fix: Fix credentials validation in EC2 environment (#6977)
pauloprestes authored and medikoo committed Dec 9, 2019
1 parent be8e64c commit f8ee027
Showing 2 changed files with 31 additions and 15 deletions.
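--- a/lib/plugins/aws/lib/validate.js
+++ b/lib/plugins/aws/lib/validate.js
@@ -35,27 +35,25 @@ module.exports = {
 !process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI
 ) {
 // first check if the EC2 Metadata Service has creds before throwing error
-const metadataService = new this.provider.sdk.MetadataService({
-httpOptions: { timeout: 100, connectTimeout: 100 }, // .1 second timeout
+const ec2Credentials = new this.provider.sdk.EC2MetadataCredentials({
+httpOptions: { timeout: 5000 }, // 5 second timeout
 maxRetries: 0, // retry 0 times
 });
 return new BbPromise((resolve, reject) =>
-metadataService.request('/', (err, data) => {
-return err ? reject(err) : resolve(data);
-})
-)
-.catch(() => null)
-.then(identity => {
-if (!identity) {
+ec2Credentials.load(err => {
+if (err) {
 const message = [
 'AWS provider credentials not found.',
 ' Learn how to set up AWS provider credentials',
 ` in our docs here: <${chalk.green('http://slss.io/aws-creds-setup')}>.`,
 ].join('');
 userStats.track('user_awsCredentialsNotFound');
-throw new this.serverless.classes.Error(message);
+reject(new this.serverless.classes.Error(message));
+} else {
+resolve({});
 }
-});
+})
+);
 }
 return BbPromise.resolve();
 },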
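Review bot: The `err` passed to the `ec2Credentials.load` callback is discarded, so a metadata timeout, an unreachable endpoint and an instance with no role attached all surface as the same "AWS provider credentials not found" message and are all counted by `userStats.track('user_awsCredentialsNotFound')`. Keeping the cause would make a failed lookup diagnosable, for example ``reject(new this.serverless.classes.Error(`${message} (EC2 metadata lookup: ${err.message || err})`));``. The new `httpOptions` also drops `connectTimeout`, so on hosts where the metadata address does not answer, the wait is presumably bounded only by the 5 second `timeout`; that is worth confirming against the SDK. The enclosing function starts above the hunk.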
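--- a/lib/plugins/aws/lib/validate.test.js
+++ b/lib/plugins/aws/lib/validate.test.js
@@ -9,9 +9,13 @@ chai.use(require('chai-as-promised'));
 
 const expect = chai.expect;
 
-class MetadataService {
-request(error) {
-error('error');
+let loadCredentialsMock = callback => {
+callback('error');
+};
+
+class EC2MetadataCredentials {
+load(callback) {
+loadCredentialsMock(callback);
 }
 }
 
@@ -28,7 +32,7 @@ describe('#validate', () => {
 provider = new AwsProvider(serverless, awsPlugin.options);
 provider.cachedCredentials = { accessKeyId: 'foo', secretAccessKey: 'bar' };
 awsPlugin.provider = provider;
-awsPlugin.provider.sdk = { MetadataService };
+awsPlugin.provider.sdk = { EC2MetadataCredentials };
 awsPlugin.serverless = serverless;
 awsPlugin.serverless.setProvider('aws', provider);
 
@@ -97,6 +101,20 @@ describe('#validate', () => {
 });
 });
 
+it('should check the metadata service and pass if return credentials', () => {
+awsPlugin.options.region = false;
+awsPlugin.serverless.service.provider = {
+region: 'some-region',
+};
+provider.cachedCredentials = {};
+
+loadCredentialsMock = callback => callback(null);
+
+return expect(awsPlugin.validate()).to.be.fulfilled.then(() => {
+expect(awsPlugin.options.region).to.equal('some-region');
+});
+});
+
 it('should not check the metadata service if not using a command that needs creds', () => {
 awsPlugin.options.region = false;
 awsPlugin.serverless.service.provider = {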
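Review bot: `loadCredentialsMock` is module-level state that the new test replaces with a succeeding stub (`callback => callback(null)`) and never restores, so every test that runs after it sees the metadata lookup succeed. That makes coverage of the "credentials not found" path order-dependent: a later test that expects rejection would go through the success branch instead. Reset the stub in the suite's setup, e.g. `loadCredentialsMock = callback => callback('error');` inside `beforeEach`. The `describe` body and its setup hook start outside the visible hunks, so confirm where the reset belongs.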
