fixup! Implement AWS IMDSv2 support

2024-11-18 02:05:13 +00:00 · 2020-10-30 09:59:55 -07:00 · 2020-10-30 09:59:55 -07:00 · d96a08d4ad
commit d96a08d4ad
parent f2f930300a
4 changed files with 34 additions and 28 deletions
--- a/doc/man/s3fs.1
+++ b/doc/man/s3fs.1
@ -255,6 +255,12 @@ This option instructs s3fs to query the ECS container credential metadata addres
 \fB\-o\fR iam_role (default is no IAM role)
 This option requires the IAM role name or "auto". If you specify "auto", s3fs will automatically use the IAM role names that are set to an instance. If you specify this option without any argument, it is the same as that you have specified the "auto".
 .TP
+\fB\-o\fR imdsv1only (default is to use IMDSv2 with fallback to v1)
+AWS instance metadata service, used with IAM role authentication,
+supports the use of an API token.  If you're using an IAM role in an
+environment that does not support IMDSv2, setting this flag will skip
+retrieval and usage of the API token when retrieving IAM credentials.
+
 \fB\-o\fR ibm_iam_auth (default is not using IBM IAM authentication)
 This option instructs s3fs to use IBM IAM authentication. In this mode, the AWSAccessKey and AWSSecretKey will be used as IBM's Service-Instance-ID and APIKey, respectively.
 .TP
--- a/src/curl.cpp
+++ b/src/curl.cpp
@ -1093,8 +1093,8 @@ std::string S3fsCurl::SetIAMExpiryField(const char* expiry_field)

 bool S3fsCurl::SetIMDSVersion(int version)
 {
-	S3fsCurl::IAM_api_version = version;
-	return true;
+    S3fsCurl::IAM_api_version = version;
+    return true;
 }

 bool S3fsCurl::SetMultipartSize(off_t size)
@ -1672,7 +1672,7 @@ bool S3fsCurl::SetIAMv2APIToken(const char* response)
 {
    S3FS_PRN_INFO3("Setting AWS IMDSv2 API token to %s", response);
    S3fsCurl::IAMv2_api_token = std::string(response);
-	return true;
+    return true;
 }

 bool S3fsCurl::SetIAMCredentials(const char* response)
@ -2756,23 +2756,23 @@ int S3fsCurl::GetIAMCredentials()
        }
        url = std::string(S3fsCurl::IAM_cred_url) + env;
    }else{
-		if(S3fsCurl::IAM_api_version > 1){
-			int result = GetIAMv2ApiToken();
-			if(-ENOENT == result){
-				// If we get a 404 back when requesting the token service,
-				// then it's highly likely we're running in an environment
-				// that doesn't support the AWS IMDSv2 API, so we'll skip
-				// the token retrieval in the future.
-				SetIMDSVersion(1);
-			}else if(result != 0){
-				// If we get an unexpected error when retrieving the API
-				// token, log it but continue.  Requirement for including
-				// an API token with the metadata request may or may not
-				// be required, so we should not abort here.
-				S3FS_PRN_ERR("AWS IMDSv2 token retrieval failed: %d", result);
-			}
-		}
-
+        if(S3fsCurl::IAM_api_version > 1){
+            int result = GetIAMv2ApiToken();
+            if(-ENOENT == result){
+                // If we get a 404 back when requesting the token service,
+                // then it's highly likely we're running in an environment
+                // that doesn't support the AWS IMDSv2 API, so we'll skip
+                // the token retrieval in the future.
+                SetIMDSVersion(1);
+            }else if(result != 0){
+                // If we get an unexpected error when retrieving the API
+                // token, log it but continue.  Requirement for including
+                // an API token with the metadata request may or may not
+                // be required, so we should not abort here.
+                S3FS_PRN_ERR("AWS IMDSv2 token retrieval failed: %d", result);
+            }
+        }
+        
        url = std::string(S3fsCurl::IAM_cred_url) + S3fsCurl::IAM_role;
    }

--- a/src/curl.h
+++ b/src/curl.h
@ -356,7 +356,7 @@ class S3fsCurl
        static void InitUserAgent();
        static bool SetRequesterPays(bool flag) { bool old_flag = S3fsCurl::requester_pays; S3fsCurl::requester_pays = flag; return old_flag; }
        static bool IsRequesterPays() { return S3fsCurl::requester_pays; }
-		static bool SetIMDSVersion(int version);
+        static bool SetIMDSVersion(int version);

        // methods
        bool CreateCurlHandle(bool only_pool = false, bool remake = false);
--- a/src/s3fs_help.cpp
+++ b/src/s3fs_help.cpp
@ -313,13 +313,13 @@ static const char help_string[] =
    "      \"auto\", s3fs will automatically use the IAM role names that are set\n"
    "      to an instance. If you specify this option without any argument, it\n"
    "      is the same as that you have specified the \"auto\".\n"
-	"\n"
-	"   imdsv1only (default is to use IMDSv2)\n"
-	"      - AWS instance metadata service, used IAM role authentication\n"
-	"      supports the use of an API token.  If you're using an IAM role\n"
-	"      in an environment that does not support IMDSv2, setting this flag\n"
-	"      will skip retrieval and usage of the API token when retrieving\n"
-	"      IAM credentials.\n"
+    "\n"
+    "   imdsv1only (default is to use IMDSv2 with fallback to v1)\n"
+    "      - AWS instance metadata service, used with IAM role authentication,\n"
+    "      supports the use of an API token.  If you're using an IAM role\n"
+    "      in an environment that does not support IMDSv2, setting this flag\n"
+    "      will skip retrieval and usage of the API token when retrieving\n"
+    "      IAM credentials.\n"
    "\n"
    "   ibm_iam_auth (default is not using IBM IAM authentication)\n"
    "      - This option instructs s3fs to use IBM IAM authentication.\n"