provider/aws: Fail silently in ValidateCredentials for IAM users

hashicorp · Aug 7, 2015 · 31fab62 · 31fab62
1 parent f238e25
commit 31fab62
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/builtin/providers/aws/config.go b/builtin/providers/aws/config.go
@@ -180,11 +180,21 @@ func (c *Config) ValidateRegion() error {
  return fmt.Errorf("Not a valid region: %s", c.Region)
 }
 
-// Validate credentials early and fail before we do any graph walking
+// Validate credentials early and fail before we do any graph walking.
+// In the case of an IAM role/profile with insuffecient privileges, fail
+// silently
 func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
  _, err := iamconn.GetUser(nil)
 
  if awsErr, ok := err.(awserr.Error); ok {
+
+ if awsErr.Code() == "AccessDenied" {
+ log.Printf("[WARN] AccessDenied Error with iam.GetUser, assuming IAM profile")
+ // User may be an IAM instance profile, or otherwise IAM role without the
+ // GetUser permissions, so fail silently
+ return nil
+ }
+
  if awsErr.Code() == "SignatureDoesNotMatch" {
  return fmt.Errorf("Failed authenticating with AWS: please verify credentials")
  }