ruby-changes:57543
From: Alexander <ko1@a...>
Date: Thu, 5 Sep 2019 19:02:49 +0900 (JST)
Subject: [ruby-changes:57543] d84b9b6d0a (master): [rubygems/rubygems] Use IAM role to extract security-credentials for EC2 instance
https://git.ruby-lang.org/ruby.git/commit/?id=d84b9b6d0a From d84b9b6d0a938cec9f0c1266702d9c4aecc0423a Mon Sep 17 00:00:00 2001 From: Alexander Pakulov <apakulov@s...> Date: Wed, 21 Aug 2019 15:19:10 -0700 Subject: [rubygems/rubygems] Use IAM role to extract security-credentials for EC2 instance https://github.com/rubygems/rubygems/commit/9a401646e1
diff --git a/lib/rubygems/s3_uri_signer.rb b/lib/rubygems/s3_uri_signer.rb
index 4caf071..ff9dde3 100644
--- a/lib/rubygems/s3_uri_signer.rb
+++ b/lib/rubygems/s3_uri_signer.rb
@@ -150,16 +150,23 @@ class Gem::S3URISigner https://github.com/ruby/ruby/blob/trunk/lib/rubygems/s3_uri_signer.rb#L150
 require 'rubygems/request/connection_pools'
 require 'json'
- metadata_uri = URI(EC2_METADATA_CREDENTIALS)
- @request_pool ||= create_request_pool(metadata_uri)
- request = Gem::Request.new(metadata_uri, Net::HTTP::Get, nil, @request_pool)
+ iam_info = ec2_metadata_request(EC2_IAM_INFO)
+ # Expected format: arn:aws:iam::<id>:instance-profile/<role_name>
+ role_name = iam_info['InstanceProfileArn'].split('/')[1]
+ ec2_metadata_request(EC2_IAM_SECURITY_CREDENTIALS + role_name)
+ end
+
+ def ec2_metadata_request(url)
+ uri = URI(url)
+ @request_pool ||= create_request_pool(uri)
+ request = Gem::Request.new(uri, Net::HTTP::Get, nil, @request_pool)
 response = request.fetch
 case response
 when Net::HTTPOK then JSON.parse(response.body)
 else
- raise InstanceProfileError.new("Unable to fetch AWS credentials from #{metadata_uri}: #{response.message} #{response.code}")
+ raise InstanceProfileError.new("Unable to fetch AWS metadata from #{uri}: #{response.message} #{response.code}")
 end
 end
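Review bot: `role_name = iam_info['InstanceProfileArn'].split('/')[1]` raises a bare NoMethodError instead of InstanceProfileError when the iam/info document has no `InstanceProfileArn` key, and it selects the wrong segment when the ARN carries an instance-profile path (IAM allows `instance-profile/<path>/<name>`, where index 1 is the first path element rather than the name the security-credentials endpoint expects). Suggest `arn = iam_info['InstanceProfileArn']`, then `raise InstanceProfileError.new("No InstanceProfileArn in EC2 IAM info") unless arn`, then `role_name = arn.split('/').last`, so callers keep getting the one error type they already rescue. In the new `ec2_metadata_request`, `@request_pool ||= create_request_pool(uri)` binds the memoised pool to whichever URI is requested first; that is harmless here because both constants share the same host, but a comment saying so (`# Pool is keyed off the first metadata URI; both endpoints share the host`) would stop a future caller from passing a different host through this helper. The method whose body begins this hunk has its `def` line outside the hunk; the first added `+ end` closes it.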
@@ -170,6 +177,7 @@ class Gem::S3URISigner https://github.com/ruby/ruby/blob/trunk/lib/rubygems/s3_uri_signer.rb#L177
 end
 BASE64_URI_TRANSLATE = { "+" => "%2B", "/" => "%2F", "=" => "%3D", "\n" => "" }.freeze
- EC2_METADATA_CREDENTIALS = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance".freeze
+ EC2_IAM_INFO = "http://169.254.169.254/latest/meta-data/iam/info".freeze
+ EC2_IAM_SECURITY_CREDENTIALS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/".freeze
 end
-- cgit v0.10.2
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
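Review bot: The trailing `/` on `EC2_IAM_SECURITY_CREDENTIALS` is load-bearing, because the first hunk builds the request URL by plain concatenation (`EC2_IAM_SECURITY_CREDENTIALS + role_name`), and nothing in this hunk records that. A one-line comment on the constant, `# Trailing slash is required: the IAM role name is appended verbatim`, would keep a later tidy-up from silently turning the request into a 404 that surfaces only as InstanceProfileError at runtime. Removing `EC2_METADATA_CREDENTIALS` is consistent with the first hunk, which no longer references it.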