Make the instance metadata fetcher self-contained

This is to provide a clean path to future extension work such as adding
a _use_container_role function to offer similar support for ECS
containers.

The $_using_role flag has also been made generic so that future role
providers can also make use of it.
This commit is contained in:
Mal Graty 2018-02-20 12:40:24 +00:00
parent 693627a858
commit 759f4f2c62

View File

@ -9,7 +9,6 @@
AWS_HOST="route53.amazonaws.com" AWS_HOST="route53.amazonaws.com"
AWS_URL="https://$AWS_HOST" AWS_URL="https://$AWS_HOST"
AWS_METADATA_URL="http://169.254.169.254/latest/meta-data"
AWS_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-use-Amazon-Route53-API" AWS_WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-use-Amazon-Route53-API"
@ -36,7 +35,7 @@ dns_aws_add() {
fi fi
#save for future use, unless using a role which will be fetched as needed #save for future use, unless using a role which will be fetched as needed
if [ -z "$_using_instance_role" ]; then if [ -z "$_using_role" ]; then
_saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
_saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
fi fi
@ -176,14 +175,16 @@ _get_root() {
} }
_use_instance_role() { _use_instance_role() {
if ! _get "$AWS_METADATA_URL/iam/security-credentials/" true 1 | _head_n 1 | grep -Fq 200; then _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
_debug "_url" "$_url"
if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
_err "Unable to fetch IAM role from AWS instance metadata." _err "Unable to fetch IAM role from AWS instance metadata."
return return
fi fi
_aws_role=$(_get "$AWS_METADATA_URL/iam/security-credentials/" "" 1) _aws_role=$(_get "$_url" "" 1)
_debug "_aws_role" "$_aws_role" _debug "_aws_role" "$_aws_role"
_aws_creds="$( _aws_creds="$(
_get "$AWS_METADATA_URL/iam/security-credentials/$_aws_role" "" 1 \ _get "$_url$_aws_role" "" 1 \
| _normalizeJson \ | _normalizeJson \
| tr '{,}' '\n' \ | tr '{,}' '\n' \
| while read -r _line; do | while read -r _line; do
@ -201,7 +202,7 @@ _use_instance_role() {
)" )"
_secure_debug "_aws_creds" "$_aws_creds" _secure_debug "_aws_creds" "$_aws_creds"
eval "$_aws_creds" eval "$_aws_creds"
_using_instance_role=true _using_role=true
} }
#method uri qstr data #method uri qstr data