From 30024ddb578d4ef740234501ff14ebefa3491d9e Mon Sep 17 00:00:00 2001
From: Jason Hoetger
Date: Wed, 3 May 2017 17:16:44 -0700
Subject: [PATCH] Added support for Task Roles when running on ECS or CodeBuild

---
 builtin/providers/aws/auth_helpers.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/builtin/providers/aws/auth_helpers.go b/builtin/providers/aws/auth_helpers.go
index e808d4d39071..673e4aa9562b 100644
--- a/builtin/providers/aws/auth_helpers.go
+++ b/builtin/providers/aws/auth_helpers.go
@@ -13,6 +13,7 @@ import (
 	awsCredentials "github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/iam"
@@ -95,7 +96,7 @@ func parseAccountInfoFromArn(arn string) (string, string, error) {
 // environment in the case that they're not explicitly specified
 // in the Terraform configuration.
 func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
-	// build a chain provider, lazy-evaulated by aws-sdk
+	// build a chain provider, lazy-evaluated by aws-sdk
 	providers := []awsCredentials.Provider{
 		&awsCredentials.StaticProvider{Value: awsCredentials.Value{
 			AccessKeyID: c.AccessKey,
@@ -119,6 +120,12 @@ func GetCredentials(c *Config) (*awsCredentials.Credentials, error) { } usedEndpoint := setOptionalEndpoint(cfg) + // Add the default AWS provider for ECS Task Roles if the relevant env variable is set + if uri := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"); len(uri) > 0 { + providers = append(providers, defaults.RemoteCredProvider(*cfg, defaults.Handlers())) + log.Print("[INFO] ECS container credentials detected, RemoteCredProvider added to auth chain") + } + if !c.SkipMetadataApiCheck { // Real AWS should reply to a simple metadata request. // We check it actually does to ensure something else didn't just
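Review bot: The comment above the new `if` should explain why the environment variable is checked here at all, because `defaults.RemoteCredProvider` repeats the same `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` lookup internally and, when the variable is unset, returns an EC2 instance-role provider instead; without this guard that fallback would presumably duplicate the instance-role provider that the `SkipMetadataApiCheck` branch further down (outside this hunk) adds on its own terms. Suggested wording: `// Guarded on the env variable because RemoteCredProvider otherwise falls back to the EC2 instance-role provider, which is added separately under the SkipMetadataApiCheck logic below.` The comment and the log line mention only ECS, while the commit title states CodeBuild exposes credentials through the same variable; recording that in the comment avoids a later reader removing the branch as ECS-only. Appending after the static/env/shared providers already in `providers` and before the metadata check appears to match the SDK's default chain precedence, and that ordering is what a future reorder must preserve, so it is worth a sentence in the comment too. GetCredentials continues outside the hunk.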