Merge 80c8d9c into aa7b379

CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Improved exception messages in credential providers to exclude detailed parse errors that may contain sensitive information. 
+
 2.11.284 (2019-05-29)
 ------------------
 

aws-sdk-core/lib/aws-sdk-core/ecs_credentials.rb

@@ -60,7 +60,7 @@ def initialize options = {}
       super
     end
 
-    # @return [Integer] The number of times to retry failed atttempts to
+    # @return [Integer] The number of times to retry failed attempts to
     #   fetch credentials from the instance metadata service. Defaults to 0.
     attr_reader :retries
 
@@ -78,14 +78,18 @@ def refresh
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
-        c = JSON.parse(get_credentials.to_s)
-        @credentials = Credentials.new(
-          c['AccessKeyId'],
-          c['SecretAccessKey'],
-          c['Token']
-        )
-        @expiration = c['Expiration'] ? Time.parse(c['Expiration']) : nil
+      begin
+        retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
+          c = JSON.parse(get_credentials.to_s)
+          @credentials = Credentials.new(
+            c['AccessKeyId'],
+            c['SecretAccessKey'],
+            c['Token']
+          )
+          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+        end
+      rescue JSON::ParserError
+        raise Aws::Errors::MetadataParserError.new
       end
     end
 
@@ -126,7 +130,7 @@ def retry_errors(error_classes, options = {}, &block)
       retries = 0
       begin
         yield
-      rescue *error_classes => error
+      rescue *error_classes => _error
         if retries < max_retries
           @backoff.call(retries)
           retries += 1

aws-sdk-core/lib/aws-sdk-core/errors.rb

@@ -34,6 +34,15 @@ class << self
       end
     end
 
+    # Raised when InstanceProfileCredentialsProvider or
+    # EcsCredentialsProvider fails to parse the metadata response after retries
+    class MetadataParserError < RuntimeError
+      def initialize(*args)
+        msg = "Failed to parse metadata service response."
+        super(msg)
+      end
+    end
+
     # Various plugins perform client-side checksums of responses.
     # This error indicates a checksum failed.
     class ChecksumError < RuntimeError; end

aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -51,7 +51,7 @@ def initialize options = {}
       super
     end
 
-    # @return [Integer] The number of times to retry failed atttempts to
+    # @return [Integer] The number of times to retry failed attempts to
     #   fetch credentials from the instance metadata service. Defaults to 0.
     attr_reader :retries
 
@@ -69,14 +69,18 @@ def refresh
       # Retry loading credentials up to 3 times is the instance metadata
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
-      retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
-        c = JSON.parse(get_credentials.to_s)
-        @credentials = Credentials.new(
-          c['AccessKeyId'],
-          c['SecretAccessKey'],
-          c['Token']
-        )
-        @expiration = c['Expiration'] ? Time.parse(c['Expiration']) : nil
+      begin
+        retry_errors([JSON::ParserError, StandardError], max_retries: 3) do
+          c = JSON.parse(get_credentials.to_s)
+          @credentials = Credentials.new(
+            c['AccessKeyId'],
+            c['SecretAccessKey'],
+            c['Token']
+          )
+          @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
+        end
+      rescue JSON::ParserError
+        raise Aws::Errors::MetadataParserError.new
       end
     end
 

aws-sdk-core/spec/aws/ecs_credentials_spec.rb

@@ -106,7 +106,10 @@ module Aws
           to_return(:status => 200, :body => ' ')
         expect {
           ECSCredentials.new(backoff:0)
-        }.to raise_error(JSON::ParserError)
+        }.to raise_error(
+          Aws::Errors::MetadataParserError,
+          'Failed to parse metadata service response.'
+        )
       end
 
       it 'retries errors parsing expiration time 3 times' do

aws-sdk-core/spec/aws/instance_profile_credentials_spec.rb

@@ -157,7 +157,10 @@ module Aws
           to_return(:status => 200, :body => ' ')
         expect {
           InstanceProfileCredentials.new(backoff:0)
-        }.to raise_error(JSON::ParserError)
+        }.to raise_error(
+          Aws::Errors::MetadataParserError,
+          'Failed to parse metadata service response.'
+        )
       end
 
       it 'retries errors parsing expiration time 3 times' do