hub / github.com/minio/minio-go / getCredentials

Function getCredentials

pkg/credentials/iam_aws.go:374–446  ·  view source on GitHub ↗

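getCredentials obtains the credentials from the IAM role name associated with the current EC2 service. It first requests an IMDSv2 session token; if that request fails with a timeout or a cancellation, the error is ignored and the lookup continues, with the token header sent only when a token was obtained (the IMDSv1 fallback described in the source comments). The function itself therefore does not require IMDSv2; any such requirement has to be enforced by the metadata service configuration. If the credentials cannot be found, or there is an error reading the response, an error will be returned.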

(client *http.Client, endpoint string)

Source from the content-addressed store, hash-verified

372// If the credentials cannot be found, or there is an error
373// reading the response an error will be returned.
374func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) {
375 if endpoint == "" {
376 endpoint = DefaultIAMRoleEndpoint
377 }
378
379 // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
380 token, err := fetchIMDSToken(client, endpoint)
381 if err != nil {
382 // Return only errors for valid situations, if the IMDSv2 is not enabled
383 // we will not be able to get the token, in such a situation we have
384 // to rely on IMDSv1 behavior as a fallback, this check ensures that.
385 // Refer https://github.com/minio/minio-go/issues/1866
386 if !errors.Is(err, context.DeadlineExceeded) && !errors.Is(err, context.Canceled) {
387 return ec2RoleCredRespBody{}, err
388 }
389 }
390
391 // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
392 u, err := getIAMRoleURL(endpoint)
393 if err != nil {
394 return ec2RoleCredRespBody{}, err
395 }
396
397 // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
398 roleNames, err := listRoleNames(client, u, token)
399 if err != nil {
400 return ec2RoleCredRespBody{}, err
401 }
402
403 if len(roleNames) == 0 {
404 return ec2RoleCredRespBody{}, errors.New("No IAM roles attached to this EC2 service")
405 }
406
407 // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
408 // - An instance profile can contain only one IAM role. This limit cannot be increased.
409 roleName := roleNames[0]
410
411 // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
412 // The following command retrieves the security credentials for an
413 // IAM role named `s3access`.
414 //
415 // $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
416 //
417 u.Path = path.Join(u.Path, roleName)
418 req, err := http.NewRequest(http.MethodGet, u.String(), nil)
419 if err != nil {
420 return ec2RoleCredRespBody{}, err
421 }
422 if token != "" {
423 req.Header.Add(TokenRequestHeader, token)
424 }
425
426 resp, err := client.Do(req)
427 if err != nil {
428 return ec2RoleCredRespBody{}, err
429 }
430 defer resp.Body.Close()
431 if resp.StatusCode != http.StatusOK {

Callers 1

Calls 8

fetchIMDSToken (Function) · 0.85
getIAMRoleURL (Function) · 0.85
listRoleNames (Function) · 0.85
Do (Method) · 0.80
Is (Method) · 0.45
String (Method) · 0.45
Add (Method) · 0.45
Close (Method) · 0.45

Tested by

no test coverage detected