
Emulate Boto when using role metadata

Use the behavior established in the botocore python library to inform
how and when instance metadata is fetched in an attempt to acquire valid
AWS credentials.

- Use it as a fallback when no other credentials are provided
- Set the timeout of metadata requests to 1 second
Mal Graty 7 years ago
parent
commit
693627a858
  1. 27
      dnsapi/dns_aws.sh

27
dnsapi/dns_aws.sh

@ -20,12 +20,13 @@ dns_aws_add() {
fulldomain=$1 fulldomain=$1
txtvalue=$2 txtvalue=$2
if [ -n "${AWS_USE_INSTANCE_ROLE:=$(_readaccountconf_mutable AWS_USE_INSTANCE_ROLE)}" ]; then
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
_use_instance_role _use_instance_role
fi fi
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
AWS_ACCESS_KEY_ID="" AWS_ACCESS_KEY_ID=""
AWS_SECRET_ACCESS_KEY="" AWS_SECRET_ACCESS_KEY=""
@ -34,10 +35,8 @@ dns_aws_add() {
return 1 return 1
fi fi
#save for future use
if [ -n "$AWS_USE_INSTANCE_ROLE" ]; then
_saveaccountconf_mutable AWS_USE_INSTANCE_ROLE "$AWS_USE_INSTANCE_ROLE"
else
#save for future use, unless using a role which will be fetched as needed
if [ -z "$_using_instance_role" ]; then
_saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
_saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
fi fi
@ -85,12 +84,13 @@ dns_aws_rm() {
fulldomain=$1 fulldomain=$1
txtvalue=$2 txtvalue=$2
if [ -n "${AWS_USE_INSTANCE_ROLE:=$(_readaccountconf_mutable AWS_USE_INSTANCE_ROLE)}" ]; then
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
_use_instance_role _use_instance_role
fi fi
AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
_debug "First detect the root zone" _debug "First detect the root zone"
if ! _get_root "$fulldomain"; then if ! _get_root "$fulldomain"; then
_err "invalid domain" _err "invalid domain"
@ -176,14 +176,14 @@ _get_root() {
} }
_use_instance_role() { _use_instance_role() {
if ! _get "$AWS_METADATA_URL/iam/security-credentials/" true | _head_n 1 | grep -Fq 200; then
if ! _get "$AWS_METADATA_URL/iam/security-credentials/" true 1 | _head_n 1 | grep -Fq 200; then
_err "Unable to fetch IAM role from AWS instance metadata." _err "Unable to fetch IAM role from AWS instance metadata."
return return
fi fi
_aws_role=$(_get "$AWS_METADATA_URL/iam/security-credentials/")
_aws_role=$(_get "$AWS_METADATA_URL/iam/security-credentials/" "" 1)
_debug "_aws_role" "$_aws_role" _debug "_aws_role" "$_aws_role"
_aws_creds="$( _aws_creds="$(
_get "$AWS_METADATA_URL/iam/security-credentials/$_aws_role" \
_get "$AWS_METADATA_URL/iam/security-credentials/$_aws_role" "" 1 \
| _normalizeJson \ | _normalizeJson \
| tr '{,}' '\n' \ | tr '{,}' '\n' \
| while read -r _line; do | while read -r _line; do
@ -201,6 +201,7 @@ _use_instance_role() {
)" )"
_secure_debug "_aws_creds" "$_aws_creds" _secure_debug "_aws_creds" "$_aws_creds"
eval "$_aws_creds" eval "$_aws_creds"
_using_instance_role=true
} }
#method uri qstr data #method uri qstr data
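Review bot: The role name returned by the metadata service (`_aws_role`, L71) is interpolated into the second request URL at L75 without any validation, and the credential document fetched there is turned into shell assignments that are `eval`'d at L82; since this commit makes the metadata lookup an automatic fallback whenever static keys are absent (L28-29, L54-55), that path now runs on any host that lacks keys, not only on instances where a role was deliberately enabled. A cheap guard before the second `_get` would be to reject names outside the IAM role-name character set, `case "$_aws_role" in ""|*[!A-Za-z0-9+=,.@_-]*) _err "Unexpected IAM role name from instance metadata."; return 1 ;; esac`. The bare `return` at L68 reports the status of `_err` rather than a failure, so the callers at L29 and L55 cannot tell a failed fetch from a successful one and rely entirely on the later empty-key check; `return 1` there would make the fallback's failure explicit. Setting `_using_instance_role=true` only after a successful fetch (L83) so that dns_aws_add skips persisting the temporary credentials to the account conf (L44-47) is the right choice; the `while read` loop that builds `_aws_creds` continues outside the hunk, so whether it restricts the assignments to known keys cannot be confirmed from here.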
