Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use default AWS credential handling under normal circumstances #218

Merged
merged 1 commit into from
Sep 1, 2020
Merged

Use default AWS credential handling under normal circumstances #218

merged 1 commit into from
Sep 1, 2020

Conversation

jbergknoff-rival
Copy link
Contributor

Fixes #191 (and #185, #157, #152, #22)

This PR changes go-getter to default to the AWS SDK's built in credential resolution. This makes it possible for go-getter to download from S3 using an assumed role (e.g. when setting environment variables AWS_SDK_LOAD_CONFIG=true AWS_PROFILE=..., go-getter will assume that role before attempting any operations). It should also add support for various other edge cases relating to AWS credentials.

The one case where go-getter will continue to construct its own credential chain is the one with an override for the instance metadata URL. I'm not familiar with the use case of overriding the instance metadata URL, so I left that code as it was.

I'd like to add a test to protect against regressions in assume-role behavior, but I'd appreciate some guidance there. I see the hardcoded read-only IAM access key/secret. Do those credentials also have the ability to assume some role?

jbergknoff-rival
jbergknoff-rival commented Oct 14, 2019
View reviewed changes
get_s3.go
@@ -213,7 +208,7 @@ func (g *S3Getter) getAWSConfig(region string, url *url.URL, creds *credentials.
conf.Region = aws.String(region)
}

return conf
return conf.WithCredentialsChainVerboseErrors(true)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just a useful configuration change to help debugging credentials issues.

Before:

Copying configuration from "s3::https://s3-us-west-2.amazonaws.com/..."...

Error: Failed to download module

Could not download module "root"
(-from-module="s3::https://s3-us-west-2.amazonaws.com/...":1)
source code from
"s3::https://s3-us-west-2.amazonaws.com/...
NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors

After:

Copying configuration from "s3::https://s3-us-west-2.amazonaws.com/..."...

Error: Failed to download module

Could not download module "root"
(-from-module="s3::https://s3-us-west-2.amazonaws.com/...":1)
source code from
"s3::https://s3-us-west-2.amazonaws.com/...":
NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: failed to find credentials in the
environment.
SharedCredsLoad: failed to load profile, <profile name>.
EC2RoleRequestError: no EC2 instance role found
caused by: RequestError: send request failed
caused by: Get
http://169.254.169.254/latest/meta-data/iam/security-credentials/: dial tcp
169.254.169.254:80: connect: no route to host

Copy link

@bashims bashims Jan 10, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me and obsoletes my patch. We will test it under ECS to make sure. Thanks!

Oops, that was Terraform 0.11 that does not have the correct version of the aws-go-sdk to get a creds under ECS, please pardon the confusion.

@hashicorp-cla
Copy link

hashicorp-cla commented Jul 11, 2020
edited
Loading

CLA assistant check
All committers have signed the CLA.

@NinaDenisova
Copy link

NinaDenisova commented Aug 3, 2020
edited
Loading

Hi @jbergknoff-rival I also ran into the issue of not being able to access s3 buckets when it belongs to an originalizational unit. I tested your PR and it does solve the issue for us as well. If I understand it correctly, the next step would be to sign the CLA so that the PR can be merged. I was wondering if you are planning to sign it in the near future.
Thank you!

@jbergknoff-rival
Copy link
Contributor Author

Oh, thanks for pointing that out, @NinaDenisova . I actually have signed the CLA, and when I visit https://cla.hashicorp.com/hashicorp/go-getter?pullRequest=218, it shows me

image

and the form at the bottom is grayed out, with my details filled in. Maybe there's a bug on the status check.

Either way, I don't think that was the primary blocker on this PR. It just hasn't received any attention from maintainers.

@NinaDenisova
Copy link

Thank you @jbergknoff-rival for the quick reply!
@hashicorp-cla Could you please clarify the status of CLA for this PR?
@hashicorp-cloud I was wondering if anybody has already checked this PR as it's been open for a while now. The changes are not extensive and enable letting AWS take care of credentials provider chain rather than creating the chain manually for the case when credentials are not supplied. This addresses a few issues stated in the PR description (Fixes #191 (and #185, #157, #152, #22)).
Thank you, everybody.

@jbergknoff-rival jbergknoff-rival mentioned this pull request Aug 7, 2020
Closed
@azr
Copy link
Contributor

azr commented Aug 31, 2020

Hello there, about the CLA; you need to make sure the email you signed the CLA with is the same as the email you have in your commit, otherwise we cannot merge this.

@jbergknoff-rival
Copy link
Contributor Author

Thanks for the clarification. Now I understand what's going on. At the time I signed the CLA, the email address of the commit was associated with this GitHub account. The company has since become defunct, and I disassociated this GitHub account from that email address (which is also defunct). If I get a chance, I'll try rewriting the commit history on the PR branch.

azr
azr approved these changes Aug 31, 2020
View reviewed changes
Copy link
Contributor

@azr azr left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ( just waiting for CLA )

@jbergknoff jbergknoff force-pushed the jbergknoff-aws-creds branch from c15ca05 to b464f67 Compare August 31, 2020 15:37
@jbergknoff
Copy link

👍 I rewrote the commit to use the appropriate email address and now the CLA check is there. I also rebased from the current master branch.

@azr
Copy link
Contributor

azr commented Sep 1, 2020

Awesome !

@azr azr merged commit 81f79b4 into hashicorp:master Sep 1, 2020
azr pushed a commit that referenced this pull request Sep 30, 2020
@jbergknoff-rival @azr
Use default AWS credential chain under normal circumstances (#218)
da52711
@apeeters
Copy link

apeeters commented Oct 1, 2020

How does this relate to / duplicates #261?

This was referenced Oct 30, 2020
Open
Closed
@nywilken nywilken mentioned this pull request Jun 6, 2022
Merged
@nywilken nywilken mentioned this pull request Nov 30, 2022
Merged
This was referenced Mar 16, 2023
Merged
Closed
@nywilken nywilken mentioned this pull request May 20, 2024
Merged
@nywilken nywilken mentioned this pull request Jun 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bashims bashims bashims left review comments

@azr azr azr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWS credentials not handled correctly
7 participants
@jbergknoff-rival @hashicorp-cla @NinaDenisova @azr @jbergknoff @apeeters @bashims