Diffstat (limited to 'vendor/github.com/aws/aws-sdk-go/aws/session/session.go')
-rw-r--r--vendor/github.com/aws/aws-sdk-go/aws/session/session.go226
1 files changed, 58 insertions, 168 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
index be4b5f0..3a28da5 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
@@ -8,19 +8,17 @@ import (
8 "io/ioutil" 8 "io/ioutil"
9 "net/http" 9 "net/http"
10 "os" 10 "os"
11 "time"
11 12
12 "github.com/aws/aws-sdk-go/aws" 13 "github.com/aws/aws-sdk-go/aws"
13 "github.com/aws/aws-sdk-go/aws/awserr" 14 "github.com/aws/aws-sdk-go/aws/awserr"
14 "github.com/aws/aws-sdk-go/aws/client" 15 "github.com/aws/aws-sdk-go/aws/client"
15 "github.com/aws/aws-sdk-go/aws/corehandlers" 16 "github.com/aws/aws-sdk-go/aws/corehandlers"
16 "github.com/aws/aws-sdk-go/aws/credentials" 17 "github.com/aws/aws-sdk-go/aws/credentials"
17 "github.com/aws/aws-sdk-go/aws/credentials/processcreds"
18 "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
19 "github.com/aws/aws-sdk-go/aws/csm" 18 "github.com/aws/aws-sdk-go/aws/csm"
20 "github.com/aws/aws-sdk-go/aws/defaults" 19 "github.com/aws/aws-sdk-go/aws/defaults"
21 "github.com/aws/aws-sdk-go/aws/endpoints" 20 "github.com/aws/aws-sdk-go/aws/endpoints"
22 "github.com/aws/aws-sdk-go/aws/request" 21 "github.com/aws/aws-sdk-go/aws/request"
23 "github.com/aws/aws-sdk-go/internal/shareddefaults"
24) 22)
25 23
26const ( 24const (
@@ -107,7 +105,15 @@ func New(cfgs ...*aws.Config) *Session {
107 105
108 s := deprecatedNewSession(cfgs...) 106 s := deprecatedNewSession(cfgs...)
109 if envCfg.CSMEnabled { 107 if envCfg.CSMEnabled {
110 enableCSM(&s.Handlers, envCfg.CSMClientID, envCfg.CSMPort, s.Config.Logger) 108 err := enableCSM(&s.Handlers, envCfg.CSMClientID,
109 envCfg.CSMHost, envCfg.CSMPort, s.Config.Logger)
110 if err != nil {
111 err = fmt.Errorf("failed to enable CSM, %v", err)
112 s.Config.Logger.Log("ERROR:", err.Error())
113 s.Handlers.Validate.PushBack(func(r *request.Request) {
114 r.Error = err
115 })
116 }
111 } 117 }
112 118
113 return s 119 return s
@@ -210,6 +216,12 @@ type Options struct {
210 // the config enables assume role wit MFA via the mfa_serial field. 216 // the config enables assume role wit MFA via the mfa_serial field.
211 AssumeRoleTokenProvider func() (string, error) 217 AssumeRoleTokenProvider func() (string, error)
212 218
219 // When the SDK's shared config is configured to assume a role this option
220 // may be provided to set the expiry duration of the STS credentials.
221 // Defaults to 15 minutes if not set as documented in the
222 // stscreds.AssumeRoleProvider.
223 AssumeRoleDuration time.Duration
224
213 // Reader for a custom Credentials Authority (CA) bundle in PEM format that 225 // Reader for a custom Credentials Authority (CA) bundle in PEM format that
214 // the SDK will use instead of the default system's root CA bundle. Use this 226 // the SDK will use instead of the default system's root CA bundle. Use this
215 // only if you want to replace the CA bundle the SDK uses for TLS requests. 227 // only if you want to replace the CA bundle the SDK uses for TLS requests.
@@ -224,6 +236,12 @@ type Options struct {
224 // to also enable this feature. CustomCABundle session option field has priority 236 // to also enable this feature. CustomCABundle session option field has priority
225 // over the AWS_CA_BUNDLE environment variable, and will be used if both are set. 237 // over the AWS_CA_BUNDLE environment variable, and will be used if both are set.
226 CustomCABundle io.Reader 238 CustomCABundle io.Reader
239
240 // The handlers that the session and all API clients will be created with.
241 // This must be a complete set of handlers. Use the defaults.Handlers()
242 // function to initialize this value before changing the handlers to be
243 // used by the SDK.
244 Handlers request.Handlers
227} 245}
228 246
229// NewSessionWithOptions returns a new Session created from SDK defaults, config files, 247// NewSessionWithOptions returns a new Session created from SDK defaults, config files,
@@ -329,27 +347,36 @@ func deprecatedNewSession(cfgs ...*aws.Config) *Session {
329 return s 347 return s
330} 348}
331 349
332func enableCSM(handlers *request.Handlers, clientID string, port string, logger aws.Logger) { 350func enableCSM(handlers *request.Handlers,
333 logger.Log("Enabling CSM") 351 clientID, host, port string,
334 if len(port) == 0 { 352 logger aws.Logger,
335 port = csm.DefaultPort 353) error {
354 if logger != nil {
355 logger.Log("Enabling CSM")
336 } 356 }
337 357
338 r, err := csm.Start(clientID, "127.0.0.1:"+port) 358 r, err := csm.Start(clientID, csm.AddressWithDefaults(host, port))
339 if err != nil { 359 if err != nil {
340 return 360 return err
341 } 361 }
342 r.InjectHandlers(handlers) 362 r.InjectHandlers(handlers)
363
364 return nil
343} 365}
344 366
345func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, error) { 367func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, error) {
346 cfg := defaults.Config() 368 cfg := defaults.Config()
347 handlers := defaults.Handlers() 369
370 handlers := opts.Handlers
371 if handlers.IsEmpty() {
372 handlers = defaults.Handlers()
373 }
348 374
349 // Get a merged version of the user provided config to determine if 375 // Get a merged version of the user provided config to determine if
350 // credentials were. 376 // credentials were.
351 userCfg := &aws.Config{} 377 userCfg := &aws.Config{}
352 userCfg.MergeIn(cfgs...) 378 userCfg.MergeIn(cfgs...)
379 cfg.MergeIn(userCfg)
353 380
354 // Ordered config files will be loaded in with later files overwriting 381 // Ordered config files will be loaded in with later files overwriting
355 // previous config file values. 382 // previous config file values.
@@ -366,9 +393,11 @@ func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session,
366 } 393 }
367 394
368 // Load additional config from file(s) 395 // Load additional config from file(s)
369 sharedCfg, err := loadSharedConfig(envCfg.Profile, cfgFiles) 396 sharedCfg, err := loadSharedConfig(envCfg.Profile, cfgFiles, envCfg.EnableSharedConfig)
370 if err != nil { 397 if err != nil {
371 return nil, err 398 if _, ok := err.(SharedConfigProfileNotExistsError); !ok {
399 return nil, err
400 }
372 } 401 }
373 402
374 if err := mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers, opts); err != nil { 403 if err := mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers, opts); err != nil {
@@ -382,7 +411,11 @@ func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session,
382 411
383 initHandlers(s) 412 initHandlers(s)
384 if envCfg.CSMEnabled { 413 if envCfg.CSMEnabled {
385 enableCSM(&s.Handlers, envCfg.CSMClientID, envCfg.CSMPort, s.Config.Logger) 414 err := enableCSM(&s.Handlers, envCfg.CSMClientID,
415 envCfg.CSMHost, envCfg.CSMPort, s.Config.Logger)
416 if err != nil {
417 return nil, err
418 }
386 } 419 }
387 420
388 // Setup HTTP client with custom cert bundle if enabled 421 // Setup HTTP client with custom cert bundle if enabled
@@ -443,9 +476,11 @@ func loadCertPool(r io.Reader) (*x509.CertPool, error) {
443 return p, nil 476 return p, nil
444} 477}
445 478
446func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg sharedConfig, handlers request.Handlers, sessOpts Options) error { 479func mergeConfigSrcs(cfg, userCfg *aws.Config,
447 // Merge in user provided configuration 480 envCfg envConfig, sharedCfg sharedConfig,
448 cfg.MergeIn(userCfg) 481 handlers request.Handlers,
482 sessOpts Options,
483) error {
449 484
450 // Region if not already set by user 485 // Region if not already set by user
451 if len(aws.StringValue(cfg.Region)) == 0 { 486 if len(aws.StringValue(cfg.Region)) == 0 {
@@ -464,164 +499,19 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share
464 } 499 }
465 } 500 }
466 501
467 // Configure credentials if not already set 502 // Configure credentials if not already set by the user when creating the
503 // Session.
468 if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil { 504 if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
469 505 creds, err := resolveCredentials(cfg, envCfg, sharedCfg, handlers, sessOpts)
470 // inspect the profile to see if a credential source has been specified. 506 if err != nil {
471 if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.CredentialSource) > 0 { 507 return err
472
473 // if both credential_source and source_profile have been set, return an error
474 // as this is undefined behavior.
475 if len(sharedCfg.AssumeRole.SourceProfile) > 0 {
476 return ErrSharedConfigSourceCollision
477 }
478
479 // valid credential source values
480 const (
481 credSourceEc2Metadata = "Ec2InstanceMetadata"
482 credSourceEnvironment = "Environment"
483 credSourceECSContainer = "EcsContainer"
484 )
485
486 switch sharedCfg.AssumeRole.CredentialSource {
487 case credSourceEc2Metadata:
488 cfgCp := *cfg
489 p := defaults.RemoteCredProvider(cfgCp, handlers)
490 cfgCp.Credentials = credentials.NewCredentials(p)
491
492 if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil {
493 // AssumeRole Token provider is required if doing Assume Role
494 // with MFA.
495 return AssumeRoleTokenProviderNotSetError{}
496 }
497
498 cfg.Credentials = assumeRoleCredentials(cfgCp, handlers, sharedCfg, sessOpts)
499 case credSourceEnvironment:
500 cfg.Credentials = credentials.NewStaticCredentialsFromCreds(
501 envCfg.Creds,
502 )
503 case credSourceECSContainer:
504 if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 {
505 return ErrSharedConfigECSContainerEnvVarEmpty
506 }
507
508 cfgCp := *cfg
509 p := defaults.RemoteCredProvider(cfgCp, handlers)
510 creds := credentials.NewCredentials(p)
511
512 cfg.Credentials = creds
513 default:
514 return ErrSharedConfigInvalidCredSource
515 }
516
517 return nil
518 }
519
520 if len(envCfg.Creds.AccessKeyID) > 0 {
521 cfg.Credentials = credentials.NewStaticCredentialsFromCreds(
522 envCfg.Creds,
523 )
524 } else if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.RoleARN) > 0 && sharedCfg.AssumeRoleSource != nil {
525 cfgCp := *cfg
526 cfgCp.Credentials = credentials.NewStaticCredentialsFromCreds(
527 sharedCfg.AssumeRoleSource.Creds,
528 )
529
530 if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil {
531 // AssumeRole Token provider is required if doing Assume Role
532 // with MFA.
533 return AssumeRoleTokenProviderNotSetError{}
534 }
535
536 cfg.Credentials = assumeRoleCredentials(cfgCp, handlers, sharedCfg, sessOpts)
537 } else if len(sharedCfg.Creds.AccessKeyID) > 0 {
538 cfg.Credentials = credentials.NewStaticCredentialsFromCreds(
539 sharedCfg.Creds,
540 )
541 } else if len(sharedCfg.CredentialProcess) > 0 {
542 cfg.Credentials = processcreds.NewCredentials(
543 sharedCfg.CredentialProcess,
544 )
545 } else {
546 // Fallback to default credentials provider, include mock errors
547 // for the credential chain so user can identify why credentials
548 // failed to be retrieved.
549 cfg.Credentials = credentials.NewCredentials(&credentials.ChainProvider{
550 VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors),
551 Providers: []credentials.Provider{
552 &credProviderError{Err: awserr.New("EnvAccessKeyNotFound", "failed to find credentials in the environment.", nil)},
553 &credProviderError{Err: awserr.New("SharedCredsLoad", fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil)},
554 defaults.RemoteCredProvider(*cfg, handlers),
555 },
556 })
557 } 508 }
509 cfg.Credentials = creds
558 } 510 }
559 511
560 return nil 512 return nil
561} 513}
562 514
563func assumeRoleCredentials(cfg aws.Config, handlers request.Handlers, sharedCfg sharedConfig, sessOpts Options) *credentials.Credentials {
564 return stscreds.NewCredentials(
565 &Session{
566 Config: &cfg,
567 Handlers: handlers.Copy(),
568 },
569 sharedCfg.AssumeRole.RoleARN,
570 func(opt *stscreds.AssumeRoleProvider) {
571 opt.RoleSessionName = sharedCfg.AssumeRole.RoleSessionName
572
573 // Assume role with external ID
574 if len(sharedCfg.AssumeRole.ExternalID) > 0 {
575 opt.ExternalID = aws.String(sharedCfg.AssumeRole.ExternalID)
576 }
577
578 // Assume role with MFA
579 if len(sharedCfg.AssumeRole.MFASerial) > 0 {
580 opt.SerialNumber = aws.String(sharedCfg.AssumeRole.MFASerial)
581 opt.TokenProvider = sessOpts.AssumeRoleTokenProvider
582 }
583 },
584 )
585}
586
587// AssumeRoleTokenProviderNotSetError is an error returned when creating a session when the
588// MFAToken option is not set when shared config is configured load assume a
589// role with an MFA token.
590type AssumeRoleTokenProviderNotSetError struct{}
591
592// Code is the short id of the error.
593func (e AssumeRoleTokenProviderNotSetError) Code() string {
594 return "AssumeRoleTokenProviderNotSetError"
595}
596
597// Message is the description of the error
598func (e AssumeRoleTokenProviderNotSetError) Message() string {
599 return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.")
600}
601
602// OrigErr is the underlying error that caused the failure.
603func (e AssumeRoleTokenProviderNotSetError) OrigErr() error {
604 return nil
605}
606
607// Error satisfies the error interface.
608func (e AssumeRoleTokenProviderNotSetError) Error() string {
609 return awserr.SprintError(e.Code(), e.Message(), "", nil)
610}
611
612type credProviderError struct {
613 Err error
614}
615
616var emptyCreds = credentials.Value{}
617
618func (c credProviderError) Retrieve() (credentials.Value, error) {
619 return credentials.Value{}, c.Err
620}
621func (c credProviderError) IsExpired() bool {
622 return true
623}
624
625func initHandlers(s *Session) { 515func initHandlers(s *Session) {
626 // Add the Validate parameter handler if it is not disabled. 516 // Add the Validate parameter handler if it is not disabled.
627 s.Handlers.Validate.Remove(corehandlers.ValidateParametersHandler) 517 s.Handlers.Validate.Remove(corehandlers.ValidateParametersHandler)