author | Tim Smith <tsmith@chef.io> | 2020-10-14 11:39:52 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-14 11:39:52 -0700 |
commit | 75d4610c20b8dde0ab3d2a9a65e8cc6a2c557225 (patch) | |
tree | cef820c45c7d7b4a017a85ae98a8abd49b6ebe75 | |
parent | b6230ade96386ba51a89b76b2e9220e70548a61a (diff) | |
parent | 0c11a79703104233a2dee6b4e53926c2dd8cd198 (diff) | |
download | ohai-75d4610c20b8dde0ab3d2a9a65e8cc6a2c557225.tar.gz |
Merge pull request #1525 from kcbraunschweig/issue1524
Include IAM role in ec2 data (issue #1524)
-rw-r--r-- | lib/ohai/plugins/ec2.rb | 16 | ||||
-rw-r--r-- | spec/unit/plugins/ec2_spec.rb | 11 |
2 files changed, 19 insertions, 8 deletions
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
index 073ff780..abe23455 100644
--- a/lib/ohai/plugins/ec2.rb
+++ b/lib/ohai/plugins/ec2.rb
@@ -122,11 +122,17 @@ Ohai.plugin(:EC2) do
 fetch_metadata.each do |k, v|
 # fetch_metadata returns IAM security credentials, including the IAM user's
 # secret access key. We'd rather not have ohai send this information
- # to the server.
- # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
- next if k == "iam" && !hint?("iam")
-
- ec2[k] = v
+ # to the server. If the instance is associated with an IAM role we grab
+ # only the "info" key and the IAM role name.
+ # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
+ if k == "iam" && !hint?("iam")
+ ec2[:iam] = v.select { |key, value| key == "info" }
+ if v["security-credentials"] && v["security-credentials"].keys.length == 1
+ ec2[:iam]["role_name"] = v["security-credentials"].keys[0]
+ end
+ else
+ ec2[k] = v
+ end
 end
 ec2[:userdata] = fetch_userdata
 ec2[:account_id] = fetch_dynamic_data["accountId"]
diff --git a/spec/unit/plugins/ec2_spec.rb b/spec/unit/plugins/ec2_spec.rb
index e1641b89..c205953c 100644
--- a/spec/unit/plugins/ec2_spec.rb
+++ b/spec/unit/plugins/ec2_spec.rb
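Review bot: The new `ec2[:iam] = v.select { |key, value| key == "info" }` line leaves `value` unused and, when the `iam/` listing carries no `info` entry, stores an empty hash under `ec2[:iam]` where the old `next` left the key unset; `ec2[:iam] = v.select { |key, _value| key == "info" }` fixes the first, and `ec2.delete(:iam) if ec2[:iam].empty?` after the role-name step would keep the old absent-key contract for consumers that test `node["ec2"]["iam"]` for presence. The allow-list shape itself is the right one: only the `info` document and the role name reach the server, and everything under `security-credentials` (presumably the role's temporary AccessKeyId/SecretAccessKey/Token, per the linked AWS page) is dropped; `InstanceProfileArn` in `info` does embed the account ID, but `ec2[:account_id]` on the last context line already reports it, so no new disclosure appears to be introduced. The leading comment still says "the IAM user's secret access key" although the branch handles instance-profile roles; `# fetch_metadata returns the IAM role's temporary security credentials, including` would read accurately. The enclosing plugin block starts and ends outside the hunk.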
@@ -240,13 +240,16 @@ describe Ohai::System, "plugin ec2" do
 allow(plugin).to receive(:hint?).with("iam").and_return(false)
 end
 
- it "parses ec2 iam/ directory and NOT collect iam/security-credentials/" do
+ it "parses ec2 iam/ directory and collect info and role_name and NOT collect iam/security-credentials/" do
 expect(@http_client).to receive(:get)
 .with("/2012-01-12/meta-data/")
 .and_return(double("Net::HTTP Response", body: "iam/", code: "200"))
 expect(@http_client).to receive(:get)
 .with("/2012-01-12/meta-data/iam/")
- .and_return(double("Net::HTTP Response", body: "security-credentials/", code: "200"))
+ .and_return(double("Net::HTTP Response", body: "info\nsecurity-credentials/", code: "200"))
+ expect(@http_client).to receive(:get)
+ .with("/2012-01-12/meta-data/iam/info")
+ .and_return(double("Net::HTTP Response", body: "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2020-10-08T20:47:08Z\",\n \"InstanceProfileArn\" : \"arn:aws:iam::111111111111:instance-profile/my_profile\",\n \"InstanceProfileId\" : \"AAAAAAAAAAAAAAAAAAAAA\"\n}", code: "200"))
 expect(@http_client).to receive(:get)
 .with("/2012-01-12/meta-data/iam/security-credentials/")
 .and_return(double("Net::HTTP Response", body: "MyRole", code: "200"))
@@ -263,7 +266,9 @@ describe Ohai::System, "plugin ec2" do
 plugin.run
 
 expect(plugin[:ec2]).not_to be_nil
- expect(plugin[:ec2]["iam"]).to be_nil
+ expect(plugin[:ec2]["iam"]["info"]["InstanceProfileId"]).to eql "AAAAAAAAAAAAAAAAAAAAA"
+ expect(plugin[:ec2]["iam"]["security-credentials"]).to be_nil
+ expect(plugin[:ec2]["iam"]["role_name"]).to eql "MyRole"
 end
 end
 
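Review bot: The added assertions in the second hunk check that `security-credentials` is nil but not that nothing else from `iam/` leaked into the node data; an allow-list assertion, `expect(plugin[:ec2]["iam"].keys).to contain_exactly("info", "role_name")`, would fail the moment the plugin forwarded any additional key. The first hunk only exercises the happy path where `security-credentials/` lists exactly one role; a case where that listing returns an empty body, asserting `role_name` is absent, would pin the `keys.length == 1` guard in the plugin. The `it` block's body continues outside both hunks, so the stub for `iam/security-credentials/MyRole` that presumably returns the credential JSON is not visible here.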