Additionally constructing role without path. (#31)

Nike-Inc · Dec 5, 2017 · 31ee896 · 31ee896
1 parent aae98f7
commit 31ee896
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 15 deletions.
diff --git a/gradle.properties b/gradle.properties
@@ -13,6 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-version=4.1.0
+version=4.2.0
 groupId=com.nike
 artifactId=cerberus-client
diff --git a/src/main/java/com/nike/cerberus/client/auth/aws/InstanceRoleVaultCredentialsProvider.java b/src/main/java/com/nike/cerberus/client/auth/aws/InstanceRoleVaultCredentialsProvider.java
@@ -42,7 +42,7 @@
  * response using KMS. If the assigned role has been granted the appropriate
  * provisioned for usage of Vault, it will succeed and have a token that can be
  * used to interact with Vault.
- *
+ * <p>
  * This class uses the AWS Instance Metadata endpoint to look-up information automatically.
  *
  * @see <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html">AWS Instance Metadata</a>
@@ -152,8 +152,17 @@ protected static Set<String> buildIamRoleArns(String instanceProfileArn, Set<Str
         final String accountId = instanceProfileInfo.accountId;
         final String path = parsePathFromInstanceProfileName(instanceProfileInfo.profileName);
 
+        // There isn't a 100% reliable method for constructing the role ARN from the meta-data endpoint.
+        // So here we try both with and without the path that was used in the instanceProfileArn.
+        // The only reason we don't try and auth with the instanceProfileArn is it isn't a valid ARN type
+        // that can be included in a KMS key policy.
         for (String roleName : securityCredentialsKeySet) {
-            result.add(buildRoleArn(accountId, path, roleName));
+            if (path != null) {
+                // if path was supplied in instanceProfileArn, we'll try using it first
+                // there is no guarantee that the path used in the instanceProfileArn was also used in the roleArn but it is a common pattern
+                result.add(buildRoleArn(accountId, path, roleName));
+            }
+            result.add(buildRoleArn(accountId, null, roleName));
         }
 
         return result;
@@ -184,7 +193,7 @@ protected static InstanceProfileInfo parseInstanceProfileArn(String instanceProf
 
     /**
      * Parse the path out of a instanceProfileName or return null for no path
-     *
+     * <p>
      * e.g. parse "foo/bar" out of "foo/bar/name"
      */
     protected static String parsePathFromInstanceProfileName(String instanceProfileName) {
@@ -204,7 +213,7 @@ protected static String buildRoleArn(String accountId, String path, String roleN
 
     /**
      * If a path is supplied, prepend it to the role name.
-     *
+     * <p>
      * e.g. roleWithPath(null, "foo") returns "foo".
      * e.g. roleWithPath("bar", "foo") returns "bar/foo".
      * e.g. roleWithPath("bar/more", "foo") returns "bar/more/foo".
@@ -221,9 +230,13 @@ protected static String roleWithPath(String path, String role) {
      * Bean for holding Instance Profile parse results
      */
     protected static class InstanceProfileInfo {
-        /** AWS Account ID */
+        /**
+         * AWS Account ID
+         */
         String accountId;
-        /** Name found after "instance-profile/" in the instance profile ARN, includes paths e.g. "foo/bar/name" */
+        /**
+         * Name found after "instance-profile/" in the instance profile ARN, includes paths e.g. "foo/bar/name"
+         */
         String profileName;
     }
 }
diff --git a/...test/java/com/nike/cerberus/client/auth/aws/InstanceRoleVaultCredentialsProviderTest.java b/...test/java/com/nike/cerberus/client/auth/aws/InstanceRoleVaultCredentialsProviderTest.java
@@ -38,6 +38,7 @@
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 
@@ -155,10 +156,10 @@ public void test_buildIamRoleArns_with_path() {
         Set<String> roles = Sets.newSet("brewmaster-foo-cerberus");
 
         Set<String> results = buildIamRoleArns(instanceProfileArn, roles);
-        assertEquals(1, results.size());
-        String result = results.iterator().next();
-
-        assertEquals("arn:aws:iam::1234567890123:role/brewmaster/foo/brewmaster-foo-cerberus", result);
+        assertEquals(2, results.size());
+        Iterator<String> iterator = results.iterator();
+        assertEquals("arn:aws:iam::1234567890123:role/brewmaster/foo/brewmaster-foo-cerberus", iterator.next());
+        assertEquals("arn:aws:iam::1234567890123:role/brewmaster-foo-cerberus", iterator.next());
     }
 
     @Test
@@ -179,10 +180,7 @@ public void test_buildIamRoleArns_CloudFormation_style_names_with_paths() {
         Set<String> roles = Sets.newSet("foo-cerberus-SDFLKJRWE234");
 
         Set<String> results = buildIamRoleArns(instanceProfileArn, roles);
-        assertEquals(1, results.size());
-        String result = results.iterator().next();
-
-        assertEquals("arn:aws:iam::1234567890123:role/brewmaster/foo/foo-cerberus-SDFLKJRWE234", result);
+        assertEquals(2, results.size());
     }
 
     @Test