mirror of
https://github.com/fog/fog-aws.git
synced 2022-11-09 13:50:52 -05:00
Merge pull request #576 from jpac-run/support-role-with-web-identity
Add AssumeRoleWithWebIdentity to fetch_credentials
This commit is contained in:
commit
a5e0b47c3c
3 changed files with 63 additions and 4 deletions
2
Gemfile
2
Gemfile
|
@ -11,4 +11,4 @@ end
|
|||
group :test do
|
||||
gem "simplecov"
|
||||
gem "codeclimate-test-reporter", "~> 1.0.0"
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Fog
|
||||
module AWS
|
||||
module CredentialFetcher
|
||||
|
@ -9,6 +11,8 @@ module Fog
|
|||
|
||||
CONTAINER_CREDENTIALS_HOST = "http://169.254.170.2"
|
||||
|
||||
STS_GLOBAL_ENDPOINT = "https://sts.amazonaws.com"
|
||||
|
||||
module ServiceMethods
|
||||
def fetch_credentials(options)
|
||||
if options[:use_iam_profile] && Fog.mocking?
|
||||
|
@ -23,6 +27,30 @@ module Fog
|
|||
connection = options[:connection] || Excon.new(CONTAINER_CREDENTIALS_HOST)
|
||||
credential_path = options[:credential_path] || ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
|
||||
role_data = connection.get(:path => credential_path, :idempotent => true, :expects => 200).body
|
||||
session = Fog::JSON.decode(role_data)
|
||||
|
||||
if region.nil?
|
||||
connection = options[:metadata_connection] || Excon.new(INSTANCE_METADATA_HOST)
|
||||
token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])
|
||||
region = connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]
|
||||
end
|
||||
elsif ENV["AWS_WEB_IDENTITY_TOKEN_FILE"]
|
||||
params = {
|
||||
:Action => "AssumeRoleWithWebIdentity",
|
||||
:RoleArn => options[:role_arn] || ENV.fetch("AWS_ROLE_ARN"),
|
||||
:RoleSessionName => options[:role_session_name] || ENV.fetch("AWS_ROLE_SESSION_NAME"),
|
||||
:WebIdentityToken => File.read(options[:aws_web_identity_token_file] || ENV.fetch("AWS_WEB_IDENTITY_TOKEN_FILE")),
|
||||
:Version => "2011-06-15",
|
||||
}
|
||||
connection = options[:connection] || Excon.new(STS_GLOBAL_ENDPOINT, :query => params)
|
||||
document = Nokogiri::XML(connection.get(:idempotent => true, :expects => 200).body)
|
||||
|
||||
session = {
|
||||
"AccessKeyId" => document.css("AccessKeyId").children.text,
|
||||
"SecretAccessKey" => document.css("SecretAccessKey").children.text,
|
||||
"Token" => document.css("SessionToken").children.text,
|
||||
"Expiration" => document.css("Expiration").children.text,
|
||||
}
|
||||
|
||||
if region.nil?
|
||||
connection = options[:metadata_connection] || Excon.new(INSTANCE_METADATA_HOST)
|
||||
|
@ -34,16 +62,17 @@ module Fog
|
|||
token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])
|
||||
role_name = connection.get(:path => INSTANCE_METADATA_PATH, :idempotent => true, :expects => 200, :headers => token_header).body
|
||||
role_data = connection.get(:path => INSTANCE_METADATA_PATH+role_name, :idempotent => true, :expects => 200, :headers => token_header).body
|
||||
session = Fog::JSON.decode(role_data)
|
||||
|
||||
region ||= connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]
|
||||
end
|
||||
|
||||
session = Fog::JSON.decode(role_data)
|
||||
|
||||
credentials = {}
|
||||
credentials[:aws_access_key_id] = session['AccessKeyId']
|
||||
credentials[:aws_secret_access_key] = session['SecretAccessKey']
|
||||
credentials[:aws_session_token] = session['Token']
|
||||
credentials[:aws_credentials_expire_at] = Time.xmlschema session['Expiration']
|
||||
|
||||
|
||||
# set region by default to the one the instance is in.
|
||||
credentials[:region] = region
|
||||
#these indicate the metadata service is unavailable or has no profile setup
|
||||
|
|
|
@ -60,6 +60,35 @@ Shindo.tests('AWS | credentials', ['aws']) do
|
|||
|
||||
ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = nil
|
||||
|
||||
ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = File.dirname(__FILE__) + '/lorem.txt'
|
||||
ENV['AWS_ROLE_ARN'] = "dummyrole"
|
||||
ENV['AWS_ROLE_SESSION_NAME'] = "dummyrolesessionname"
|
||||
document =
|
||||
'<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'\
|
||||
'<AssumeRoleWithWebIdentityResult>'\
|
||||
'<Credentials>'\
|
||||
'<SessionToken>dummytoken</SessionToken>'\
|
||||
'<SecretAccessKey>dummysecret</SecretAccessKey>'\
|
||||
"<Expiration>#{expires_at.xmlschema}</Expiration>"\
|
||||
'<AccessKeyId>dummykey</AccessKeyId>'\
|
||||
'</Credentials>'\
|
||||
'</AssumeRoleWithWebIdentityResult>'\
|
||||
'</AssumeRoleWithWebIdentityResponse>'
|
||||
|
||||
Excon.stub({method: :get, path: "/", idempotent: true}, { status: 200, body: document})
|
||||
|
||||
tests('#fetch_credentials token based') do
|
||||
returns(
|
||||
aws_access_key_id: 'dummykey',
|
||||
aws_secret_access_key: 'dummysecret',
|
||||
aws_session_token: 'dummytoken',
|
||||
region: 'us-west-1',
|
||||
aws_credentials_expire_at: expires_at
|
||||
) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
|
||||
end
|
||||
|
||||
ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = nil
|
||||
|
||||
compute = Fog::AWS::Compute.new(use_iam_profile: true)
|
||||
|
||||
tests('#refresh_credentials_if_expired') do
|
||||
|
@ -100,6 +129,7 @@ Shindo.tests('AWS | credentials', ['aws']) do
|
|||
end
|
||||
ensure
|
||||
ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = nil
|
||||
ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = nil
|
||||
Excon.stubs.clear
|
||||
Excon.defaults[:mock] = old_mock_value
|
||||
Fog.mock! if fog_was_mocked
|
||||
|
|
Loading…
Reference in a new issue