Emulate Boto when using role metadata

Use the behavior established in the botocore python library to inform
how and when instance metadata is fetched in an attempt to acquire valid
AWS credentials.

- Use it as a fallback when no other credentials are provided
- Set the timeout of metadata requests to 1 second
Mal Graty 2018-02-20 00:34:55 +00:00
parent 48eaa0e5bf
commit 693627a858
1 changed files with 14 additions and 13 deletions


@ -20,12 +20,13 @@ dns_aws_add() {
fulldomain=$1
txtvalue=$2
if [ -n "${AWS_USE_INSTANCE_ROLE:=$(_readaccountconf_mutable AWS_USE_INSTANCE_ROLE)}" ]; then
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
_use_instance_role
fi
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
AWS_ACCESS_KEY_ID=""
AWS_SECRET_ACCESS_KEY=""
@ -34,10 +35,8 @@ dns_aws_add() {
return 1
fi
#save for future use
if [ -n "$AWS_USE_INSTANCE_ROLE" ]; then
_saveaccountconf_mutable AWS_USE_INSTANCE_ROLE "$AWS_USE_INSTANCE_ROLE"
else
#save for future use, unless using a role which will be fetched as needed
if [ -z "$_using_instance_role" ]; then
_saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
_saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
fi
@ -85,12 +84,13 @@ dns_aws_rm() {
fulldomain=$1
txtvalue=$2
if [ -n "${AWS_USE_INSTANCE_ROLE:=$(_readaccountconf_mutable AWS_USE_INSTANCE_ROLE)}" ]; then
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
_use_instance_role
fi
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
_debug "First detect the root zone"
if ! _get_root "$fulldomain"; then
_err "invalid domain"
@ -176,14 +176,14 @@ _get_root() {
}
_use_instance_role() {
if ! _get "$AWS_METADATA_URL/iam/security-credentials/" true | _head_n 1 | grep -Fq 200; then
if ! _get "$AWS_METADATA_URL/iam/security-credentials/" true 1 | _head_n 1 | grep -Fq 200; then
_err "Unable to fetch IAM role from AWS instance metadata."
return
fi
_aws_role=$(_get "$AWS_METADATA_URL/iam/security-credentials/")
_aws_role=$(_get "$AWS_METADATA_URL/iam/security-credentials/" "" 1)
_debug "_aws_role" "$_aws_role"
_aws_creds="$(
_get "$AWS_METADATA_URL/iam/security-credentials/$_aws_role" \
_get "$AWS_METADATA_URL/iam/security-credentials/$_aws_role" "" 1 \
| _normalizeJson \
| tr '{,}' '\n' \
| while read -r _line; do
@ -201,6 +201,7 @@ _use_instance_role() {
)"
_secure_debug "_aws_creds" "$_aws_creds"
eval "$_aws_creds"
_using_instance_role=true
}
#method uri qstr data
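Review bot: In the dns_aws_rm hunk the fallback to `_use_instance_role` is followed by re-reading AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, but unlike dns_aws_add there is no check that either is non-empty before `_get_root` and the signed request run, so a metadata timeout or missing role leaves both empty and the removal proceeds with blank credentials. The caller cannot detect this from the return value either: `_use_instance_role` ends its failure path with a bare `return` after `_err`, and in the last hunk a failed `_get` inside the `_aws_creds` pipeline is absorbed by the `while read` stage, after which `_using_instance_role=true` is still set. Mirror the guard dns_aws_add uses after the second re-read, e.g. `if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then _err "<no credentials available — placeholder message>"; return 1; fi`, and consider `return 1` on the early-exit path of `_use_instance_role` so callers can rely on its status. The function bodies of dns_aws_add and dns_aws_rm continue outside these hunks.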