1
0
Fork 0
mirror of https://github.com/fog/fog-aws.git synced 2022-11-09 13:50:52 -05:00

Merge pull request #576 from jpac-run/support-role-with-web-identity

Add AssumeRoleWithWebIdentity to fetch_credentials
This commit is contained in:
Wesley Beary 2020-10-26 10:53:35 -05:00 committed by GitHub
commit a5e0b47c3c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 63 additions and 4 deletions

View file

@ -11,4 +11,4 @@ end
group :test do group :test do
gem "simplecov" gem "simplecov"
gem "codeclimate-test-reporter", "~> 1.0.0" gem "codeclimate-test-reporter", "~> 1.0.0"
end end

View file

@ -1,3 +1,5 @@
# frozen_string_literal: true
module Fog module Fog
module AWS module AWS
module CredentialFetcher module CredentialFetcher
@ -9,6 +11,8 @@ module Fog
CONTAINER_CREDENTIALS_HOST = "http://169.254.170.2" CONTAINER_CREDENTIALS_HOST = "http://169.254.170.2"
STS_GLOBAL_ENDPOINT = "https://sts.amazonaws.com"
module ServiceMethods module ServiceMethods
def fetch_credentials(options) def fetch_credentials(options)
if options[:use_iam_profile] && Fog.mocking? if options[:use_iam_profile] && Fog.mocking?
@ -23,6 +27,30 @@ module Fog
connection = options[:connection] || Excon.new(CONTAINER_CREDENTIALS_HOST) connection = options[:connection] || Excon.new(CONTAINER_CREDENTIALS_HOST)
credential_path = options[:credential_path] || ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"] credential_path = options[:credential_path] || ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
role_data = connection.get(:path => credential_path, :idempotent => true, :expects => 200).body role_data = connection.get(:path => credential_path, :idempotent => true, :expects => 200).body
session = Fog::JSON.decode(role_data)
if region.nil?
connection = options[:metadata_connection] || Excon.new(INSTANCE_METADATA_HOST)
token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])
region = connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]
end
elsif ENV["AWS_WEB_IDENTITY_TOKEN_FILE"]
params = {
:Action => "AssumeRoleWithWebIdentity",
:RoleArn => options[:role_arn] || ENV.fetch("AWS_ROLE_ARN"),
:RoleSessionName => options[:role_session_name] || ENV.fetch("AWS_ROLE_SESSION_NAME"),
:WebIdentityToken => File.read(options[:aws_web_identity_token_file] || ENV.fetch("AWS_WEB_IDENTITY_TOKEN_FILE")),
:Version => "2011-06-15",
}
connection = options[:connection] || Excon.new(STS_GLOBAL_ENDPOINT, :query => params)
document = Nokogiri::XML(connection.get(:idempotent => true, :expects => 200).body)
session = {
"AccessKeyId" => document.css("AccessKeyId").children.text,
"SecretAccessKey" => document.css("SecretAccessKey").children.text,
"Token" => document.css("SessionToken").children.text,
"Expiration" => document.css("Expiration").children.text,
}
if region.nil? if region.nil?
connection = options[:metadata_connection] || Excon.new(INSTANCE_METADATA_HOST) connection = options[:metadata_connection] || Excon.new(INSTANCE_METADATA_HOST)
@ -34,16 +62,17 @@ module Fog
token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2]) token_header = fetch_credentials_token_header(connection, options[:disable_imds_v2])
role_name = connection.get(:path => INSTANCE_METADATA_PATH, :idempotent => true, :expects => 200, :headers => token_header).body role_name = connection.get(:path => INSTANCE_METADATA_PATH, :idempotent => true, :expects => 200, :headers => token_header).body
role_data = connection.get(:path => INSTANCE_METADATA_PATH+role_name, :idempotent => true, :expects => 200, :headers => token_header).body role_data = connection.get(:path => INSTANCE_METADATA_PATH+role_name, :idempotent => true, :expects => 200, :headers => token_header).body
session = Fog::JSON.decode(role_data)
region ||= connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2] region ||= connection.get(:path => INSTANCE_METADATA_AZ, :idempotent => true, :expects => 200, :headers => token_header).body[0..-2]
end end
session = Fog::JSON.decode(role_data)
credentials = {} credentials = {}
credentials[:aws_access_key_id] = session['AccessKeyId'] credentials[:aws_access_key_id] = session['AccessKeyId']
credentials[:aws_secret_access_key] = session['SecretAccessKey'] credentials[:aws_secret_access_key] = session['SecretAccessKey']
credentials[:aws_session_token] = session['Token'] credentials[:aws_session_token] = session['Token']
credentials[:aws_credentials_expire_at] = Time.xmlschema session['Expiration'] credentials[:aws_credentials_expire_at] = Time.xmlschema session['Expiration']
# set region by default to the one the instance is in. # set region by default to the one the instance is in.
credentials[:region] = region credentials[:region] = region
#these indicate the metadata service is unavailable or has no profile setup #these indicate the metadata service is unavailable or has no profile setup

View file

@ -60,6 +60,35 @@ Shindo.tests('AWS | credentials', ['aws']) do
ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = nil ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = nil
ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = File.dirname(__FILE__) + '/lorem.txt'
ENV['AWS_ROLE_ARN'] = "dummyrole"
ENV['AWS_ROLE_SESSION_NAME'] = "dummyrolesessionname"
document =
'<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'\
'<AssumeRoleWithWebIdentityResult>'\
'<Credentials>'\
'<SessionToken>dummytoken</SessionToken>'\
'<SecretAccessKey>dummysecret</SecretAccessKey>'\
"<Expiration>#{expires_at.xmlschema}</Expiration>"\
'<AccessKeyId>dummykey</AccessKeyId>'\
'</Credentials>'\
'</AssumeRoleWithWebIdentityResult>'\
'</AssumeRoleWithWebIdentityResponse>'
Excon.stub({method: :get, path: "/", idempotent: true}, { status: 200, body: document})
tests('#fetch_credentials token based') do
returns(
aws_access_key_id: 'dummykey',
aws_secret_access_key: 'dummysecret',
aws_session_token: 'dummytoken',
region: 'us-west-1',
aws_credentials_expire_at: expires_at
) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
end
ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = nil
compute = Fog::AWS::Compute.new(use_iam_profile: true) compute = Fog::AWS::Compute.new(use_iam_profile: true)
tests('#refresh_credentials_if_expired') do tests('#refresh_credentials_if_expired') do
@ -100,6 +129,7 @@ Shindo.tests('AWS | credentials', ['aws']) do
end end
ensure ensure
ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = nil ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = nil
ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = nil
Excon.stubs.clear Excon.stubs.clear
Excon.defaults[:mock] = old_mock_value Excon.defaults[:mock] = old_mock_value
Fog.mock! if fog_was_mocked Fog.mock! if fog_was_mocked