diff --git a/lib/kitchen/driver/aws/client.rb b/lib/kitchen/driver/aws/client.rb index 5d409ddf..7b90ab88 100644 --- a/lib/kitchen/driver/aws/client.rb +++ b/lib/kitchen/driver/aws/client.rb @@ -61,25 +61,28 @@ def self.get_credentials(profile_name, access_key_id, secret_access_key, session region, options = {}) if access_key_id && secret_access_key source_creds = ::Aws::Credentials.new(access_key_id, secret_access_key, session_token) - elsif ENV["AWS_ACCESS_KEY_ID"] && ENV["AWS_SECRET_ACCESS_KEY"] source_creds = ::Aws::Credentials.new( ENV["AWS_ACCESS_KEY_ID"], ENV["AWS_SECRET_ACCESS_KEY"], ENV["AWS_SESSION_TOKEN"] ) - elsif shared_creds = ::Aws::SharedCredentials.new(:profile_name => profile_name) - source_creds = shared_creds + elsif profile_name + # require 'pry'; binding.pry + source_creds = ::Aws::SharedCredentials.new(:profile_name => profile_name) else source_creds = ::Aws::InstanceProfileCredentials.new(:retries => 1) end + if options[:assume_role_arn] && options[:assume_role_session_name] sts = ::Aws::STS::Client.new(:credentials => source_creds, :region => region) + assume_role_options = (options[:assume_role_options] || {}).merge( :client => sts, :role_arn => options[:assume_role_arn], :role_session_name => options[:assume_role_session_name] ) + ::Aws::AssumeRoleCredentials.new(assume_role_options) else source_creds diff --git a/spec/kitchen/driver/ec2/client_spec.rb b/spec/kitchen/driver/ec2/client_spec.rb index 5a0273fb..6f26e74b 100644 --- a/spec/kitchen/driver/ec2/client_spec.rb +++ b/spec/kitchen/driver/ec2/client_spec.rb @@ -29,7 +29,7 @@ allow(Aws::InstanceProfileCredentials).to receive(:new).and_return(iam) env_creds(nil, nil) do - expect(Kitchen::Driver::Aws::Client.get_credentials(nil, nil, nil, nil)).to eq(iam) + expect(Kitchen::Driver::Aws::Client.get_credentials(nil, nil, nil, nil, nil)).to eq(iam) end end 
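Review bot: With `elsif profile_name`, a nil profile now skips the shared credentials file and goes straight to `InstanceProfileCredentials`, so a caller who relied on the `[default]` profile will, on an EC2-hosted workstation or CI runner, run under the instance role without any notice. That identity switch deserves a comment above the branch, e.g. `# No profile given: the shared credentials file is not consulted; fall back to the instance profile`. When a profile is named, nothing in the visible lines checks that it yielded keys, so depending on the SDK version a mistyped name may only surface as an authentication error on the first API call; a guard along the lines of `raise ArgumentError, "no credentials found for profile #{profile_name}" unless source_creds.set?` would fail early. The leftover `# require 'pry'; binding.pry` comment should be removed before merge. The body of `get_credentials` continues past the end of this hunk.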
@@ -40,13 +40,13 @@ receive(:new).with(:profile_name => "profile").and_return(shared) env_creds(nil, nil) do - expect(Kitchen::Driver::Aws::Client.get_credentials("profile", nil, nil, nil)).to eq(shared) + expect(Kitchen::Driver::Aws::Client.get_credentials("profile", nil, nil, nil, nil)).to eq(shared) end end it "loads credentials from the environment third to last" do env_creds("key_id", "secret") do - expect(Kitchen::Driver::Aws::Client.get_credentials("profile", nil, nil, nil)).to \ + expect(Kitchen::Driver::Aws::Client.get_credentials("profile", nil, nil, nil, nil)).to \ be_a(Aws::Credentials).and have_attributes( :access_key_id => "key_id", :secret_access_key => "secret" @@ -55,7 +55,6 @@ end it "loads provided credentials first" do - expect(shared).to_not receive(:loadable?) expect(Kitchen::Driver::Aws::Client.get_credentials( "profile", "key3", @@ -71,7 +70,6 @@ end it "uses a session token if provided" do - expect(shared).to_not receive(:loadable?) expect(Kitchen::Driver::Aws::Client.get_credentials( "profile", "key3", @@ -94,8 +92,6 @@ let(:sts_client) { instance_double(Aws::STS::Client) } before do - expect(Aws::SharedCredentials).to \ - receive(:new).with(:profile_name => "profile").and_return(shared) expect(Aws::AssumeRoleCredentials).to \ receive(:new).with( :client => sts_client, @@ -105,14 +101,14 @@ end # nothing else is set, so we default to this - it "loads IAM credentials last" do + it "loads an Instance Profile last" do + expect(Aws::InstanceProfileCredentials).to \ + receive(:new).and_return(iam) expect(Aws::STS::Client).to \ receive(:new).with(:credentials => iam, :region => "us-west-1").and_return(sts_client) - expect(shared).to receive(:loadable?).and_return(false) - expect(Aws::InstanceProfileCredentials).to receive(:new).and_return(iam) expect(Kitchen::Driver::Aws::Client.get_credentials( - "profile", + nil, nil, nil, nil, 
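Review bot: The `loads an Instance Profile last` example now passes `nil` as the profile, and the earlier hunks remove the `loadable?` expectations, so no visible example covers a profile that is named but cannot be loaded. Since the new branch depends only on `profile_name` being set, an example pinning that choice would help, e.g. `it "does not fall back to the instance profile when a profile is named"` with `expect(Aws::InstanceProfileCredentials).to_not receive(:new)`. It would also make the changed precedence explicit for anyone reading the spec as documentation of the credential chain. The `it` block continues outside this hunk.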
@@ -122,10 +118,10 @@ end it "loads shared credentials second to last" do + expect(::Aws::SharedCredentials).to receive(:new).with(profile_name: "profile").and_return(shared) expect(Aws::STS::Client).to \ receive(:new).with(:credentials => shared, :region => "us-west-1").and_return(sts_client) - expect(shared).to receive(:loadable?).and_return(true) expect(Kitchen::Driver::Aws::Client.get_credentials( "profile", nil,
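Review bot: The added expectation in `loads shared credentials second to last` is written as `expect(::Aws::SharedCredentials)` with `profile_name: "profile"`, while the surrounding expectations use bare `Aws::` constants, hash rockets and a `\` continuation. For consistency with the rest of the spec it could read `expect(Aws::SharedCredentials).to \` followed by `receive(:new).with(:profile_name => "profile").and_return(shared)`, which also keeps the line within the length used elsewhere. The `get_credentials` call at the end of the hunk continues outside it.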