From fe4dc656657288125addc6b3be2f629376881075 Mon Sep 17 00:00:00 2001
From: Sidhartha Mani
Date: Thu, 4 Aug 2022 00:51:32 -0700
Subject: [PATCH] Do not ignore error when Instance Metadata service doesn't exist (#1682)

---
 pkg/credentials/iam_aws.go | 5 ++++-
 pkg/credentials/iam_aws_test.go | 34 ++++++++++----------------------
 2 files changed, 14 insertions(+), 25 deletions(-)

diff --git a/pkg/credentials/iam_aws.go b/pkg/credentials/iam_aws.go
index f7a4af4a2..14369cf10 100644
--- a/pkg/credentials/iam_aws.go
+++ b/pkg/credentials/iam_aws.go
@@ -289,7 +289,10 @@ func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody,
 	}
 
 	// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
-	token, _ := fetchIMDSToken(client, endpoint)
+	token, err := fetchIMDSToken(client, endpoint)
+	if err != nil {
+		return ec2RoleCredRespBody{}, err
+	}
 
 	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
 	u, err := getIAMRoleURL(endpoint)
diff --git a/pkg/credentials/iam_aws_test.go b/pkg/credentials/iam_aws_test.go
index 9092c01b7..8f68deb24 100644
--- a/pkg/credentials/iam_aws_test.go
+++ b/pkg/credentials/iam_aws_test.go
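Review bot: The error from fetchIMDSToken is returned bare on the new `return ec2RoleCredRespBody{}, err` line, so a caller seeing the failure cannot tell the token request apart from the role-URL and credential requests that follow in the same function; wrapping it, e.g. `return ec2RoleCredRespBody{}, fmt.Errorf("fetching IMDS token from %q: %w", endpoint, err)` (assuming fmt is already imported in this file), keeps the cause while naming the stage. The change also turns what appears to have been a silent IMDSv1 fallback — the removed line discarded the error and execution continued with an empty token — into a fail-closed path, which is the safer direction but deserves a comment above the call such as `// The IMDSv2 token is mandatory: a failed token request aborts credential lookup instead of silently falling back to IMDSv1.` Whether an endpoint that rejects the token request now fails outright depends on what fetchIMDSToken returns in that case, which is outside the hunk. getCredentials starts and ends outside the hunk.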
@@ -89,26 +89,8 @@ func initTestServerNoRoles() *httptest.Server {
 	return server
 }
 
-func initTestServer(expireOn string, failAssume bool) *httptest.Server {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path == "/latest/meta-data/iam/security-credentials/" {
-			fmt.Fprintln(w, "RoleName")
-		} else if r.URL.Path == "/latest/meta-data/iam/security-credentials/RoleName" {
-			if failAssume {
-				fmt.Fprint(w, credsFailRespTmpl)
-			} else {
-				fmt.Fprintf(w, credsRespTmpl, expireOn)
-			}
-		} else {
-			http.Error(w, "bad request", http.StatusBadRequest)
-		}
-	}))
-
-	return server
-}
-
 // Instance Metadata Service with V1 disabled.
-func initIMDSv2Server(expireOn string) *httptest.Server {
+func initIMDSv2Server(expireOn string, failAssume bool) *httptest.Server {
 	imdsToken := "IMDSTokenabc123=="
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		fmt.Println(r.URL.Path)
@@ -133,7 +115,11 @@ func initIMDSv2Server(expireOn string) *httptest.Server {
 		if r.URL.Path == "/latest/meta-data/iam/security-credentials/" {
 			fmt.Fprintln(w, "RoleName")
 		} else if r.URL.Path == "/latest/meta-data/iam/security-credentials/RoleName" {
-			fmt.Fprintf(w, credsRespTmpl, expireOn)
+			if failAssume {
+				fmt.Fprint(w, credsFailRespTmpl)
+			} else {
+				fmt.Fprintf(w, credsRespTmpl, expireOn)
+			}
 		} else {
 			http.Error(w, "bad request", http.StatusBadRequest)
 		}
@@ -203,7 +189,7 @@ func TestIAMNoRoles(t *testing.T) {
 }
 
 func TestIAM(t *testing.T) {
-	server := initTestServer("2014-12-16T01:51:37Z", false)
+	server := initIMDSv2Server("2014-12-16T01:51:37Z", false)
 	defer server.Close()
 
 	p := &IAM{
@@ -234,7 +220,7 @@ func TestIAM(t *testing.T) {
 }
 
 func TestIAMFailAssume(t *testing.T) {
-	server := initTestServer("2014-12-16T01:51:37Z", true)
+	server := initIMDSv2Server("2014-12-16T01:51:37Z", true)
 	defer server.Close()
 
 	p := &IAM{
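Review bot: initIMDSv2Server gains a failAssume parameter on the changed signature line, but the doc comment kept above it still reads `// Instance Metadata Service with V1 disabled.` and says nothing about what the flag does; since this helper now stands in for the removed initTestServer in every test, the comment should cover both modes, e.g. `// initIMDSv2Server serves a fake Instance Metadata Service with IMDSv1 disabled; when failAssume is set the role-credentials endpoint answers with credsFailRespTmpl instead of credsRespTmpl filled with expireOn.` The flag's behaviour is implemented in the next hunk (@@ -133,7 +115,11 @@), so the same comment covers it. The context line `fmt.Println(r.URL.Path)` inside the handler is pre-existing debug output on every request; dropping it while this function is being reworked would keep test output quiet. initIMDSv2Server's body continues past the hunk.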
@@ -252,7 +238,7 @@ func TestIAMFailAssume(t *testing.T) {
 }
 
 func TestIAMIsExpired(t *testing.T) {
-	server := initTestServer("2014-12-16T01:51:37Z", false)
+	server := initIMDSv2Server("2014-12-16T01:51:37Z", false)
 	defer server.Close()
 
 	p := &IAM{
@@ -429,7 +415,7 @@ func TestStsCn(t *testing.T) {
 }
 
 func TestIMDSv1Blocked(t *testing.T) {
-	server := initIMDSv2Server("2014-12-16T01:51:37Z")
+	server := initIMDSv2Server("2014-12-16T01:51:37Z", false)
 	p := &IAM{
 		Client: http.DefaultClient,
 		Endpoint: server.URL,
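Review bot: TestIMDSv1Blocked starts a server on the changed `server := initIMDSv2Server("2014-12-16T01:51:37Z", false)` line but, unlike TestIAM, TestIAMFailAssume and TestIAMIsExpired in the sibling hunks, no `defer server.Close()` sits between it and `p := &IAM{`; unless the server is closed further down outside the hunk, the listener stays open for the rest of the test binary. Adding `defer server.Close()` directly after the call would match the other tests. TestIMDSv1Blocked continues outside the hunk.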