Merge pull request #8859 from rouault/fix_8858

/vsis3/: takes into account AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable (fixes #8858)
OSGeo · Nov 29, 2023 · 9c49e53 · 9c49e53
2 parents 284c063 + 659db3f
commit 9c49e53
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 3 deletions.
diff --git a/autotest/gcore/vsis3.py b/autotest/gcore/vsis3.py
@@ -73,6 +73,8 @@ def open_for_read(uri):
     "AWS_DEFAULT_REGION": "us-east-1",
     "AWS_DEFAULT_PROFILE": "",
     "AWS_PROFILE": "default",
+    "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "",
+    "AWS_CONTAINER_CREDENTIALS_FULL_URI": "",
 }
 
 
@@ -5024,6 +5026,55 @@ def test_vsis3_read_credentials_ec2_expiration(aws_test_config, webserver_port):
         assert f is None
 
 
+###############################################################################
+# Read credentials from simulated instance with AWS_CONTAINER_CREDENTIALS_FULL_URI
+
+
+@pytest.mark.skipif(sys.platform not in ("linux", "win32"), reason="Incorrect platform")
+def test_vsis3_read_credentials_AWS_CONTAINER_CREDENTIALS_FULL_URI(
+    aws_test_config, webserver_port
+):
+    options = {
+        "CPL_AWS_CREDENTIALS_FILE": "",
+        "AWS_CONFIG_FILE": "",
+        "AWS_SECRET_ACCESS_KEY": "",
+        "AWS_ACCESS_KEY_ID": "",
+        # Disable hypervisor related check to test if we are really on EC2
+        "CPL_AWS_AUTODETECT_EC2": "NO",
+        "CPL_AWS_WEB_IDENTITY_ENABLE": "NO",
+        "AWS_CONTAINER_CREDENTIALS_FULL_URI": f"http://localhost:{webserver_port}/AWS_CONTAINER_CREDENTIALS_FULL_URI",
+    }
+
+    gdal.VSICurlClearCache()
+
+    handler = webserver.SequentialHandler()
+    handler.add(
+        "GET",
+        "/AWS_CONTAINER_CREDENTIALS_FULL_URI",
+        200,
+        {},
+        """{
+        "AccessKeyId": "AWS_ACCESS_KEY_ID",
+        "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
+        "Expiration": "3000-01-01T00:00:00Z"
+        }""",
+    )
+
+    handler.add(
+        "GET",
+        "/s3_fake_bucket/resource",
+        custom_method=get_s3_fake_bucket_resource_method,
+    )
+    with webserver.install_http_handler(handler):
+        with gdaltest.config_options(options, thread_local=False):
+            f = open_for_read("/vsis3/s3_fake_bucket/resource")
+        assert f is not None
+        data = gdal.VSIFReadL(1, 4, f).decode("ascii")
+        gdal.VSIFCloseL(f)
+
+    assert data == "foo"
+
+
 ###############################################################################
 # Read credentials from an assumed role
 

diff --git a/port/cpl_aws.cpp b/port/cpl_aws.cpp
@@ -838,10 +838,21 @@ bool VSIS3HandleHelper::GetConfigurationFromEC2(
     const CPLString osEC2RootURL(VSIGetPathSpecificOption(
         osPathForOption.c_str(), "CPL_AWS_EC2_API_ROOT_URL", osEC2DefaultURL));
     // coverity[tainted_data]
-    const CPLString osECSRelativeURI(VSIGetPathSpecificOption(
-        osPathForOption.c_str(), "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", ""));
+    const CPLString osECSFullURI(VSIGetPathSpecificOption(
+        osPathForOption.c_str(), "AWS_CONTAINER_CREDENTIALS_FULL_URI", ""));
+    // coverity[tainted_data]
+    const CPLString osECSRelativeURI(
+        osECSFullURI.empty() ? VSIGetPathSpecificOption(
+                                   osPathForOption.c_str(),
+                                   "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "")
+                             : std::string());
     CPLString osToken;
-    if (osEC2RootURL == osEC2DefaultURL && !osECSRelativeURI.empty())
+    if (!osECSFullURI.empty())
+    {
+        // Cf https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
+        osURLRefreshCredentials = osECSFullURI;
+    }
+    else if (osEC2RootURL == osEC2DefaultURL && !osECSRelativeURI.empty())
     {
         // See
         // https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html