provider/aws: Fail silently in ValidateCredentials for IAM users
This commit is contained in:
parent
f238e254f4
commit
31fab62bfd
|
@ -180,11 +180,21 @@ func (c *Config) ValidateRegion() error {
|
||||||
return fmt.Errorf("Not a valid region: %s", c.Region)
|
return fmt.Errorf("Not a valid region: %s", c.Region)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate credentials early and fail before we do any graph walking
|
// Validate credentials early and fail before we do any graph walking.
|
||||||
|
// In the case of an IAM role/profile with insuffecient privileges, fail
|
||||||
|
// silently
|
||||||
func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
|
func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
|
||||||
_, err := iamconn.GetUser(nil)
|
_, err := iamconn.GetUser(nil)
|
||||||
|
|
||||||
if awsErr, ok := err.(awserr.Error); ok {
|
if awsErr, ok := err.(awserr.Error); ok {
|
||||||
|
|
||||||
|
if awsErr.Code() == "AccessDenied" {
|
||||||
|
log.Printf("[WARN] AccessDenied Error with iam.GetUser, assuming IAM profile")
|
||||||
|
// User may be an IAM instance profile, or otherwise IAM role without the
|
||||||
|
// GetUser permissions, so fail silently
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
if awsErr.Code() == "SignatureDoesNotMatch" {
|
if awsErr.Code() == "SignatureDoesNotMatch" {
|
||||||
return fmt.Errorf("Failed authenticating with AWS: please verify credentials")
|
return fmt.Errorf("Failed authenticating with AWS: please verify credentials")
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue