Skip to content

Commit

Permalink
provider/aws: Check credentials before attempting to do anything
Browse files Browse the repository at this point in the history
  • Loading branch information
catsby committed Jul 14, 2015
1 parent eedcb40 commit 975e1a6
Showing 1 changed file with 27 additions and 6 deletions.
33 changes: 27 additions & 6 deletions builtin/providers/aws/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"github.com/hashicorp/terraform/helper/multierror"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/service/autoscaling"
"github.com/aws/aws-sdk-go/service/cloudwatch"
Expand Down Expand Up @@ -85,6 +86,14 @@ func (c *Config) Client() (interface{}, error) {
MaxRetries: c.MaxRetries,
}

log.Println("[INFO] Initializing IAM Connection")
client.iamconn = iam.New(awsConfig)

err := c.ValidateCredentials(client.iamconn)
if err != nil {
errs = append(errs, err)
}

log.Println("[INFO] Initializing DynamoDB connection")
client.dynamodbconn = dynamodb.New(awsConfig)

Expand All @@ -103,15 +112,12 @@ func (c *Config) Client() (interface{}, error) {
log.Println("[INFO] Initializing RDS Connection")
client.rdsconn = rds.New(awsConfig)

log.Println("[INFO] Initializing IAM Connection")
client.iamconn = iam.New(awsConfig)

log.Println("[INFO] Initializing Kinesis Connection")
client.kinesisconn = kinesis.New(awsConfig)

err := c.ValidateAccountId(client.iamconn)
if err != nil {
errs = append(errs, err)
authErr := c.ValidateAccountId(client.iamconn)
if authErr != nil {
errs = append(errs, authErr)
}

log.Println("[INFO] Initializing AutoScaling connection")
Expand Down Expand Up @@ -165,6 +171,21 @@ func (c *Config) ValidateRegion() error {
return fmt.Errorf("Not a valid region: %s", c.Region)
}

// Validate credentials early and fail before we do any graph walking
func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
_, err := iamconn.GetUser(nil)
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
if awsErr.Code() == "SignatureDoesNotMatch" {
return fmt.Errorf("Failed authenticating with AWS: please verify credentials")
}
}
return err
}

return nil
}

// ValidateAccountId returns a context-specific error if the configured account
// id is explicitly forbidden or not authorised; and nil if it is authorised.
func (c *Config) ValidateAccountId(iamconn *iam.IAM) error {
Expand Down

0 comments on commit 975e1a6

Please sign in to comment.