From 31fab62bfdd7da3c5c9257b75ed51b91029f4fdf Mon Sep 17 00:00:00 2001
From: Clint Shryock
Date: Fri, 7 Aug 2015 09:49:59 -0500
Subject: [PATCH 1/2] provider/aws: Fail silently in ValidateCredentials for IAM users
---
 builtin/providers/aws/config.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/builtin/providers/aws/config.go b/builtin/providers/aws/config.go
index c99a66c523fc..393753115360 100644
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@@ -180,11 +180,21 @@ func (c *Config) ValidateRegion() error {
 return fmt.Errorf("Not a valid region: %s", c.Region)
 }
 
-// Validate credentials early and fail before we do any graph walking
+// Validate credentials early and fail before we do any graph walking.
+// In the case of an IAM role/profile with insuffecient privileges, fail
+// silently
 func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
 _, err := iamconn.GetUser(nil)
 
 if awsErr, ok := err.(awserr.Error); ok {
+
+ if awsErr.Code() == "AccessDenied" {
+ log.Printf("[WARN] AccessDenied Error with iam.GetUser, assuming IAM profile")
+ // User may be an IAM instance profile, or otherwise IAM role without the
+ // GetUser permissions, so fail silently
+ return nil
+ }
+
 if awsErr.Code() == "SignatureDoesNotMatch" {
 return fmt.Errorf("Failed authenticating with AWS: please verify credentials")
 }
From eb90457223b065e80e8f0e7d5e25c6ba18c3910f Mon Sep 17 00:00:00 2001
From: Clint Shryock
Date: Fri, 7 Aug 2015 11:55:44 -0500
Subject: [PATCH 2/2] guard on both accessdenied (no IAM policy) and validationerror (no username specified)
---
 builtin/providers/aws/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/builtin/providers/aws/config.go b/builtin/providers/aws/config.go
index 393753115360..0cdcd90ddc85 100644
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
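Review bot: The new `return nil` in the AccessDenied branch turns an authorization failure into "credentials validated", and the comment should state why that is acceptable rather than just "fail silently": as far as I understand IAM, AccessDenied is only returned once the request signature has been verified, so the credentials are authentic and merely lack iam:GetUser, whereas an unauthenticated request surfaces as a different code (the SignatureDoesNotMatch branch below still rejects that). Suggested replacement for the in-branch comment: `// AccessDenied means the request was signed with valid credentials but the caller lacks iam:GetUser (typical for instance profiles and assumed roles), so treat the credentials as validated.` The added doc comment also has a typo, `insuffecient` should be `insufficient`. ValidateCredentials continues past the end of the hunk, so how non-awserr errors from GetUser are handled is not visible here.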
@@ -188,7 +188,7 @@ func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
 
 if awsErr, ok := err.(awserr.Error); ok {
 
- if awsErr.Code() == "AccessDenied" {
+ if awsErr.Code() == "AccessDenied" || awsErr.Code() == "ValidationError" {
 log.Printf("[WARN] AccessDenied Error with iam.GetUser, assuming IAM profile")
 // User may be an IAM instance profile, or otherwise IAM role without the
 // GetUser permissions, so fail silently
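Review bot: The log line directly after the changed condition still reports "AccessDenied Error" even when the branch was entered on ValidationError, so the warning now misdescribes the role/no-username case the commit subject is about; log the actual code instead: `log.Printf("[WARN] %s error from iam.GetUser, assuming IAM role/profile", awsErr.Code())`. The comment below the log line should likewise say that ValidationError is what GetUser(nil) returns when the caller is not an IAM user (the "no username specified" case), since matching a generic code like ValidationError otherwise looks accidental to a later reader. Note that both codes are compared as bare string literals; if the file elsewhere uses named constants for AWS error codes, these should follow suit. The enclosing function continues beyond the hunk.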