Commit c9bf0401 authored by Sean McGivern's avatar Sean McGivern

Only try AWS instance profile creds if needed

`Aws::InstanceProfileCredentials.new` actually performs an API request to AWS,
which can result in us hitting a rate limit.

Rewrite `Gitlab::Elastic::Client.resolve_aws_credentials` to the slightly more
verbose, but equally clear, variant, to ensure that we don't call this unless we
have to - i.e. the static credentials do not work.
parent 8e70838c
---
title: Stop authorization attempts with instance profile when static credentials are
provided for AWS Elasticsearch
merge_request:
author:
type: fixed
......@@ -32,13 +32,15 @@ module Gitlab
# Resolve credentials in order
# 1. Static config
# 2. ec2 instance profile
credentials = [
Aws::Credentials.new(config[:aws_access_key], config[:aws_secret_access_key]),
Aws::InstanceProfileCredentials.new
]
credentials.find do |creds|
creds&.set?
end
static_credentials = Aws::Credentials.new(config[:aws_access_key], config[:aws_secret_access_key])
return static_credentials if static_credentials&.set?
# Instantiating this will perform an API call, so only do so if the
# static credentials did not work
instance_credentials = Aws::InstanceProfileCredentials.new
instance_credentials if instance_credentials&.set?
end
end
end
......
......@@ -28,7 +28,7 @@ describe Gitlab::Elastic::Client do
.to_return(status: 200, body: creds_response, headers: {})
end
describe 'build' do
describe '.build' do
let(:client) { described_class.build(params) }
context 'without credentials' do
......@@ -73,10 +73,10 @@ describe Gitlab::Elastic::Client do
end
end
describe 'resolve_aws_credentials' do
describe '.resolve_aws_credentials' do
let(:creds) { described_class.resolve_aws_credentials(params) }
context 'with AWS IAM static credentials' do
context 'when the AWS IAM static credentials are valid' do
let(:params) do
{
url: 'http://example-elastic:9200',
......@@ -87,44 +87,44 @@ describe Gitlab::Elastic::Client do
}
end
it 'returns credentials from static credentials' do
stub_instance_credentials(creds_fail_response)
it 'returns credentials from static credentials without making an HTTP request' do
expect(creds.credentials.access_key_id).to eq '0'
expect(creds.credentials.secret_access_key).to eq '0'
end
end
context 'with AWS ec2 instance profile' do
let(:params) do
{
url: 'http://example-elastic:9200',
aws: true,
aws_region: 'us-east-1'
}
end
context 'when the AWS IAM static credentials are invalid' do
context 'with AWS ec2 instance profile' do
let(:params) do
{
url: 'http://example-elastic:9200',
aws: true,
aws_region: 'us-east-1'
}
end
it 'returns credentials from ec2 instance profile' do
stub_instance_credentials(creds_valid_response)
it 'returns credentials from ec2 instance profile' do
stub_instance_credentials(creds_valid_response)
expect(creds.credentials.access_key_id).to eq '0'
expect(creds.credentials.secret_access_key).to eq '0'
expect(creds.credentials.access_key_id).to eq '0'
expect(creds.credentials.secret_access_key).to eq '0'
end
end
end
context 'with AWS no credentials' do
let(:params) do
{
url: 'http://example-elastic:9200',
aws: true,
aws_region: 'us-east-1'
}
end
context 'with AWS no credentials' do
let(:params) do
{
url: 'http://example-elastic:9200',
aws: true,
aws_region: 'us-east-1'
}
end
it 'returns nil' do
stub_instance_credentials(creds_fail_response)
it 'returns nil' do
stub_instance_credentials(creds_fail_response)
expect(creds).to be_nil
expect(creds).to be_nil
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment