ignore empty static credentials (minio#27)

This commit fixes a bug affecting the AWS SecretsManager key store. When no access key, secret key or session token is provided the credentials passed to the AWS SDK should be `nil`. This causes the AWS SDK to look for credentials in AWS env. variables, or EC2 metadata. I've verified that this commit fixes the bug reported in minio#26 by creating an AWS EC2 instance and specifying no credentials in the config file. If the correct role (e.g. SecretsManager Read/Write) is attached to the instance specifying no credentials causes the kes server (via AWS SDK) to fetch the temp. credentials from the EC2 metadata. Fixes minio#26
kinjelom · Mar 5, 2020 · 4c173a8 · 4c173a8
1 parent 7aa62ff
commit 4c173a8
Showing 1 changed file with 21 additions and 7 deletions.
diff --git a/internal/aws/secrets-manager.go b/internal/aws/secrets-manager.go
@@ -201,15 +201,29 @@ func (store *SecretsManager) Delete(name string) error {
 // Authenticate tries to establish a connection to
 // the AWS Secrets Manager using the login credentials.
 func (store *SecretsManager) Authenticate() error {
+	credentials := credentials.NewStaticCredentials(
+		store.Login.AccessKey,
+		store.Login.SecretKey,
+		store.Login.SessionToken,
+	)
+	if store.Login.AccessKey == "" && store.Login.SecretKey == "" && store.Login.SessionToken == "" {
+		// If all login credentials (access key, secret key and session token) are empty
+		// we pass no (not empty) credentials to the AWS SDK. The SDK will try to fetch
+		// the credentials from:
+		//  - Environment Variables
+		//  - Shared Credentials file
+		//  - EC2 Instance Metadata
+		// In particular, when running a kes server on an EC2 instance, the SDK will
+		// automatically fetch the temp. credentials from the EC2 metadata service.
+		// See: AWS IAM roles for EC2 instances.
+		credentials = nil
+	}
+
 	session, err := session.NewSessionWithOptions(session.Options{
 		Config: aws.Config{
-			Endpoint: aws.String(store.Addr),
-			Region:   aws.String(store.Region),
-			Credentials: credentials.NewStaticCredentials(
-				store.Login.AccessKey,
-				store.Login.SecretKey,
-				store.Login.SessionToken,
-			),
+			Endpoint:    aws.String(store.Addr),
+			Region:      aws.String(store.Region),
+			Credentials: credentials,
 		},
 		SharedConfigState: session.SharedConfigDisable,
 	})