[arvados] updated: 2.7.0-6570-ge1e4cf1e60
git repository hosting
git at public.arvados.org
Wed May 15 14:16:08 UTC 2024
Summary of changes:
lib/cloud/ec2/ec2.go | 40 ++++++++++++++++++++++++----------------
1 file changed, 24 insertions(+), 16 deletions(-)
via e1e4cf1e604f0d2bbf4f959123edbf0b9d3474df (commit)
from 03c62749d21315d1a2020ca663646cff185b63c3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit e1e4cf1e604f0d2bbf4f959123edbf0b9d3474df
Author: Tom Clegg <tom at curii.com>
Date: Tue May 14 11:15:30 2024 -0400
21705: Pass static credentials explicitly instead of using env vars.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
diff --git a/lib/cloud/ec2/ec2.go b/lib/cloud/ec2/ec2.go
index 5eb1afd3b5..bbc898ab58 100644
--- a/lib/cloud/ec2/ec2.go
+++ b/lib/cloud/ec2/ec2.go
@@ -15,7 +15,6 @@ import (
"errors"
"fmt"
"math/big"
- "os"
"regexp"
"strconv"
"strings"
@@ -27,7 +26,8 @@ import (
"git.arvados.org/arvados.git/sdk/go/arvados"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/aws/retry"
- awsconfig "github.com/aws/aws-sdk-go-v2/config"
+ config "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/aws/aws-sdk-go-v2/service/ec2/types"
"github.com/aws/smithy-go"
@@ -120,27 +120,35 @@ type ec2InstanceSet struct {
mInstanceStarts *prometheus.CounterVec
}
-func newEC2InstanceSet(config json.RawMessage, instanceSetID cloud.InstanceSetID, _ cloud.SharedResourceTags, logger logrus.FieldLogger, reg *prometheus.Registry) (prv cloud.InstanceSet, err error) {
+func newEC2InstanceSet(confRaw json.RawMessage, instanceSetID cloud.InstanceSetID, _ cloud.SharedResourceTags, logger logrus.FieldLogger, reg *prometheus.Registry) (prv cloud.InstanceSet, err error) {
instanceSet := &ec2InstanceSet{
instanceSetID: instanceSetID,
logger: logger,
}
- err = json.Unmarshal(config, &instanceSet.ec2config)
+ err = json.Unmarshal(confRaw, &instanceSet.ec2config)
if err != nil {
return nil, err
}
-
- if len(instanceSet.ec2config.AccessKeyID)+len(instanceSet.ec2config.SecretAccessKey) > 0 {
- // AWS SDK will use credentials in environment vars if
- // present.
- os.Setenv("AWS_ACCESS_KEY_ID", instanceSet.ec2config.AccessKeyID)
- os.Setenv("AWS_SECRET_ACCESS_KEY", instanceSet.ec2config.SecretAccessKey)
- } else {
- os.Unsetenv("AWS_ACCESS_KEY_ID")
- os.Unsetenv("AWS_SECRET_ACCESS_KEY")
- }
- awsConfig, err := awsconfig.LoadDefaultConfig(context.TODO(),
- awsconfig.WithRegion(instanceSet.ec2config.Region))
+ awsConfig, err := config.LoadDefaultConfig(context.TODO(),
+ config.WithRegion(instanceSet.ec2config.Region),
+ config.WithCredentialsCacheOptions(func(o *aws.CredentialsCacheOptions) {
+ o.ExpiryWindow = 5 * time.Minute
+ }),
+ func(o *config.LoadOptions) error {
+ if instanceSet.ec2config.AccessKeyID == "" && instanceSet.ec2config.SecretAccessKey == "" {
+ // Use default SDK behavior (IAM role
+ // via IMDSv2)
+ return nil
+ }
+ o.Credentials = credentials.StaticCredentialsProvider{
+ Value: aws.Credentials{
+ AccessKeyID: instanceSet.ec2config.AccessKeyID,
+ SecretAccessKey: instanceSet.ec2config.SecretAccessKey,
+ Source: "Arvados configuration",
+ },
+ }
+ return nil
+ })
if err != nil {
return nil, err
}
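Review bot: In the option func passed to `config.LoadDefaultConfig`, the branch taken when both keys are empty is commented as `IAM role via IMDSv2`, but returning nil there leaves the SDK's whole default credential chain in effect, and that chain consults environment variables and shared config/credentials files before the instance role. The removed code called `os.Unsetenv` on `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in that case, so ambient keys in the process environment are now honoured where they were previously cleared. If that is intended, the comment should say so, e.g. `// Use the SDK default credential chain (env vars, shared config, then IAM role via IMDS)`. Separately, the `&&` test means a config with only one of the two keys set installs a static provider with an empty half, which presumably fails only when credentials are first retrieved; rejecting it up front with `if (instanceSet.ec2config.AccessKeyID == "") != (instanceSet.ec2config.SecretAccessKey == "") { return errors.New("AccessKeyID and SecretAccessKey must be set together") }` would surface the misconfiguration at startup. newEC2InstanceSet continues past the end of the hunk.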
-----------------------------------------------------------------------
hooks/post-receive
--