
Don't pull the security token from the environment or config

when a caller supplies the access key and secret
1 parent 0a97158 commit 520760c4db4268fe89e2d11a1a4d1725f0e32ac8 @jimbrowne jimbrowne committed Feb 25, 2014
Showing with 15 additions and 1 deletion.
  1. +6 −1 boto/provider.py
  2. +9 −0 tests/unit/provider/test_provider.py
@@ -289,7 +289,12 @@ def get_credentials(self, access_key=None, secret_key=None,
if security_token is not None:
self.security_token = security_token
boto.log.debug("Using security token provided by client.")
- elif security_token_name is not None:
+ elif ((security_token_name is not None) and
+ (access_key is None) and (secret_key is None)):
+ # Only provide a token from the environment/config if the
+ # caller did not specify a key and secret. Otherwise an
+ # environment/config token could be paired with a
+ # different set of credentials provided by the caller
if security_token_name.upper() in os.environ:
self.security_token = os.environ[security_token_name.upper()]
boto.log.debug("Using security token found in environment"
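Review bot: When the caller passes only one of `access_key` or `secret_key`, the new `elif` condition skips the environment/config token, yet the missing half of the key pair is presumably still filled from the environment or config by code outside this hunk. If those ambient credentials are temporary ones, the request then goes out without its session token and fails with an authentication error that gives no hint of the cause. A debug line on the skip path would make this diagnosable, for example a following branch `elif security_token_name is not None:` containing `boto.log.debug("Ignoring security token from environment/config; credentials were passed in.")`, which names the decision without logging the token value. `get_credentials` begins before and continues after the hunk, so how a partial key pair is resolved should be confirmed there.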
@@ -155,6 +155,15 @@ def test_keyring_is_used(self):
if not imported:
del sys.modules['keyring']
+ def test_passed_in_values_beat_env_vars(self):
+ self.environ['AWS_ACCESS_KEY_ID'] = 'env_access_key'
+ self.environ['AWS_SECRET_ACCESS_KEY'] = 'env_secret_key'
+ self.environ['AWS_SECURITY_TOKEN'] = 'env_security_token'
+ p = provider.Provider('aws', 'access_key', 'secret_key')
+ self.assertEqual(p.access_key, 'access_key')
+ self.assertEqual(p.secret_key, 'secret_key')
+ self.assertEqual(p.security_token, None)
+
def test_env_vars_beat_config_values(self):
self.environ['AWS_ACCESS_KEY_ID'] = 'env_access_key'
self.environ['AWS_SECRET_ACCESS_KEY'] = 'env_secret_key'
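Review bot: `test_passed_in_values_beat_env_vars` places the token only in the environment, while the commit also stops reading it from the config, so the config half of the change has no test. A sibling case that puts a security token in the config fixture and passes the key and secret to `provider.Provider` would pin that path. Another case passing only `access_key` would record what happens to the token when the key pair is only partly supplied. The test class and its fixtures start outside the hunk, so the way config values are injected is not visible here.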
