML(connection.get(:idempotent => true, :expects => 200).body)`

			`session = {`
			`"AccessKeyId" => document.css("AccessKeyId").children.text,`
			`"SecretAccessKey" => document.css("SecretAccessKey").children.text,`
			`"Token" => document.css("SessionToken").children.text,`
			`"Expiration" => document.css("Expiration").children.text,`
			`}`
ECS container credentials 2016-07-25 19:36:29 -04:00
check_existence_of_region 2017-11-15 11:28:50 -05:00			`if region.nil?`
			`connection = options[:metadata_connection] \|\| Excon.new(INSTANCE_METADATA_HOST)`
Gracefully handle failure of IMDSv2 and allow fallback to IMDSv1 2020-05-17 19:10:29 -04:00			`token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])`
Add support for Instance Metadata Service v2 (IMDSv2) tokens 2020-05-11 03:33:12 -04:00			`region = connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]`
check_existence_of_region 2017-11-15 11:28:50 -05:00			`end`
ECS container credentials 2016-07-25 19:36:29 -04:00			`else`
			`connection = options[:connection] \|\| Excon.new(INSTANCE_METADATA_HOST)`
Gracefully handle failure of IMDSv2 and allow fallback to IMDSv1 2020-05-17 19:10:29 -04:00			`token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])`
Add support for Instance Metadata Service v2 (IMDSv2) tokens 2020-05-11 03:33:12 -04:00			`role_name = connection.get(:path => INSTANCE_METADATA_PATH, :idempotent => true, :expects => 200, :headers => token_header).body`
			`role_data = connection.get(:path => INSTANCE_METADATA_PATH+role_name, :idempotent => true, :expects => 200, :headers => token_header).body`
Add AWS web identity token file to list of available services to fetch credentials Add test coverage for web identity token file 2020-10-26 07:38:30 -04:00			`session = Fog::JSON.decode(role_data)`

Add support for Instance Metadata Service v2 (IMDSv2) tokens 2020-05-11 03:33:12 -04:00			`region \|\|= connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]`
ECS container credentials 2016-07-25 19:36:29 -04:00			`end`
Add AWS web identity token file to list of available services to fetch credentials Add test coverage for web identity token file 2020-10-26 07:38:30 -04:00
initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`credentials = {}`
			`credentials[:aws_access_key_id] = session['AccessKeyId']`
			`credentials[:aws_secret_access_key] = session['SecretAccessKey']`
			`credentials[:aws_session_token] = session['Token']`
			`credentials[:aws_credentials_expire_at] = Time.xmlschema session['Expiration']`
Add AWS web identity token file to list of available services to fetch credentials Add test coverage for web identity token file 2020-10-26 07:38:30 -04:00
add default region to use_iam_profile 2016-06-29 18:24:53 -04:00			`# set region by default to the one the instance is in.`
			`credentials[:region] = region`
initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`#these indicate the metadata service is unavailable or has no profile setup`
			`credentials`
fix rescue to use new excon error namespacing 2016-07-01 09:47:14 -04:00			`rescue Excon::Error => e`
initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`Fog::Logger.warning("Unable to fetch credentials: #{e.message}")`
			`super`
			`end`
			`else`
			`super`
			`end`
			`end`
Gracefully handle failure of IMDSv2 and allow fallback to IMDSv1 2020-05-17 19:10:29 -04:00
			`def fetch_credentials_token_header(connection, disable_imds_v2)`
			`return nil if disable_imds_v2`

			`token = connection.put(`
			`:path => INSTANCE_METADATA_TOKEN,`
			`:idempotent => true,`
			`:expects => 200,`
			`:retry_interval => 1,`
			`:retry_limit => 3,`
Wait for only a short time when querying if IMDSv2 is functional 2020-05-19 18:09:24 -04:00			`:read_timeout => 1,`
			`:write_timeout => 1,`
			`:connect_timeout => 1,`
Gracefully handle failure of IMDSv2 and allow fallback to IMDSv1 2020-05-17 19:10:29 -04:00			`:headers => { "X-aws-ec2-metadata-token-ttl-seconds" => "300" }`
			`).body`

			`{ "X-aws-ec2-metadata-token" => token }`
			`rescue Excon::Error`
			`nil`
			`end`
initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`end`

			`module ConnectionMethods`
			`def refresh_credentials_if_expired`
			`refresh_credentials if credentials_expired?`
			`end`

			`private`

			`def credentials_expired?`
			`@use_iam_profile &&`
			`(!@aws_credentials_expire_at \|\|`
			`(@aws_credentials_expire_at && Fog::Time.now > @aws_credentials_expire_at - 15)) #new credentials become available from around 5 minutes before expiration time`
			`end`

			`def refresh_credentials`
			`if @use_iam_profile`
Fixed credential refresh 2017-05-22 19:51:20 -04:00			`new_credentials = service.fetch_credentials :use_iam_profile => @use_iam_profile, :region => @region`
initial import * take the liberty of correcting Aws naming 2014-12-30 17:25:09 -05:00			`if new_credentials.any?`
			`setup_credentials new_credentials`
			`return true`
			`else`
			`false`
			`end`
			`else`
			`false`
			`end`
			`end`
			`end`
			`end`
			`end`
			`end`