From 662f65c3c83a4df0f7b0f0ce61ed462937b83a2e Mon Sep 17 00:00:00 2001
From: Richard Caunt
Date: Sun, 5 Nov 2017 19:24:02 +0000
Subject: [PATCH] Add support for ECS metadata endpoint

---
 src/curl.cpp | 27 ++++++++++++++++++++++++---
 src/curl.h | 2 ++
 src/s3fs.cpp | 10 ++++++++++
 src/s3fs_util.cpp | 4 ++++
 4 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/src/curl.cpp b/src/curl.cpp
index aab2379..65fc9f9 100644
--- a/src/curl.cpp
+++ b/src/curl.cpp
@@ -320,7 +320,9 @@ void CurlHandlerPool::ReturnHandler(CURL* h)
 #define MAX_MULTI_COPY_SOURCE_SIZE 524288000 // 500MB
 #define IAM_EXPIRE_MERGIN (20 * 60) // update timing
-#define IAM_CRED_URL "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+#define IAM_BASE_URL "http://169.254.169.254"
+#define IAM_CRED_URL "/latest/meta-data/iam/security-credentials/"
+#define ECS_IAM_ENV_VAR "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
 #define IAMCRED_ACCESSKEYID "AccessKeyId"
 #define IAMCRED_SECRETACCESSKEY "SecretAccessKey"
 #define IAMCRED_ACCESSTOKEN "Token"
@@ -357,6 +359,7 @@ string S3fsCurl::AWSAccessKeyId;
 string S3fsCurl::AWSSecretAccessKey;
 string S3fsCurl::AWSAccessToken;
 time_t S3fsCurl::AWSAccessTokenExpire= 0;
+bool S3fsCurl::is_ecs = false;
 string S3fsCurl::IAM_role;
 long S3fsCurl::ssl_verify_hostname = 1; // default(original code...)
 curltime_t S3fsCurl::curl_times;
@@ -1133,6 +1136,13 @@ long S3fsCurl::SetSslVerifyHostname(long value)
 return old;
 }
+bool S3fsCurl::SetIsECS(bool flag)
+{
+ bool old = S3fsCurl::is_ecs;
+ S3fsCurl::is_ecs = flag;
+ return old;
+}
+
 string S3fsCurl::SetIAMRole(const char* role)
 {
 string old = S3fsCurl::IAM_role;
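Review bot: The same IAM_BASE_URL (169.254.169.254, the EC2 instance-metadata address) is used for both the instance path and the new ECS path, but AWS documents AWS_CONTAINER_CREDENTIALS_RELATIVE_URI as relative to the separate ECS credentials endpoint `http://169.254.170.2`; unless this has been confirmed to work inside an ECS task, the `ecs` option will query the wrong host. Consider a dedicated `#define ECS_IAM_BASE_URL "http://169.254.170.2"` beside ECS_IAM_ENV_VAR and using it in the ECS branch of GetIAMCredentials. A comment on ECS_IAM_ENV_VAR would also help a reader: `// set by the ECS agent for tasks with a task role; value is a path relative to the ECS credentials endpoint`.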
@@ -2348,7 +2358,13 @@ int S3fsCurl::GetIAMCredentials(void)
 }
 // url
- url = string(IAM_CRED_URL) + S3fsCurl::IAM_role;
+ if (is_ecs) {
+ url = string(IAM_BASE_URL) + std::getenv(ECS_IAM_ENV_VAR);
+ }
+ else {
+ url = string(IAM_BASE_URL) + string(IAM_CRED_URL) + S3fsCurl::IAM_role;
+ }
+
 requestHeaders = NULL;
 responseHeaders.clear();
 bodydata = new BodyData();
@@ -2385,7 +2401,12 @@ bool S3fsCurl::LoadIAMRoleFromMetaData(void)
 }
 // url
- url = IAM_CRED_URL;
+ //if (is_ecs) {
+ // url = string(IAM_BASE_URL) + std::getenv(ECS_IAM_ENV_VAR);
+ //}
+ //else {
+ url = string(IAM_BASE_URL) + string(IAM_CRED_URL);
+ //}
 requestHeaders = NULL;
 responseHeaders.clear();
 bodydata = new BodyData();
diff --git a/src/curl.h b/src/curl.h
index be9feb5..f9d35bc 100644
--- a/src/curl.h
+++ b/src/curl.h
@@ -230,6 +230,7 @@ class S3fsCurl
 static std::string AWSSecretAccessKey;
 static std::string AWSAccessToken;
 static time_t AWSAccessTokenExpire;
+ static bool is_ecs;
 static std::string IAM_role;
 static long ssl_verify_hostname;
 static curltime_t curl_times;
@@ -370,6 +371,7 @@ class S3fsCurl
 static long GetSslVerifyHostname(void) { return S3fsCurl::ssl_verify_hostname; }
 static int SetMaxParallelCount(int value);
 static int GetMaxParallelCount(void) { return S3fsCurl::max_parallel_cnt; }
+ static bool SetIsECS(bool flag);
 static std::string SetIAMRole(const char* role);
 static const char* GetIAMRole(void) { return S3fsCurl::IAM_role.c_str(); }
 static bool SetMultipartSize(off_t size);
diff --git a/src/s3fs.cpp b/src/s3fs.cpp
index e38e699..d2ae893 100644
--- a/src/s3fs.cpp
+++ b/src/s3fs.cpp
@@ -122,6 +122,7 @@ static bool is_s3fs_uid = false;// default does not set.
 static bool is_s3fs_gid = false;// default does not set.
 static bool is_s3fs_umask = false;// default does not set.
 static bool is_remove_cache = false;
+static bool is_ecs = false;
 static bool is_use_xattr = false;
 static bool create_bucket = false;
 static int64_t singlepart_copy_limit = FIVE_GB;
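Review bot: In the `is_ecs` branch `std::getenv(ECS_IAM_ENV_VAR)` returns a null pointer whenever the variable is absent (for example `ecs` passed on a host that is not an ECS task), and appending a null `const char*` to a std::string is undefined behaviour rather than a clean failure, so the mount would crash instead of reporting a misconfiguration. Read the value into a local and reject an unset or empty one before building the URL: `const char* rel = std::getenv(ECS_IAM_ENV_VAR);` / `if(!rel || !*rel){ /* log that AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set */ return -EIO; }` / `url = string(IAM_BASE_URL) + rel;` — substituting whatever failure value the function's other error paths return, which are outside the hunk. GetIAMCredentials begins before and ends after this hunk.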
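Review bot: The commented-out `is_ecs` branch in LoadIAMRoleFromMetaData reads as unfinished work; either delete it or replace it with a guard that states the intent, since the option parser only rejects `iam_role` when `ecs` was parsed first and this function can therefore still run with `is_ecs` set and query the instance-metadata role listing from inside a container. A guard such as `if(is_ecs){ return false; }` preceded by the comment `// ECS task credentials are fetched from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and carry no role name to look up` would make the behaviour explicit, assuming false is this function's failure value (its other return paths are outside the hunk). LoadIAMRoleFromMetaData begins before and ends after this hunk.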
@@ -4508,7 +4509,16 @@ static int my_fuse_opt_proc(void* data, const char* arg, int key, struct fuse_ar
 passwd_file = strchr(arg, '=') + sizeof(char);
 return 0;
 }
+ if(0 == strcmp(arg, "ecs")){
+ S3fsCurl::SetIsECS(true);
+ is_ecs = true;
+ return 0;
+ }
 if(0 == STR2NCMP(arg, "iam_role")){
+ if (is_ecs) {
+ S3FS_PRN_EXIT("option iam_role cannot be used in conjunction with ecs");
+ return -1;
+ }
 if(0 == strcmp(arg, "iam_role") || 0 == strcmp(arg, "iam_role=auto")){
 // loading IAM role name in s3fs_init(), because we need to wait initializing curl.
 //
diff --git a/src/s3fs_util.cpp b/src/s3fs_util.cpp
index 9dafb6c..92ab38a 100644
--- a/src/s3fs_util.cpp
+++ b/src/s3fs_util.cpp
@@ -1167,6 +1167,10 @@ void show_help (void)
 " enable_content_md5 (default is disable)\n"
 " - ensure data integrity during writes with MD5 hash.\n"
 "\n"
+ " ecs\n"
+ " - This option instructs s3fs to query the ECS container credential\n"
+ " metadata address instead of the instance metadata address.\n"
+ "\n"
 " iam_role (default is no IAM role)\n"
 " - This option requires the IAM role name or \"auto\". If you specify\n"
 " \"auto\", s3fs will automatically use the IAM role names that are set\n"
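Review bot: The mutual-exclusion check added inside the `iam_role` branch only fires when `ecs` appears earlier on the command line; with `-o iam_role=auto,ecs` the role option is accepted first, `ecs` then sets `is_ecs`, and both remain in effect with no error. Either mirror the check in the `ecs` branch against whatever records that iam_role was given (GetIAMRole() alone is not enough, since `auto` is resolved later in s3fs_init per the comment in this hunk), or move the conflict check to the post-parse validation outside this callback so it is order-independent. As a style point, the new lines use `if (is_ecs) {` while the surrounding code writes `if(0 == strcmp(arg, "ecs")){`; matching the file's existing brace and spacing convention would keep the function uniform. my_fuse_opt_proc begins before and ends after this hunk.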
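Review bot: The help text for `ecs` omits two facts the code in this patch depends on: that the option reads the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable (which the ECS agent sets for tasks with a task role) and that it cannot be combined with `iam_role`. Suggested additional lines after the existing description: `"      This requires the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment\n"` / `"      variable, which the ECS agent sets for tasks with a task role; it\n"` / `"      cannot be used together with iam_role.\n"`. show_help begins before and ends after this hunk.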