author | KC Braunschweig <kcb@fb.com> | 2020-10-07 13:56:41 -0700 |
---|---|---|
committer | KC Braunschweig <kcb@fb.com> | 2020-10-08 16:58:25 -0700 |
commit | 0c11a79703104233a2dee6b4e53926c2dd8cd198 (patch) | |
tree | 08608ac85594119f9606653c68556d2947dd2105 | |
parent | 6be2a1af0596fa03dfa0807998107a95218a10b3 (diff) | |
download | ohai-0c11a79703104233a2dee6b4e53926c2dd8cd198.tar.gz |
Include IAM role and info in ec2 data (issue #1524)
Signed-off-by: KC Braunschweig <kcb@fb.com>
Co-authored-by: pete higgins <pete@peterhiggins.org>
-rw-r--r-- | lib/ohai/plugins/ec2.rb | 16 | ||||
-rw-r--r-- | spec/unit/plugins/ec2_spec.rb | 11 |
2 files changed, 19 insertions, 8 deletions
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
index 8d4fdb63..7402dd5a 100644
--- a/lib/ohai/plugins/ec2.rb
+++ b/lib/ohai/plugins/ec2.rb
@@ -122,11 +122,17 @@ Ohai.plugin(:EC2) do
 fetch_metadata.each do |k, v|
 # fetch_metadata returns IAM security credentials, including the IAM user's
 # secret access key. We'd rather not have ohai send this information
- # to the server.
- # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
- next if k == "iam" && !hint?("iam")
-
- ec2[k] = v
+ # to the server. If the instance is associated with an IAM role we grab
+ # only the "info" key and the IAM role name.
+ # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
+ if k == "iam" && !hint?("iam")
+ ec2[:iam] = v.select { |key, value| key == "info" }
+ if v["security-credentials"] && v["security-credentials"].keys.length == 1
+ ec2[:iam]["role_name"] = v["security-credentials"].keys[0]
+ end
+ else
+ ec2[k] = v
+ end
 end
 ec2[:userdata] = fetch_userdata
 ec2[:account_id] = fetch_dynamic_data["accountId"]
diff --git a/spec/unit/plugins/ec2_spec.rb b/spec/unit/plugins/ec2_spec.rb
index d3e6e3d6..32e71238 100644
--- a/spec/unit/plugins/ec2_spec.rb
+++ b/spec/unit/plugins/ec2_spec.rb
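Review bot: The `keys.length == 1` guard on the new `if v["security-credentials"]` line silently drops `role_name` when the listing is empty or holds several entries, and it raises NoMethodError if `fetch_metadata` ever yields `security-credentials` as something other than a Hash — presumably it is always a Hash keyed by role name, as the spec's "MyRole" fixture suggests, but nothing in the plugin says so. A self-documenting guard would be `if v["security-credentials"].is_a?(Hash) && v["security-credentials"].keys.length == 1` preceded by a comment such as `# an instance has at most one instance profile; record nothing rather than guess if the listing is not exactly one entry`. Two smaller points: the `select` block's unused `value` parameter should be `_value` (or the whole call `v.slice("info")` if the supported Ruby is 2.5+), and the retained comment still speaks of "the IAM user's secret access key" although, per the linked AWS page, what lives under `security-credentials/<role>` are presumably the instance role's temporary credentials, which is worth fixing while the comment is being rewritten anyway. Note also that `ec2[:iam]` is now always assigned (an empty hash when `info` is absent) where the old `next` left it unset, so consumers checking `node["ec2"]["iam"].nil?` will see a change. The method enclosing the `fetch_metadata.each` loop starts and ends outside the hunk.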
@@ -240,13 +240,16 @@ describe Ohai::System, "plugin ec2" do allow(plugin).to receive(:hint?).with("iam").and_return(false) end - it "parses ec2 iam/ directory and NOT collect iam/security-credentials/" do + it "parses ec2 iam/ directory and collect info and role_name and NOT collect iam/security-credentials/" do expect(@http_client).to receive(:get) .with("/2012-01-12/meta-data/") .and_return(double("Net::HTTP Response", body: "iam/", code: "200")) expect(@http_client).to receive(:get) .with("/2012-01-12/meta-data/iam/") - .and_return(double("Net::HTTP Response", body: "security-credentials/", code: "200")) + .and_return(double("Net::HTTP Response", body: "info\nsecurity-credentials/", code: "200")) + expect(@http_client).to receive(:get) + .with("/2012-01-12/meta-data/iam/info") + .and_return(double("Net::HTTP Response", body: "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2020-10-08T20:47:08Z\",\n \"InstanceProfileArn\" : \"arn:aws:iam::111111111111:instance-profile/my_profile\",\n \"InstanceProfileId\" : \"AAAAAAAAAAAAAAAAAAAAA\"\n}", code: "200")) expect(@http_client).to receive(:get) .with("/2012-01-12/meta-data/iam/security-credentials/") .and_return(double("Net::HTTP Response", body: "MyRole", code: "200")) @@ -263,7 +266,9 @@ describe Ohai::System, "plugin ec2" do plugin.run expect(plugin[:ec2]).not_to be_nil - expect(plugin[:ec2]["iam"]).to be_nil + expect(plugin[:ec2]["iam"]["info"]["InstanceProfileId"]).to eql "AAAAAAAAAAAAAAAAAAAAA" + expect(plugin[:ec2]["iam"]["security-credentials"]).to be_nil + expect(plugin[:ec2]["iam"]["role_name"]).to eql "MyRole" end end |
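Review bot: The rewritten example only exercises the happy path where `iam/` lists both `info` and exactly one role; nothing pins the behaviour when `info` is missing or `security-credentials/` lists zero or several entries, which is precisely where the new `keys.length == 1` guard in ec2.rb decides what gets recorded. With the old `expect(plugin[:ec2]["iam"]).to be_nil` assertion gone, the fact that `ec2["iam"]` is now a (possibly empty) hash rather than absent when the hint is unset is no longer documented by any spec; a second example whose `iam/` listing is just `security-credentials/` asserting `expect(plugin[:ec2]["iam"]["role_name"]).to eql "MyRole"` and `expect(plugin[:ec2]["iam"]["info"]).to be_nil` would cover it. The inline JSON fixture on the `iam/info` stub would also read better as a `let` or heredoc. The `describe` block these hunks sit in starts outside the hunk.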