From b06f2fa4b870f1efe355f3f3f031b1cf0cab300d Mon Sep 17 00:00:00 2001
From: Ray Allan
Date: Fri, 26 Aug 2022 22:49:48 +0000
Subject: [PATCH] add configurable alternate credential profile
---
 README.md | 1 +
 .../providers/rotating_shared_credentials_provider.go | 11 ++++++++++-
 .../rotating_shared_credentials_provider_test.go | 9 +++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index be6d1e80ec8..b8a1433c8ca 100644
--- a/README.md
+++ b/README.md
@@ -184,6 +184,7 @@ additional details on each available environment variable.
 | `ECS_EXCLUDE_UNTRACKED_IMAGE` | `alpine:latest` | Comma seperated list of `imageName:tag` of images that should not be deleted by the ECS agent if `ECS_ENABLE_UNTRACKED_IMAGE_CLEANUP` is enabled. | | |
 | `ECS_DISABLE_DOCKER_HEALTH_CHECK` | `false` | Whether to disable the Docker Container health check for the ECS Agent. | `false` | `false` |
 | `ECS_NVIDIA_RUNTIME` | nvidia | The Nvidia Runtime to be used to pass Nvidia GPU devices to containers. | nvidia | Not Applicable |
+| `ECS_ALTERNATE_CREDENTIAL_PROFILE` | default | An alternate credential role/profile name. | default | default |
 | `ECS_ENABLE_SPOT_INSTANCE_DRAINING` | `true` | Whether to enable Spot Instance draining for the container instance. If true, if the container instance receives a [spot interruption notice](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-interruptions.html), agent will set the instance's status to [DRAINING](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-instance-draining.html), which gracefully shuts down and replaces all tasks running on the instance that are part of a service. It is recommended that this be set to `true` when using spot instances. | `false` | `false` |
 | `ECS_LOG_ROLLOVER_TYPE` | `size` | `hourly` | Determines whether the container agent logfile will be rotated based on size or hourly. By default, the agent logfile is rotated each hour. | `hourly` | `hourly` |
 | `ECS_LOG_OUTPUT_FORMAT` | `logfmt` | `json` | Determines the log output format. When the json format is used, each line in the log would be a structured JSON map. | `logfmt` | `logfmt` |
diff --git a/agent/credentials/providers/rotating_shared_credentials_provider.go b/agent/credentials/providers/rotating_shared_credentials_provider.go
index bc829781950..a0c0a269c1f 100644
--- a/agent/credentials/providers/rotating_shared_credentials_provider.go
+++ b/agent/credentials/providers/rotating_shared_credentials_provider.go
@@ -15,6 +15,7 @@ package providers
 import (
 	"fmt"
+	"os"
 	"time"
 	"github.com/aws/aws-sdk-go/aws/credentials"
@@ -22,6 +23,8 @@ import (
 )
 const (
+	ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR = "ECS_ALTERNATE_CREDENTIAL_PROFILE"
+	DEFAULT_CREDENTIAL_PROFILE = "default"
 	// defaultRotationInterval is how frequently to expire and re-retrieve the credentials from file.
 	defaultRotationInterval = time.Minute
 	// RotatingSharedCredentialsProviderName is the name of this provider
@@ -41,11 +44,17 @@ type RotatingSharedCredentialsProvider struct {
 // NewRotatingSharedCredentials returns a rotating shared credentials provider
 // with default values set.
 func NewRotatingSharedCredentialsProvider() *RotatingSharedCredentialsProvider {
+	var credentialProfile = DEFAULT_CREDENTIAL_PROFILE
+	if alternateCredentialProfile := os.Getenv(ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR); alternateCredentialProfile != "" {
+		seelog.Infof("Overriding %s credential profile; using: %s.", DEFAULT_CREDENTIAL_PROFILE, alternatCredentialProfile)
+		credentialProfile = alternateCredentialProfile
+	}
+
 	return &RotatingSharedCredentialsProvider{
 		RotationInterval: defaultRotationInterval,
 		sharedCredentialsProvider: &credentials.SharedCredentialsProvider{
 			Filename: defaultRotatingCredentialsFilename,
-			Profile: "default",
+			Profile: credentialProfile,
 		},
 	}
 }
diff --git a/agent/credentials/providers/rotating_shared_credentials_provider_test.go b/agent/credentials/providers/rotating_shared_credentials_provider_test.go
index c1a15d63b18..6f7b521b524 100644
--- a/agent/credentials/providers/rotating_shared_credentials_provider_test.go
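Review bot: `ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR` and `DEFAULT_CREDENTIAL_PROFILE` in the `const` hunk are SCREAMING_SNAKE_CASE and exported, while the neighbouring constants in the same block (`defaultRotationInterval`, `RotatingSharedCredentialsProviderName`) follow Go's MixedCaps convention, and nothing in this patch uses the new names outside the package. `alternateCredentialProfileEnvVar = "ECS_ALTERNATE_CREDENTIAL_PROFILE"` and `defaultCredentialProfile = "default"` would match the file and keep them unexported. gofmt aligns the `=` of adjacent constant specs, so it is worth confirming the two new lines are gofmt-clean as committed (the collapsed view here cannot show that). Each new constant also deserves the one-line comment its siblings have, e.g. `// alternateCredentialProfileEnvVar names the environment variable that selects a non-default profile from the shared credentials file.`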
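Review bot: The `seelog.Infof` argument `alternatCredentialProfile` is misspelled — the `if` initializer two lines up binds `alternateCredentialProfile` — so the package does not compile as submitted; the call should read `seelog.Infof("Overriding %s credential profile; using: %s.", DEFAULT_CREDENTIAL_PROFILE, alternateCredentialProfile)`. While there, `var credentialProfile = DEFAULT_CREDENTIAL_PROFILE` is more idiomatically `credentialProfile := DEFAULT_CREDENTIAL_PROFILE`. The value is taken from the agent's environment verbatim and stored in `SharedCredentialsProvider.Profile` without being checked against the credentials file, so a mistyped profile name presumably surfaces only later as a Retrieve error rather than at construction; if the provider is meant to fail fast, a lookup at startup would be the place to add it. The doc comment above the function (which still names it `NewRotatingSharedCredentials` and says only "with default values set") should describe the override, e.g. `// The profile defaults to "default"; setting ECS_ALTERNATE_CREDENTIAL_PROFILE in the agent's environment selects another profile from the same file. The variable is read once, here, when the provider is constructed.`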
@@ -33,6 +33,15 @@ func TestNewRotatingSharedCredentialsProvider(t *testing.T) {
 	require.Equal(t, defaultRotatingCredentialsFilename, p.sharedCredentialsProvider.Filename)
 }
+func TestNewRotatingSharedCredentialsProviderExternal(t *testing.T) {
+	os.Setenv("ECS_ALTERNATE_CREDENTIAL_PROFILE", "external")
+	defer os.Unsetenv("ECS_ALTERNATE_CREDENTIAL_PROFILE")
+	p := NewRotatingSharedCredentialsProvider()
+	require.Equal(t, time.Minute, p.RotationInterval)
+	require.Equal(t, "external", p.sharedCredentialsProvider.Profile)
+	require.Equal(t, defaultRotatingCredentialsFilename, p.sharedCredentialsProvider.Filename)
+}
+
 func TestRotatingSharedCredentialsProvider_RetrieveFail_BadPath(t *testing.T) {
 	p := NewRotatingSharedCredentialsProvider()
 	p.sharedCredentialsProvider.Filename = "/foo/bar/baz/bad/path"
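Review bot: `os.Setenv` / `defer os.Unsetenv` in the new test mutate process-wide state, drop the error from `Setenv`, and `Unsetenv` does not restore a value that was already present in the environment before the test ran. If the module's Go version is 1.17 or later, `t.Setenv(ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR, "external")` does the set, the restore and the not-parallel-safe marking in one line, and referencing the package constant instead of the string literal keeps the test in step with the provider. Whether this test file already imports `os` is not visible in the hunk; if it does not, the new calls will need that import added. The test pins only the override path — unless the preceding `TestNewRotatingSharedCredentialsProvider` (which starts outside this hunk) already asserts `"default"`, a companion check with the variable unset or empty would cover the fallback branch of the constructor.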