From 584ea488bf383ab063b224df877ba786a75a7775 Mon Sep 17 00:00:00 2001
From: "Nathaniel W. Turner"
Date: Mon, 23 May 2016 18:09:16 -0700
Subject: [PATCH] Use role name instead of profile name when iam_role=auto

When using an instance with an IAM Role, transient credentials can be found in http://169.254.169.254/latest/meta-data/ at iam/security-credentials/role-name and s3fs tries to do this. However, it is using the profile-name where role-name is needed. In many cases the role and profile name are the same, but they are not always. The simplest way to find the role name appears to be to GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ itself, which returns a listing of the role names for which temporary credentials exist. (I think there will probably only be one, but we probably want to split on newlines and take the first one here in case that assumption is not valid). This is the approach the AWS SDK appears to use (based on WireShark analysis).
Bug: https://github.com/s3fs-fuse/s3fs-fuse/issues/421
Signed-off-by: Nathaniel W. Turner
---
 src/curl.cpp | 40 +++++-----------------------------------
 src/s3fs.cpp | 2 +-
 2 files changed, 6 insertions(+), 36 deletions(-)
diff --git a/src/curl.cpp b/src/curl.cpp
index da91e1f..f911d81 100644
--- a/src/curl.cpp
+++ b/src/curl.cpp
@@ -315,9 +315,6 @@ void CurlHandlerPool::ReturnHandler(CURL* h)
 #define IAMCRED_ACCESSTOKEN "Token"
 #define IAMCRED_EXPIRATION "Expiration"
 #define IAMCRED_KEYCOUNT 4
-#define IAM_DEFAULT_ROLE_URL "http://169.254.169.254/latest/meta-data/iam/info"
-#define IAMDEFROLE_PROFARN "InstanceProfileArn"
-#define IAMDEFROLE_PROFARN_PART ":instance-profile/"
 // [NOTICE]
 // This symbol is for libcurl under 7.23.0
@@ -1447,40 +1444,13 @@ bool S3fsCurl::ParseIAMRoleFromMetaDataResponse(const char* response, string& ro
 // [NOTE]
 // expected following strings.
 //
- // {
- // "Code" : "Success",
- // "LastUpdated" : "2016-01-01T00:00:00Z",
- // "InstanceProfileArn" : "arn:aws:iam::111111111111:instance-profile/myrolename",
- // "InstanceProfileId" : "AAAAAAAAAAAAAAAAAAAAA"
- // }
+ // myrolename
 //
 istringstream ssrole(response);
 string oneline;
- while(getline(ssrole, oneline, '\n')){
- string::size_type pos;
- if(string::npos != (pos = oneline.find(IAMDEFROLE_PROFARN))){
- if(string::npos == (pos = oneline.find(':', pos + strlen(IAMDEFROLE_PROFARN)))){
- continue;
- }
- if(string::npos == (pos = oneline.find('\"', pos))){
- continue;
- }
-
- // value
- oneline = oneline.substr(pos + sizeof(char));
- if(string::npos == (pos = oneline.find('\"'))){
- continue;
- }
- oneline = oneline.substr(0, pos);
-
- // role name
- if(string::npos == (pos = oneline.find(IAMDEFROLE_PROFARN_PART))){
- continue;
- }
- rolename = oneline.substr(pos + strlen(IAMDEFROLE_PROFARN_PART));
-
- return !rolename.empty();
- }
+ if (getline(ssrole, oneline, '\n')){
+ rolename = oneline;
+ return !rolename.empty();
 }
 return false;
 }
@@ -2384,7 +2354,7 @@ bool S3fsCurl::LoadIAMRoleFromMetaData(void)
 }
 // url
- url = IAM_DEFAULT_ROLE_URL;
+ url = IAM_CRED_URL;
 requestHeaders = NULL;
 responseHeaders.clear();
 bodydata = new BodyData();
diff --git a/src/s3fs.cpp b/src/s3fs.cpp
index 67a2eff..25c3249 100644
--- a/src/s3fs.cpp
+++ b/src/s3fs.cpp
@@ -3354,7 +3354,7 @@ static void* s3fs_init(struct fuse_conn_info* conn)
 // check loading IAM role name
 if(load_iamrole){
- // load IAM role name from http://169.254.169.254/latest/meta-data/iam/info
+ // load IAM role name from http://169.254.169.254/latest/meta-data/iam/security-credentials
 //
 S3fsCurl s3fscurl;
 if(!s3fscurl.LoadIAMRoleFromMetaData()){
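Review bot: The first line of the metadata response is accepted as the role name without any validation in the added `if (getline(ssrole, oneline, '\n'))` branch of ParseIAMRoleFromMetaDataResponse (src/curl.cpp). A trailing `\r`, stray blanks, or the first line of an unexpected body such as an error page would be stored in `rolename` as-is. That value is presumably appended to IAM_CRED_URL for the credentials request (not visible in this diff), so it is worth trimming it and rejecting anything outside the characters IAM permits in role names (alphanumerics and `+=,.@-_`). Whether LoadIAMRoleFromMetaData checks the HTTP status before calling the parser is also not visible here; if it does not, this check is the only filter on the response body. The function's opening lines are outside the hunk.

```cpp
// … unchanged: [NOTE] comment, istringstream ssrole(response) …
string oneline;
if(getline(ssrole, oneline, '\n')){
  // drop a trailing CR or blanks left over from the line split
  string::size_type last = oneline.find_last_not_of(" \t\r");
  oneline = (string::npos == last) ? string() : oneline.substr(0, last + 1);

  // IAM role names are limited to alphanumerics and "+=,.@-_"
  static const char allowed[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+=,.@-_";
  if(oneline.empty() || string::npos != oneline.find_first_not_of(allowed)){
    return false;
  }
  rolename = oneline;
  return true;
}
return false;
```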