Merge pull request #26378 from stanislavb/2015.5

Fix EC2 credentials from IAM roles for s3fs and s3 ext_pillar in 2015.5
2025-04-17 10:10:20 +00:00 · 2015-08-18 08:01:53 -06:00 · 2015-08-18 08:01:53 -06:00 · 952da7abaf
commit 952da7abaf
parent 09e96dce39 39ce3127cd
3 changed files with 13 additions and 8 deletions
--- a/salt/pillar/s3.py
+++ b/salt/pillar/s3.py
@ -21,10 +21,11 @@ options
 The ``bucket`` parameter specifies the target S3 bucket. It is required.

 The ``keyid`` parameter specifies the key id to use when access the S3 bucket.
-It is required.
+If it is not provided, an attempt to fetch it from EC2 instance meta-data will
+be made.

-The ``key`` parameter specifies the key to use when access the S3 bucket. It
-is required.
+The ``key`` parameter specifies the key to use when access the S3 bucket. If it
+is not provided, an attempt to fetch it from EC2 instance meta-data will be made.

 The ``multiple_env`` defaults to False. It specifies whether the pillar should
 interpret top level folders as pillar environments (see mode section below).
@ -109,8 +110,8 @@ class S3Credentials(object):
 def ext_pillar(minion_id,
               pillar,  # pylint: disable=W0613
               bucket,
-               key,
-               keyid,
+               key=None,
+               keyid=None,
               verify_ssl=True,
               location=None,
               multiple_env=False,
--- a/salt/utils/aws.py
+++ b/salt/utils/aws.py
@ -169,8 +169,13 @@ def sig4(method, endpoint, params, prov_dict,
        endpoint,
        amzdate,
    )
+
    signed_headers = 'host;x-amz-date'

+    if token != '':
+        canonical_headers += 'x-amz-security-token:{0}\n'.format(token)
+        signed_headers += ';x-amz-security-token'
+
    algorithm = 'AWS4-HMAC-SHA256'

    # Create payload hash (hash of the request body content). For GET
--- a/salt/utils/s3.py
+++ b/salt/utils/s3.py
@ -88,9 +88,8 @@ def query(key, keyid, method='GET', params=None, headers=None,

    # Try grabbing the credentials from the EC2 instance IAM metadata if available
    if not key or not keyid:
-        iam_creds = iam.get_iam_metadata()
-        key = iam_creds['secret_key']
-        keyid = iam_creds['access_key']
+        key = salt.utils.aws.IROLE_CODE
+        keyid = salt.utils.aws.IROLE_CODE

    if not location:
        location = iam.get_iam_region()