Merge pull request #28535 from techhat/fixcreds

Fail gracefully if 169.254* isn't available
2025-04-17 10:10:20 +00:00 · 2015-11-03 15:39:38 -07:00 · 2015-11-03 15:39:38 -07:00 · 7e22e7cf24
commit 7e22e7cf24
parent 9a5208e8aa 8d9224bd09
2 changed files with 22 additions and 14 deletions
--- a/salt/utils/aws.py
+++ b/salt/utils/aws.py
@ -76,21 +76,27 @@ def creds(provider):
                # Current timestamp less than expiration fo cached credentials
                return __AccessKeyId__, __SecretAccessKey__, __Token__
        # We don't have any cached credentials, or they are expired, get them
-        # TODO: Wrap this with a try and handle exceptions gracefully

        # Connections to instance meta-data must fail fast and never be proxied
-        result = requests.get(
-            "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
-            proxies={'http': ''}, timeout=AWS_METADATA_TIMEOUT,
-        )
-        result.raise_for_status()
-        role = result.text
-        # TODO: Wrap this with a try and handle exceptions gracefully
-        result = requests.get(
-            "http://169.254.169.254/latest/meta-data/iam/security-credentials/{0}".format(role),
-            proxies={'http': ''}, timeout=AWS_METADATA_TIMEOUT,
-        )
-        result.raise_for_status()
+        try:
+            result = requests.get(
+                "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
+                proxies={'http': ''}, timeout=AWS_METADATA_TIMEOUT,
+            )
+            result.raise_for_status()
+            role = result.text
+        except (requests.exceptions.HTTPError, requests.exceptions.ConnectTimeout):
+            return provider['id'], provider['key'], ''
+
+        try:
+            result = requests.get(
+                "http://169.254.169.254/latest/meta-data/iam/security-credentials/{0}".format(role),
+                proxies={'http': ''}, timeout=AWS_METADATA_TIMEOUT,
+            )
+            result.raise_for_status()
+        except (requests.exceptions.HTTPError, requests.exceptions.ConnectTimeout):
+            return provider['id'], provider['key'], ''
+
        data = result.json()
        __AccessKeyId__ = data['AccessKeyId']
        __SecretAccessKey__ = data['SecretAccessKey']
--- a/salt/utils/s3.py
+++ b/salt/utils/s3.py
@ -85,8 +85,10 @@ def query(key, keyid, method='GET', params=None, headers=None,
        endpoint = service_url

    # Try grabbing the credentials from the EC2 instance IAM metadata if available
-    if not key or not keyid:
+    if not key:
        key = salt.utils.aws.IROLE_CODE
+
+    if not keyid:
        keyid = salt.utils.aws.IROLE_CODE

    data = ''