fix: remove custom credentials chain to use default (#2485)

* fix: remove custom credentials chain to use default
rudderlabs · Sep 27, 2022 · de0fe36 · de0fe36
1 parent 33ba5ef
commit de0fe36
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 29 deletions.
diff --git a/utils/awsutils/session.go b/utils/awsutils/session.go
@@ -9,9 +9,7 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
-	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/mitchellh/mapstructure"
 	backendconfig "github.com/rudderlabs/rudder-server/config/backend-config"
@@ -46,6 +44,9 @@ func createDefaultSession(config *SessionConfig) (*session.Session, error) {
 }
 
 func createCredentailsForRole(config *SessionConfig) (*credentials.Credentials, error) {
+	if config.ExternalID == "" {
+		return nil, errors.New("externalID is required for IAM role")
+	}
 	hostSession, err := createDefaultSession(config)
 	if err != nil {
 		return nil, err
@@ -57,43 +58,29 @@ func createCredentailsForRole(config *SessionConfig) (*credentials.Credentials,
 		}), err
 }
 
-func getHostCredentials(config *SessionConfig) (*credentials.Credentials, error) {
-	hostSession, err := createDefaultSession(config)
-	if err != nil {
-		return nil, err
-	}
-	return credentials.NewChainCredentials(
-		[]credentials.Provider{
-			&credentials.EnvProvider{},
-			&ec2rolecreds.EC2RoleProvider{
-				Client: ec2metadata.New(hostSession),
-			},
-		}), nil
-}
-
-func createCredentails(config *SessionConfig) (*credentials.Credentials, error) {
+func CreateSession(config *SessionConfig) (*session.Session, error) {
+	var (
+		awsCredentials *credentials.Credentials
+		err            error
+	)
 	if config.IAMRoleARN != "" {
-		return createCredentailsForRole(config)
+		awsCredentials, err = createCredentailsForRole(config)
 	} else if config.AccessKey != "" && config.AccessKeyID != "" {
-		return credentials.NewStaticCredentials(config.AccessKeyID, config.AccessKey, ""), nil
+		awsCredentials, err = credentials.NewStaticCredentials(config.AccessKeyID, config.AccessKey, ""), nil
 	}
-	return getHostCredentials(config)
-}
-
-func CreateSession(config *SessionConfig) (*session.Session, error) {
-	awsCredentials, err := createCredentails(config)
 	if err != nil {
 		return nil, err
 	}
 	return session.NewSession(&aws.Config{
 		HTTPClient: &http.Client{
 			Timeout: config.Timeout,
 		},
-		Region:           aws.String(config.Region),
-		Credentials:      awsCredentials,
-		Endpoint:         config.Endpoint,
-		S3ForcePathStyle: config.S3ForcePathStyle,
-		DisableSSL:       config.DisableSSL,
+		Region:                        aws.String(config.Region),
+		CredentialsChainVerboseErrors: aws.Bool(true),
+		Credentials:                   awsCredentials,
+		Endpoint:                      config.Endpoint,
+		S3ForcePathStyle:              config.S3ForcePathStyle,
+		DisableSSL:                    config.DisableSSL,
 	})
 }
 

diff --git a/utils/awsutils/session_test.go b/utils/awsutils/session_test.go
@@ -108,6 +108,18 @@ func TestCreateSessionWithRole(t *testing.T) {
 	assert.Equal(t, sessionConfig.Timeout, awsSession.Config.HTTPClient.Timeout)
 }
 
+func TestCreateSessionWithRoleButWithoutExternalID(t *testing.T) {
+	sessionConfig := SessionConfig{
+		Region:     someRegion,
+		IAMRoleARN: someIAMRoleARN,
+		Timeout:    10 * time.Second,
+	}
+	awsSession, err := CreateSession(&sessionConfig)
+	assert.NotNil(t, err)
+	assert.Nil(t, awsSession)
+	assert.EqualError(t, err, "externalID is required for IAM role")
+}
+
 func TestCreateSessionWithAccessKeys(t *testing.T) {
 	sessionConfig := SessionConfig{
 		Region:      destinationWithAccessKey.Config["region"].(string),