Add configurable default profile #3365

Merged
merged 1 commit into from
Aug 29, 2022
add configurable alternate credential profile
fierlion committed Aug 29, 2022
commit cd80eecd7ef7ae1785b493c0dc1abc950f1cd437
1 change: 1 addition & 0 deletions README.md
@@ -184,6 +184,7 @@ additional details on each available environment variable.
| `ECS_EXCLUDE_UNTRACKED_IMAGE` | `alpine:latest` | Comma seperated list of `imageName:tag` of images that should not be deleted by the ECS agent if `ECS_ENABLE_UNTRACKED_IMAGE_CLEANUP` is enabled. | | |
| `ECS_DISABLE_DOCKER_HEALTH_CHECK` | `false` | Whether to disable the Docker Container health check for the ECS Agent. | `false` | `false` |
| `ECS_NVIDIA_RUNTIME` | nvidia | The Nvidia Runtime to be used to pass Nvidia GPU devices to containers. | nvidia | Not Applicable |
| `ECS_ALTERNATE_CREDENTIAL_PROFILE` | default | An alternate credential role/profile name. | default | default |
| `ECS_ENABLE_SPOT_INSTANCE_DRAINING` | `true` | Whether to enable Spot Instance draining for the container instance. If true, if the container instance receives a [spot interruption notice](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-interruptions.html), agent will set the instance's status to [DRAINING](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-instance-draining.html), which gracefully shuts down and replaces all tasks running on the instance that are part of a service. It is recommended that this be set to `true` when using spot instances. | `false` | `false` |
| `ECS_LOG_ROLLOVER_TYPE` | `size` | `hourly` | Determines whether the container agent logfile will be rotated based on size or hourly. By default, the agent logfile is rotated each hour. | `hourly` | `hourly` |
| `ECS_LOG_OUTPUT_FORMAT` | `logfmt` | `json` | Determines the log output format. When the json format is used, each line in the log would be a structured JSON map. | `logfmt` | `logfmt` |
@@ -15,13 +15,16 @@ package providers

import (
"fmt"
"os"
"time"

"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/cihub/seelog"
)

const (
ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR = "ECS_ALTERNATE_CREDENTIAL_PROFILE"
DEFAULT_CREDENTIAL_PROFILE = "default"
// defaultRotationInterval is how frequently to expire and re-retrieve the credentials from file.
defaultRotationInterval = time.Minute
// RotatingSharedCredentialsProviderName is the name of this provider
@@ -41,11 +44,17 @@ type RotatingSharedCredentialsProvider struct {
// NewRotatingSharedCredentials returns a rotating shared credentials provider
// with default values set.
func NewRotatingSharedCredentialsProvider() *RotatingSharedCredentialsProvider {
var credentialProfile = DEFAULT_CREDENTIAL_PROFILE
if alternateCredentialProfile := os.Getenv(ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR); alternateCredentialProfile != "" {
seelog.Infof("Overriding %s credential profile; using: %s.", DEFAULT_CREDENTIAL_PROFILE, alternateCredentialProfile)
credentialProfile = alternateCredentialProfile
}

return &RotatingSharedCredentialsProvider{
RotationInterval: defaultRotationInterval,
sharedCredentialsProvider: &credentials.SharedCredentialsProvider{
Filename: defaultRotatingCredentialsFilename,
Profile: "default",
Profile: credentialProfile,
},
}
}
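Review bot: In NewRotatingSharedCredentialsProvider the value of ECS_ALTERNATE_CREDENTIAL_PROFILE is used verbatim as the profile name and logged with `%s`, so stray whitespace or control characters in the variable would reach both the log line and the profile lookup without being visible. Logging it quoted, `seelog.Infof("Overriding %s credential profile; using: %q.", DEFAULT_CREDENTIAL_PROFILE, alternateCredentialProfile)`, makes such a value obvious to whoever reads the agent log. Because the profile selects which entry of the shared credentials file the agent authenticates with, the two new constants deserve doc comments saying that, for example `// ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR names the environment variable that overrides the shared-credentials profile.` The constants are also exported ALL_CAPS names sitting next to `defaultRotationInterval`; unless something outside the package needs them, unexported MixedCaps names such as `defaultCredentialProfile` would match the file and Go convention.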
@@ -33,6 +33,15 @@ func TestNewRotatingSharedCredentialsProvider(t *testing.T) {
require.Equal(t, defaultRotatingCredentialsFilename, p.sharedCredentialsProvider.Filename)
}

func TestNewRotatingSharedCredentialsProviderExternal(t *testing.T) {
os.Setenv("ECS_ALTERNATE_CREDENTIAL_PROFILE", "external")
defer os.Unsetenv("ECS_ALTERNATE_CREDENTIAL_PROFILE")
p := NewRotatingSharedCredentialsProvider()
require.Equal(t, time.Minute, p.RotationInterval)
require.Equal(t, "external", p.sharedCredentialsProvider.Profile)
require.Equal(t, defaultRotatingCredentialsFilename, p.sharedCredentialsProvider.Filename)
}

func TestRotatingSharedCredentialsProvider_RetrieveFail_BadPath(t *testing.T) {
p := NewRotatingSharedCredentialsProvider()
p.sharedCredentialsProvider.Filename = "/foo/bar/baz/bad/path"
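Review bot: TestNewRotatingSharedCredentialsProviderExternal sets the variable with os.Setenv and then unconditionally unsets it, which discards any value the variable had before the test and is racy if tests in this package ever run in parallel. If the project's Go version allows it (1.17 or later), `t.Setenv(ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR, "external")` restores the previous value automatically and fails fast when used in a parallel test. TestNewRotatingSharedCredentialsProvider, whose body starts above the hunk, presumably asserts the default profile and so now depends on the variable being unset in the test environment; clearing it explicitly there would keep that test hermetic. Using the constant rather than the string literal also keeps the test tied to the name the provider actually reads.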