getCredentials - obtains the credentials from the IAM role name associated with the current EC2 service. If the credentials cannot be found, or there is an error reading the response, an error is returned.
(client *http.Client, endpoint string)
| 372 | // If the credentials cannot be found, or there is an error |
| 373 | // reading the response an error will be returned. |
| 374 | func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) { |
| 375 | if endpoint == "" { |
| 376 | endpoint = DefaultIAMRoleEndpoint |
| 377 | } |
| 378 | |
| 379 | // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html |
| 380 | token, err := fetchIMDSToken(client, endpoint) |
| 381 | if err != nil { |
| 382 | // Return only errors for valid situations, if the IMDSv2 is not enabled |
| 383 | // we will not be able to get the token, in such a situation we have |
| 384 | // to rely on IMDSv1 behavior as a fallback, this check ensures that. |
| 385 | // Refer https://github.com/minio/minio-go/issues/1866 |
| 386 | if !errors.Is(err, context.DeadlineExceeded) && !errors.Is(err, context.Canceled) { |
| 387 | return ec2RoleCredRespBody{}, err |
| 388 | } |
| 389 | } |
| 390 | |
| 391 | // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html |
| 392 | u, err := getIAMRoleURL(endpoint) |
| 393 | if err != nil { |
| 394 | return ec2RoleCredRespBody{}, err |
| 395 | } |
| 396 | |
| 397 | // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html |
| 398 | roleNames, err := listRoleNames(client, u, token) |
| 399 | if err != nil { |
| 400 | return ec2RoleCredRespBody{}, err |
| 401 | } |
| 402 | |
| 403 | if len(roleNames) == 0 { |
| 404 | return ec2RoleCredRespBody{}, errors.New("No IAM roles attached to this EC2 service") |
| 405 | } |
| 406 | |
| 407 | // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html |
| 408 | // - An instance profile can contain only one IAM role. This limit cannot be increased. |
| 409 | roleName := roleNames[0] |
| 410 | |
| 411 | // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html |
| 412 | // The following command retrieves the security credentials for an |
| 413 | // IAM role named `s3access`. |
| 414 | // |
| 415 | // $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access |
| 416 | // |
| 417 | u.Path = path.Join(u.Path, roleName) |
| 418 | req, err := http.NewRequest(http.MethodGet, u.String(), nil) |
| 419 | if err != nil { |
| 420 | return ec2RoleCredRespBody{}, err |
| 421 | } |
| 422 | if token != "" { |
| 423 | req.Header.Add(TokenRequestHeader, token) |
| 424 | } |
| 425 | |
| 426 | resp, err := client.Do(req) |
| 427 | if err != nil { |
| 428 | return ec2RoleCredRespBody{}, err |
| 429 | } |
| 430 | defer resp.Body.Close() |
| 431 | if resp.StatusCode != http.StatusOK { |