Merge pull request docker-archive-public#3799 from mrburrito/aws-iam-roles

nathanleclaire · web-flow · commit f1fa9c487ba9 · 2016-10-31T09:42:53.000-07:00
Update AWS Credentials lookup to use AWS default provider chain.
diff --git a/drivers/amazonec2/amazonec2.go b/drivers/amazonec2/amazonec2.go
@@ -51,23 +51,22 @@ var (
 	dockerPort                           = 2376
 	swarmPort                            = 3376
 	errorNoPrivateSSHKey                 = errors.New("using --amazonec2-keypair-name also requires --amazonec2-ssh-keypath")
-	errorMissingAccessKeyOption          = errors.New("amazonec2 driver requires the --amazonec2-access-key option or proper credentials in ~/.aws/credentials")
-	errorMissingSecretKeyOption          = errors.New("amazonec2 driver requires the --amazonec2-secret-key option or proper credentials in ~/.aws/credentials")
+	errorMissingCredentials              = errors.New("amazonec2 driver requires AWS credentials configured with the --amazonec2-access-key and --amazonec2-secret-key options, environment variables, ~/.aws/credentials, or an instance role")
 	errorNoVPCIdFound                    = errors.New("amazonec2 driver requires either the --amazonec2-subnet-id or --amazonec2-vpc-id option or an AWS Account with a default vpc-id")
 	errorDisableSSLWithoutCustomEndpoint = errors.New("using --amazonec2-insecure-transport also requires --amazonec2-endpoint")
 )
 
 type Driver struct {
 	*drivers.BaseDriver
-	clientFactory  func() Ec2Client
-	awsCredentials awsCredentials
-	Id             string
-	AccessKey      string
-	SecretKey      string
-	SessionToken   string
-	Region         string
-	AMI            string
-	SSHKeyID       int
+	clientFactory         func() Ec2Client
+	awsCredentialsFactory func() awsCredentials
+	Id                    string
+	AccessKey             string
+	SecretKey             string
+	SessionToken          string
+	Region                string
+	AMI                   string
+	SSHKeyID              int
 	// ExistingKey keeps track of whether the key was created by us or we used an existing one. If an existing one was used, we shouldn't delete it when the machine is deleted.
 	ExistingKey      bool
 	KeyName          string
@@ -281,10 +280,10 @@ func NewDriver(hostName, storePath string) *Driver {
 			MachineName: hostName,
 			StorePath:   storePath,
 		},
-		awsCredentials: &defaultAWSCredentials{},
 	}
 
 	driver.clientFactory = driver.buildClient
+	driver.awsCredentialsFactory = driver.buildCredentials
 
 	return driver
 }
@@ -293,7 +292,7 @@ func (d *Driver) buildClient() Ec2Client {
 	config := aws.NewConfig()
 	alogger := AwsLogger()
 	config = config.WithRegion(d.Region)
-	config = config.WithCredentials(d.awsCredentials.NewStaticCredentials(d.AccessKey, d.SecretKey, d.SessionToken))
+	config = config.WithCredentials(d.awsCredentialsFactory().Credentials())
 	config = config.WithLogger(alogger)
 	config = config.WithLogLevel(aws.LogDebugWithHTTPBody)
 	config = config.WithMaxRetries(d.RetryCount)
@@ -304,6 +303,10 @@ func (d *Driver) buildClient() Ec2Client {
 	return ec2.New(session.New(config))
 }
 
+func (d *Driver) buildCredentials() awsCredentials {
+	return NewAWSCredentials(d.AccessKey, d.SecretKey, d.SessionToken)
+}
+
 func (d *Driver) getClient() Ec2Client {
 	return d.clientFactory()
 }
@@ -363,24 +366,9 @@ func (d *Driver) SetConfigFromFlags(flags drivers.DriverOptions) error {
 		return errorNoPrivateSSHKey
 	}
 
-	if d.AccessKey == "" && d.SecretKey == "" {
-		credentials, err := d.awsCredentials.NewSharedCredentials("", "").Get()
-		if err != nil {
-			log.Debug("Could not load credentials from ~/.aws/credentials")
-		} else {
-			log.Debug("Successfully loaded credentials from ~/.aws/credentials")
-			d.AccessKey = credentials.AccessKeyID
-			d.SecretKey = credentials.SecretAccessKey
-			d.SessionToken = credentials.SessionToken
-		}
-	}
-
-	if d.AccessKey == "" {
-		return errorMissingAccessKeyOption
-	}
-
-	if d.SecretKey == "" {
-		return errorMissingSecretKeyOption
+	_, err = d.awsCredentialsFactory().Credentials().Get()
+	if err != nil {
+		return errorMissingCredentials
 	}
 
 	if d.VpcId == "" {
diff --git a/drivers/amazonec2/amazonec2_test.go b/drivers/amazonec2/amazonec2_test.go
@@ -165,7 +165,9 @@ func TestValidateAwsRegionInvalid(t *testing.T) {
 
 func TestFindDefaultVPC(t *testing.T) {
 	driver := NewDriver("machineFoo", "path")
-	driver.clientFactory = func() Ec2Client { return &fakeEC2WithLogin{} }
+	driver.clientFactory = func() Ec2Client {
+		return &fakeEC2WithLogin{}
+	}
 
 	vpc, err := driver.getDefaultVPCId()
 
@@ -191,7 +193,7 @@ func TestDefaultVPCIsMissing(t *testing.T) {
 
 func TestGetRegionZoneForDefaultEndpoint(t *testing.T) {
 	driver := NewCustomTestDriver(&fakeEC2WithLogin{})
-	driver.awsCredentials = &fileCredentials{}
+	driver.awsCredentialsFactory = NewValidAwsCredentials
 	options := &commandstest.FakeFlagger{
 		Data: map[string]interface{}{
 			"name":             "test",
@@ -210,7 +212,7 @@ func TestGetRegionZoneForDefaultEndpoint(t *testing.T) {
 
 func TestGetRegionZoneForCustomEndpoint(t *testing.T) {
 	driver := NewCustomTestDriver(&fakeEC2WithLogin{})
-	driver.awsCredentials = &fileCredentials{}
+	driver.awsCredentialsFactory = NewValidAwsCredentials
 	options := &commandstest.FakeFlagger{
 		Data: map[string]interface{}{
 			"name":               "test",
@@ -242,9 +244,10 @@ func TestDescribeAccountAttributeFails(t *testing.T) {
 	assert.Empty(t, vpc)
 }
 
-func TestAccessKeyIsMandatory(t *testing.T) {
+func TestAwsCredentialsAreRequired(t *testing.T) {
 	driver := NewTestDriver()
-	driver.awsCredentials = &cliCredentials{}
+	driver.awsCredentialsFactory = NewErrorAwsCredentials
+
 	options := &commandstest.FakeFlagger{
 		Data: map[string]interface{}{
 			"name":             "test",
@@ -254,47 +257,12 @@ func TestAccessKeyIsMandatory(t *testing.T) {
 	}
 
 	err := driver.SetConfigFromFlags(options)
-
-	assert.Equal(t, err, errorMissingAccessKeyOption)
-}
-
-func TestAccessKeyIsMandatoryEvenIfSecretKeyIsPassed(t *testing.T) {
-	driver := NewTestDriver()
-	driver.awsCredentials = &cliCredentials{}
-	options := &commandstest.FakeFlagger{
-		Data: map[string]interface{}{
-			"name":                 "test",
-			"amazonec2-secret-key": "123",
-			"amazonec2-region":     "us-east-1",
-			"amazonec2-zone":       "e",
-		},
-	}
-
-	err := driver.SetConfigFromFlags(options)
-
-	assert.Equal(t, err, errorMissingAccessKeyOption)
-}
-
-func TestSecretKeyIsMandatory(t *testing.T) {
-	driver := NewTestDriver()
-	driver.awsCredentials = &cliCredentials{}
-	options := &commandstest.FakeFlagger{
-		Data: map[string]interface{}{
-			"name":                 "test",
-			"amazonec2-access-key": "foobar",
-			"amazonec2-region":     "us-east-1",
-			"amazonec2-zone":       "e",
-		},
-	}
-
-	err := driver.SetConfigFromFlags(options)
-
-	assert.Equal(t, err, errorMissingSecretKeyOption)
+	assert.Equal(t, err, errorMissingCredentials)
 }
 
-func TestLoadingFromCredentialsWorked(t *testing.T) {
+func TestValidAwsCredentialsAreAccepted(t *testing.T) {
 	driver := NewCustomTestDriver(&fakeEC2WithLogin{})
-	driver.awsCredentials = &fileCredentials{}
+	driver.awsCredentialsFactory = NewValidAwsCredentials
 	options := &commandstest.FakeFlagger{
 		Data: map[string]interface{}{
 			"name":             "test",
@@ -304,36 +272,12 @@ func TestLoadingFromCredentialsWorked(t *testing.T) {
 	}
 
 	err := driver.SetConfigFromFlags(options)
-
-	assert.NoError(t, err)
-	assert.Equal(t, "access", driver.AccessKey)
-	assert.Equal(t, "secret", driver.SecretKey)
-	assert.Equal(t, "token", driver.SessionToken)
-}
-
-func TestPassingBothCLIArgWorked(t *testing.T) {
-	driver := NewCustomTestDriver(&fakeEC2WithLogin{})
-	driver.awsCredentials = &cliCredentials{}
-	options := &commandstest.FakeFlagger{
-		Data: map[string]interface{}{
-			"name":                 "test",
-			"amazonec2-access-key": "foobar",
-			"amazonec2-secret-key": "123",
-			"amazonec2-region":     "us-east-1",
-			"amazonec2-zone":       "e",
-		},
-	}
-
-	err := driver.SetConfigFromFlags(options)
-
 	assert.NoError(t, err)
-	assert.Equal(t, "foobar", driver.AccessKey)
-	assert.Equal(t, "123", driver.SecretKey)
 }
 
 func TestEndpointIsMandatoryWhenSSLDisabled(t *testing.T) {
 	driver := NewTestDriver()
-	driver.awsCredentials = &cliCredentials{}
+	driver.awsCredentialsFactory = NewValidAwsCredentials
 	options := &commandstest.FakeFlagger{
 		Data: map[string]interface{}{
 			"name":                         "test",
diff --git a/drivers/amazonec2/awscredentials.go b/drivers/amazonec2/awscredentials.go
@@ -1,19 +1,63 @@
 package amazonec2
 
-import "github.com/aws/aws-sdk-go/aws/credentials"
+import (
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/session"
+)
 
 type awsCredentials interface {
-	NewStaticCredentials(id, secret, token string) *credentials.Credentials
+	Credentials() *credentials.Credentials
+}
+
+type ProviderFactory interface {
+	NewStaticProvider(id, secret, token string) credentials.Provider
+}
+
+type defaultAWSCredentials struct {
+	AccessKey        string
+	SecretKey        string
+	SessionToken     string
+	providerFactory  ProviderFactory
+	fallbackProvider awsCredentials
+}
+
+func NewAWSCredentials(id, secret, token string) *defaultAWSCredentials {
+	creds := defaultAWSCredentials{
+		AccessKey:        id,
+		SecretKey:        secret,
+		SessionToken:     token,
+		fallbackProvider: &AwsDefaultCredentialsProvider{},
+		providerFactory:  &defaultProviderFactory{},
+	}
+	return &creds
+}
 
-	NewSharedCredentials(filename, profile string) *credentials.Credentials
+func (c *defaultAWSCredentials) Credentials() *credentials.Credentials {
+	providers := []credentials.Provider{}
+	if c.AccessKey != "" && c.SecretKey != "" {
+		providers = append(providers, c.providerFactory.NewStaticProvider(c.AccessKey, c.SecretKey, c.SessionToken))
+	}
+	if c.fallbackProvider != nil {
+		fallbackCreds, err := c.fallbackProvider.Credentials().Get()
+		if err == nil {
+			providers = append(providers, &credentials.StaticProvider{Value: fallbackCreds})
+		}
+	}
+	return credentials.NewChainCredentials(providers)
 }
 
-type defaultAWSCredentials struct{}
+type AwsDefaultCredentialsProvider struct{}
 
-func (c *defaultAWSCredentials) NewStaticCredentials(id, secret, token string) *credentials.Credentials {
-	return credentials.NewStaticCredentials(id, secret, token)
+func (c *AwsDefaultCredentialsProvider) Credentials() *credentials.Credentials {
+	return session.New().Config.Credentials
 }
 
-func (c *defaultAWSCredentials) NewSharedCredentials(filename, profile string) *credentials.Credentials {
-	return credentials.NewSharedCredentials(filename, profile)
+type defaultProviderFactory struct{}
+
+func (c *defaultProviderFactory) NewStaticProvider(id, secret, token string) credentials.Provider {
+	return &credentials.StaticProvider{Value: credentials.Value{
+		AccessKeyID:     id,
+		SecretAccessKey: secret,
+		SessionToken:    token,
+	}}
 }
diff --git a/drivers/amazonec2/awscredentials_test.go b/drivers/amazonec2/awscredentials_test.go
@@ -0,0 +1,100 @@
+package amazonec2
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestAccessKeyIsMandatoryWhenSystemCredentialsAreNotPresent(t *testing.T) {
+	awsCreds := NewAWSCredentials("", "", "")
+	awsCreds.fallbackProvider = nil
+
+	_, err := awsCreds.Credentials().Get()
+	assert.Error(t, err)
+}
+
+func TestAccessKeyIsMandatoryEvenIfSecretKeyIsPassedWhenSystemCredentialsAreNotPresent(t *testing.T) {
+	awsCreds := NewAWSCredentials("", "secret", "")
+	awsCreds.fallbackProvider = nil
+
+	_, err := awsCreds.Credentials().Get()
+	assert.Error(t, err)
+}
+
+func TestSecretKeyIsMandatoryWhenSystemCredentialsAreNotPresent(t *testing.T) {
+	awsCreds := NewAWSCredentials("access", "", "")
+	awsCreds.fallbackProvider = nil
+
+	_, err := awsCreds.Credentials().Get()
+	assert.Error(t, err)
+}
+
+func TestFallbackCredentialsAreLoadedWhenAccessKeyAndSecretKeyAreMissing(t *testing.T) {
+	awsCreds := NewAWSCredentials("", "", "")
+	awsCreds.fallbackProvider = &fallbackCredentials{}
+
+	creds, err := awsCreds.Credentials().Get()
+
+	assert.NoError(t, err)
+	assert.Equal(t, "fallback_access", creds.AccessKeyID)
+	assert.Equal(t, "fallback_secret", creds.SecretAccessKey)
+	assert.Equal(t, "fallback_token", creds.SessionToken)
+}
+
+func TestFallbackCredentialsAreLoadedWhenAccessKeyIsMissing(t *testing.T) {
+	awsCreds := NewAWSCredentials("", "secret", "")
+	awsCreds.fallbackProvider = &fallbackCredentials{}
+
+	creds, err := awsCreds.Credentials().Get()
+
+	assert.NoError(t, err)
+	assert.Equal(t, "fallback_access", creds.AccessKeyID)
+	assert.Equal(t, "fallback_secret", creds.SecretAccessKey)
+	assert.Equal(t, "fallback_token", creds.SessionToken)
+}
+
+func TestFallbackCredentialsAreLoadedWhenSecretKeyIsMissing(t *testing.T) {
+	awsCreds := NewAWSCredentials("access", "", "")
+	awsCreds.fallbackProvider = &fallbackCredentials{}
+
+	creds, err := awsCreds.Credentials().Get()
+
+	assert.NoError(t, err)
+	assert.Equal(t, "fallback_access", creds.AccessKeyID)
+	assert.Equal(t, "fallback_secret", creds.SecretAccessKey)
+	assert.Equal(t, "fallback_token", creds.SessionToken)
+}
+
+func TestOptionCredentialsAreLoadedWhenAccessKeyAndSecretKeyAreProvided(t *testing.T) {
+	awsCreds := NewAWSCredentials("access", "secret", "")
+	awsCreds.fallbackProvider = &fallbackCredentials{}
+
+	creds, err := awsCreds.Credentials().Get()
+
+	assert.NoError(t, err)
+	assert.Equal(t, "access", creds.AccessKeyID)
+	assert.Equal(t, "secret", creds.SecretAccessKey)
+	assert.Equal(t, "", creds.SessionToken)
+}
+
+func TestFallbackCredentialsAreLoadedIfStaticCredentialsGenerateError(t *testing.T) {
+	awsCreds := NewAWSCredentials("access", "secret", "token")
+	awsCreds.fallbackProvider = &fallbackCredentials{}
+	awsCreds.providerFactory = &errorCredentialsProvider{}
+
+	creds, err := awsCreds.Credentials().Get()
+
+	assert.NoError(t, err)
+	assert.Equal(t, "fallback_access", creds.AccessKeyID)
+	assert.Equal(t, "fallback_secret", creds.SecretAccessKey)
+	assert.Equal(t, "fallback_token", creds.SessionToken)
+}
+
+func TestErrorGeneratedWhenAllProvidersGenerateErrors(t *testing.T) {
+	awsCreds := NewAWSCredentials("access", "secret", "token")
+	awsCreds.fallbackProvider = &errorFallbackCredentials{}
+	awsCreds.providerFactory = &errorCredentialsProvider{}
+
+	_, err := awsCreds.Credentials().Get()
+	assert.Error(t, err)
+}
diff --git a/drivers/amazonec2/stub_test.go b/drivers/amazonec2/stub_test.go
