diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws/backend_test.go index 438de50f472f..23c81d43d6d5 100644 --- a/builtin/credential/aws/backend_test.go +++ b/builtin/credential/aws/backend_test.go @@ -958,18 +958,30 @@ func TestBackend_PathBlacklistRoleTag(t *testing.T) { } } -// This is an acceptance test. -// Requires the following env vars: -// TEST_AWS_EC2_PKCS7 -// TEST_AWS_EC2_AMI_ID -// TEST_AWS_EC2_ACCOUNT_ID -// TEST_AWS_EC2_IAM_ROLE_ARN -// -// If the test is not being run on an EC2 instance that has access to -// credentials using EC2RoleProvider, on top of the above vars, following -// needs to be set: -// TEST_AWS_SECRET_KEY -// TEST_AWS_ACCESS_KEY +/* This is an acceptance test. + Requires the following env vars: + TEST_AWS_EC2_PKCS7 + TEST_AWS_EC2_IDENTITY_DOCUMENT + TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG + TEST_AWS_EC2_AMI_ID + TEST_AWS_EC2_ACCOUNT_ID + TEST_AWS_EC2_IAM_ROLE_ARN + + If this is being run on an EC2 instance, you can set the environment vars using this bash snippet: + + export TEST_AWS_EC2_PKCS7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7) + export TEST_AWS_EC2_IDENTITY_DOCUMENT=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0) + export TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n') + export TEST_AWS_EC2_AMI_ID=$(curl -s http://169.254.169.254/latest/meta-data/ami-id) + export TEST_AWS_EC2_IAM_ROLE_ARN=$(aws iam get-role --role-name $(curl -q http://169.254.169.254/latest/meta-data/iam/security-credentials/ -S -s) --query Role.Arn --output text) + export TEST_AWS_EC2_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + + If the test is not being run on an EC2 instance that has access to + credentials using EC2RoleProvider, on top of the above vars, following + needs to be set: + TEST_AWS_SECRET_KEY + TEST_AWS_ACCESS_KEY +*/ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.T) { // This test case should be run only when certain env vars are set and // executed as an acceptance test. @@ -983,6 +995,16 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing. t.Fatalf("env var TEST_AWS_EC2_PKCS7 not set") } + identityDoc := os.Getenv("TEST_AWS_EC2_IDENTITY_DOCUMENT") + if identityDoc == "" { + t.Fatalf("env var TEST_AWS_EC2_IDENTITY_DOCUMENT not set") + } + + identityDocSig := os.Getenv("TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG") + if identityDocSig == "" { + t.Fatalf("env var TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG not set") + } + amiID := os.Getenv("TEST_AWS_EC2_AMI_ID") if amiID == "" { t.Fatalf("env var TEST_AWS_EC2_AMI_ID not set") @@ -1131,6 +1153,18 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing. t.Fatalf("bad: failed to login: resp:%#v\nerr:%v", resp, err) } + // Attempt to re-login with the identity signture + delete(loginInput, "pkcs7") + loginInput["identity"] = identityDoc + loginInput["signature"] = identityDocSig + resp, err = b.HandleRequest(context.Background(), loginRequest) + if err != nil { + t.Fatal(err) + } + if resp == nil || resp.Auth == nil || resp.IsError() { + t.Fatalf("bad: failed to login: resp:%#v\nerr:%v", resp, err) + } + // verify the presence of instance_id in the response object. instanceID := resp.Auth.Metadata["instance_id"] if instanceID == "" {