

Merge pull request #292 from test-kitchen/revert-227-support-sts-assu…
…me-role

Revert "Add support for "Assume Role" credentials"
Seth Thomas authored Feb 7, 2017
2 parents 31fac63 + 9fb49ab commit 2549243
Showing 3 changed files with 13 additions and 115 deletions.
29 changes: 7 additions & 22 deletions lib/kitchen/driver/aws/client.rb
Expand Up @@ -39,11 +39,10 @@ def initialize( # rubocop:disable Metrics/ParameterLists
secret_access_key = nil,
session_token = nil,
http_proxy = nil,
retry_limit = nil,
options = {}
retry_limit = nil
)
creds = self.class.get_credentials(
profile_name, access_key_id, secret_access_key, session_token, region, options
profile_name, access_key_id, secret_access_key, session_token
)
::Aws.config.update(
:region => region,
Expand All @@ -56,34 +55,20 @@ def initialize( # rubocop:disable Metrics/ParameterLists
# Try and get the credentials from an ordered list of locations
# http://docs.aws.amazon.com/sdkforruby/api/index.html#Configuration
# rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
# rubocop:disable Metrics/ParameterLists, Metrics/MethodLength
def self.get_credentials(profile_name, access_key_id, secret_access_key, session_token,
region, options = {})
def self.get_credentials(profile_name, access_key_id, secret_access_key, session_token)
shared_creds = ::Aws::SharedCredentials.new(:profile_name => profile_name)
if access_key_id && secret_access_key
source_creds = ::Aws::Credentials.new(access_key_id, secret_access_key, session_token)

::Aws::Credentials.new(access_key_id, secret_access_key, session_token)
elsif ENV["AWS_ACCESS_KEY_ID"] && ENV["AWS_SECRET_ACCESS_KEY"]
source_creds = ::Aws::Credentials.new(
::Aws::Credentials.new(
ENV["AWS_ACCESS_KEY_ID"],
ENV["AWS_SECRET_ACCESS_KEY"],
ENV["AWS_SESSION_TOKEN"]
)
elsif shared_creds.loadable?
source_creds = shared_creds
else
source_creds = ::Aws::InstanceProfileCredentials.new(:retries => 1)
end
if options[:assume_role_arn] && options[:assume_role_session_name]
sts = ::Aws::STS::Client.new(:credentials => source_creds, :region => region)
assume_role_options = (options[:assume_role_options] || {}).merge(
:client => sts,
:role_arn => options[:assume_role_arn],
:role_session_name => options[:assume_role_session_name]
)
::Aws::AssumeRoleCredentials.new(assume_role_options)
shared_creds
else
source_creds
::Aws::InstanceProfileCredentials.new(:retries => 1)
end
end
# rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
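Review bot: In `get_credentials`, the first branch is taken only when both `access_key_id` and `secret_access_key` are set, so a configuration that supplies just one of them (or only a `session_token`) falls through without any message to the environment variables, the shared profile, or the instance profile. The run can then proceed under a different identity than the operator intended. Consider failing fast at the top of the method, e.g. `raise ArgumentError, "access_key_id and secret_access_key must be set together" if access_key_id.nil? ^ secret_access_key.nil?`, and extending the comment above the method to spell out the lookup order: explicit arguments, `AWS_*` environment variables, shared profile, instance profile.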
9 changes: 1 addition & 8 deletions lib/kitchen/driver/ec2.rb
Expand Up @@ -84,10 +84,6 @@ class Ec2 < Kitchen::Driver::Base # rubocop:disable Metrics/ClassLength
default_config :tenancy, "default"
default_config :instance_initiated_shutdown_behavior, nil

default_config :assume_role_arn, nil
default_config :assume_role_session_name, nil
default_config :assume_role_options, {}

def initialize(*args, &block)
super
# AWS Ruby SDK loading isn't thread safe, so as soon as we know we're
Expand Down Expand Up @@ -327,10 +323,7 @@ def ec2
config[:aws_secret_access_key],
config[:aws_session_token],
config[:http_proxy],
config[:retry_limit],
:assume_role_arn => config[:assume_role_arn],
:assume_role_session_name => config[:assume_role_session_name],
:assume_role_options => config[:assume_role_options]
config[:retry_limit]
)
end

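Review bot: With the three `assume_role_*` defaults removed and no longer passed to `Aws::Client.new` in `ec2`, a `.kitchen.yml` that still sets `assume_role_arn` is presumably accepted without complaint, and the driver then acts with the source credentials rather than the intended role. That is a silent change of identity, and possibly of account and privilege, for anyone who adopted the reverted feature. Consider warning or failing when the key is present, e.g. `warn "assume_role_arn is not supported by this version and is ignored" if config[:assume_role_arn]` ahead of the client construction; the body of `ec2` starts outside the hunk, and whether unknown keys are rejected elsewhere is not visible here.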
90 changes: 5 additions & 85 deletions spec/kitchen/driver/ec2/client_spec.rb
Expand Up @@ -33,24 +33,12 @@
it "loads IAM credentials last" do
expect(shared).to receive(:loadable?).and_return(false)
expect(Aws::InstanceProfileCredentials).to receive(:new).and_return(iam)
expect(Kitchen::Driver::Aws::Client.get_credentials(
"profile",
nil,
nil,
nil,
"us-west-1"
)).to eq(iam)
expect(Kitchen::Driver::Aws::Client.get_credentials("profile", nil, nil, nil)).to eq(iam)
end

it "loads shared credentials second to last" do
expect(shared).to receive(:loadable?).and_return(true)
expect(Kitchen::Driver::Aws::Client.get_credentials(
"profile",
nil,
nil,
nil,
"us-west-1"
)).to eq(shared)
expect(Kitchen::Driver::Aws::Client.get_credentials("profile", nil, nil, nil)).to eq(shared)
end

it "loads shared credentials third to last" do
Expand All @@ -60,13 +48,7 @@
"AWS_SECRET_ACCESS_KEY" => "value1",
"AWS_SESSION_TOKEN" => "token1"
) do
expect(Kitchen::Driver::Aws::Client.get_credentials(
"profile",
nil,
nil,
nil,
"us-west-1"
)).to \
expect(Kitchen::Driver::Aws::Client.get_credentials("profile", nil, nil, nil)).to \
be_a(Aws::Credentials).and have_attributes(
:access_key_id => "key1",
:secret_access_key => "value1",
Expand All @@ -77,13 +59,7 @@

it "loads provided credentials first" do
expect(shared).to_not receive(:loadable?)
expect(Kitchen::Driver::Aws::Client.get_credentials(
"profile",
"key3",
"value3",
nil,
"us-west-1"
)).to \
expect(Kitchen::Driver::Aws::Client.get_credentials("profile", "key3", "value3", nil)).to \
be_a(Aws::Credentials).and have_attributes(
:access_key_id => "key3",
:secret_access_key => "value3",
Expand All @@ -93,13 +69,7 @@

it "uses a session token if provided" do
expect(shared).to_not receive(:loadable?)
expect(Kitchen::Driver::Aws::Client.get_credentials(
"profile",
"key3",
"value3",
"t",
"us-west-1"
)).to \
expect(Kitchen::Driver::Aws::Client.get_credentials("profile", "key3", "value3", "t")).to \
be_a(Aws::Credentials).and have_attributes(
:access_key_id => "key3",
:secret_access_key => "value3",
Expand All @@ -108,56 +78,6 @@
end
end

describe "::get_credentials + STS AssumeRole" do
let(:shared) { instance_double(Aws::SharedCredentials) }
let(:iam) { instance_double(Aws::InstanceProfileCredentials) }
let(:assume_role) { instance_double(Aws::AssumeRoleCredentials) }
let(:sts_client) { instance_double(Aws::STS::Client) }

before do
expect(Aws::SharedCredentials).to \
receive(:new).with(:profile_name => "profile").and_return(shared)
expect(Aws::AssumeRoleCredentials).to \
receive(:new).with(
:client => sts_client,
:role_arn => "role_arn",
:role_session_name => "role_session_name"
).and_return(assume_role)
end

# nothing else is set, so we default to this
it "loads IAM credentials last" do
expect(Aws::STS::Client).to \
receive(:new).with(:credentials => iam, :region => "us-west-1").and_return(sts_client)

expect(shared).to receive(:loadable?).and_return(false)
expect(Aws::InstanceProfileCredentials).to receive(:new).and_return(iam)
expect(Kitchen::Driver::Aws::Client.get_credentials(
"profile",
nil,
nil,
nil,
"us-west-1",
:assume_role_arn => "role_arn", :assume_role_session_name => "role_session_name"
)).to eq(assume_role)
end

it "loads shared credentials second to last" do
expect(Aws::STS::Client).to \
receive(:new).with(:credentials => shared, :region => "us-west-1").and_return(sts_client)

expect(shared).to receive(:loadable?).and_return(true)
expect(Kitchen::Driver::Aws::Client.get_credentials(
"profile",
nil,
nil,
nil,
"us-west-1",
:assume_role_arn => "role_arn", :assume_role_session_name => "role_session_name"
)).to eq(assume_role)
end
end

let(:client) { Kitchen::Driver::Aws::Client.new("us-west-1") }

describe "#initialize" do
