From 6fed5eb8f0892a2f9c426185b2874da665c07ffc Mon Sep 17 00:00:00 2001
From: Radek Simko
Date: Mon, 20 Jun 2016 23:14:07 +0100
Subject: [PATCH] aws: Use new STS endpoint to validate creds (#6536)
---
 builtin/providers/aws/config.go | 22 +++-------------------
 1 file changed, 3 insertions(+), 19 deletions(-)
diff --git a/builtin/providers/aws/config.go b/builtin/providers/aws/config.go
index 987c0dd26..b4430fb4e 100644
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@@ -182,7 +182,7 @@ func (c *Config) Client() (interface{}, error) {
 log.Println("[INFO] Initializing STS connection")
 client.stsconn = sts.New(sess)
-err = c.ValidateCredentials(client.iamconn)
+err = c.ValidateCredentials(client.stsconn)
 if err != nil {
 errs = append(errs, err)
 return nil, &multierror.Error{Errors: errs}
@@ -336,24 +336,8 @@ func (c *Config) ValidateRegion() error {
 }
 // Validate credentials early and fail before we do any graph walking.
-// In the case of an IAM role/profile with insuffecient privileges, fail
-// silently
-func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
-_, err := iamconn.GetUser(nil)
-
-if awsErr, ok := err.(awserr.Error); ok {
-if awsErr.Code() == "AccessDenied" || awsErr.Code() == "ValidationError" {
-log.Printf("[WARN] AccessDenied Error with iam.GetUser, assuming IAM role")
-// User may be an IAM instance profile, or otherwise IAM role without the
-// GetUser permissions, so fail silently
-return nil
-}
-
-if awsErr.Code() == "SignatureDoesNotMatch" {
-return fmt.Errorf("Failed authenticating with AWS: please verify credentials")
-}
-}
-
+func (c *Config) ValidateCredentials(stsconn *sts.STS) error {
+_, err := stsconn.GetCallerIdentity(&sts.GetCallerIdentityInput{})
 return err
 }
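Review bot: The rewritten `ValidateCredentials` returns the raw SDK error from `GetCallerIdentity` and drops the old explicit "please verify credentials" hint for `SignatureDoesNotMatch`, so a wrong secret key now lands in `Client()`'s multierror as a bare STS error with nothing saying that provider credential validation is what failed; wrap it, e.g. `return fmt.Errorf("error validating provider credentials: %s", err)` (this file predates `%w`, and the wrap also keeps the `fmt` import in use if this hunk removed its last caller, which I cannot tell from here). The surviving doc comment should also record why the AccessDenied/ValidationError carve-outs went away: `GetCallerIdentity` needs no IAM permissions and cannot be denied by policy, so a line such as `// GetCallerIdentity requires no permissions, so any error means unusable credentials or an unreachable STS endpoint.` tells the next maintainer not to reintroduce a silent pass. The parameter type change from `*iam.IAM` to `*sts.STS` is matched by the one call site in the first hunk; any other callers (tests, for instance) are outside this diff. `ValidateCredentials` is fully inside the hunk, while `ValidateRegion` starts outside it.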