diff --git a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/credentials/manager.go b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/credentials/manager.go
index 99de1079454..3afaf541793 100644
--- a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/credentials/manager.go
+++ b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/credentials/manager.go
@@ -58,7 +58,8 @@ type IAMRoleCredentials struct {
 // Expiration is a string instead of a timestamp. This is to avoid any loss of context
 // while marshalling/unmarshalling this field in the agent. The agent just echo's
 // whatever is sent by the backend.
- Expiration string `json:"Expiration"`
+ Expiration string `json:"Expiration"`
+ CredentialScope string `json:"CredentialScope"`
 // RoleType distinguishes between TaskRole and ExecutionRole for the
 // credentials that are sent from the backend
 RoleType string `json:"-"`
@@ -100,6 +101,7 @@ func IAMRoleCredentialsFromACS(roleCredentials *ecsacs.IAMRoleCredentials, roleT
 AccessKeyID: aws.StringValue(roleCredentials.AccessKeyId),
 SecretAccessKey: aws.StringValue(roleCredentials.SecretAccessKey),
 Expiration: aws.StringValue(roleCredentials.Expiration),
+ CredentialScope: aws.StringValue(roleCredentials.CredentialScope),
 RoleType: roleType,
 }
 }
diff --git a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/v1/credentials_handler.go b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/v1/credentials_handler.go
index 47c5dcd2b24..c4b74153260 100644
--- a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/v1/credentials_handler.go
+++ b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/v1/credentials_handler.go
@@ -125,14 +125,14 @@ func processCredentialsRequest(
 return nil, "", "", msg, errors.New(errText)
 }
- seelog.Infof("Processing credential request, credentialType=%s taskARN=%s",
- credentials.IAMRoleCredentials.RoleType, credentials.ARN)
+ seelog.Infof("Processing credential request, credentialType=%s taskARN=%s credentialScope=%s",
+ credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope)
 if utils.ZeroOrNil(credentials.ARN) && utils.ZeroOrNil(credentials.IAMRoleCredentials) {
 // This can happen when the agent is restarted and is reconciling its state.
 errText := errPrefix + "Credentials uninitialized for ID"
- seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s: %s",
- credentials.IAMRoleCredentials.RoleType, credentials.ARN, errText)
+ seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s credentialScope=%s: %s",
+ credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope, errText)
 msg := &handlersutils.ErrorMessage{
 Code: ErrCredentialsUninitialized,
 Message: errText,
@@ -144,8 +144,8 @@ func processCredentialsRequest(
 credentialsJSON, err := json.Marshal(credentials.IAMRoleCredentials)
 if err != nil {
 errText := errPrefix + "Error marshaling credentials"
- seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s: %s",
- credentials.IAMRoleCredentials.RoleType, credentials.ARN, errText)
+ seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s credentialScope=%s: %s",
+ credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope, errText)
 msg := &handlersutils.ErrorMessage{
 Code: ErrInternalServer,
 Message: "Internal server error",
diff --git a/ecs-agent/acs/session/session_test.go b/ecs-agent/acs/session/session_test.go
index 170cfccd898..1fcda079708 100644
--- a/ecs-agent/acs/session/session_test.go
+++ b/ecs-agent/acs/session/session_test.go
@@ -95,7 +95,8 @@ const (
 "expiration": "2016-03-25T06:17:19.318+0000",
 "roleArn": "r1",
 "secretAccessKey": "secretAccessKey",
- "sessionToken": "token"
+ "sessionToken": "token",
+ "credentialScope": "scope"
 },
 "version": "3",
 "volumes": [],
@@ -125,7 +126,8 @@ const (
 "expiration": "later",
 "roleArn": "r1",
 "secretAccessKey": "newskid",
- "sessionToken": "newstkn"
+ "sessionToken": "newstkn",
+ "credentialScope": "cdsp"
 }
 }
 }
@@ -976,6 +978,7 @@ func TestStartSessionHandlesRefreshCredentialsMessages(t *testing.T) {
 SessionToken: "newstkn",
 Expiration: "later",
 CredentialsID: credentialsIdInRefreshMessage,
+ CredentialScope: "cdsp",
 RoleType: rolecredentials.ApplicationRoleType,
 },
 }
diff --git a/ecs-agent/credentials/manager.go b/ecs-agent/credentials/manager.go
index 99de1079454..3afaf541793 100644
--- a/ecs-agent/credentials/manager.go
+++ b/ecs-agent/credentials/manager.go
@@ -58,7 +58,8 @@ type IAMRoleCredentials struct {
 // Expiration is a string instead of a timestamp. This is to avoid any loss of context
 // while marshalling/unmarshalling this field in the agent. The agent just echo's
 // whatever is sent by the backend.
- Expiration string `json:"Expiration"`
+ Expiration string `json:"Expiration"`
+ CredentialScope string `json:"CredentialScope"`
 // RoleType distinguishes between TaskRole and ExecutionRole for the
 // credentials that are sent from the backend
 RoleType string `json:"-"`
@@ -100,6 +101,7 @@ func IAMRoleCredentialsFromACS(roleCredentials *ecsacs.IAMRoleCredentials, roleT
 AccessKeyID: aws.StringValue(roleCredentials.AccessKeyId),
 SecretAccessKey: aws.StringValue(roleCredentials.SecretAccessKey),
 Expiration: aws.StringValue(roleCredentials.Expiration),
+ CredentialScope: aws.StringValue(roleCredentials.CredentialScope),
 RoleType: roleType,
 }
 }
diff --git a/ecs-agent/credentials/manager_test.go b/ecs-agent/credentials/manager_test.go
index ec005d9def5..e3fea9bc237 100644
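Review bot: The new exported field `CredentialScope` in the `@@ -58,7 +58,8 @@` hunk of ecs-agent/credentials/manager.go has no doc comment, while the neighbouring `Expiration` and `RoleType` fields each explain where their value comes from and who consumes it. Because `IAMRoleCredentials` is what `processCredentialsRequest` passes to `json.Marshal` for the task-facing credentials response, this tag also changes the JSON every task sees, so the comment should say so: `// CredentialScope is echoed verbatim from the backend to the task's credentials response, like Expiration; this change only stores, logs and serializes it.` Note that without `omitempty` a backend that sends no scope will still produce `"CredentialScope": ""` in that response, which is presumably intended for consistency with the other fields but is worth stating. The same field addition appears in the vendored copy under agent/vendor and in the `@@ -100,6 +101,7 @@` hunk that populates it from ACS.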
--- a/ecs-agent/credentials/manager_test.go
+++ b/ecs-agent/credentials/manager_test.go
@@ -35,6 +35,7 @@ func TestIAMRoleCredentialsFromACS(t *testing.T) {
 RoleArn: aws.String("roleArn"),
 SecretAccessKey: aws.String("OhhSecret"),
 SessionToken: aws.String("sessionToken"),
+ CredentialScope: aws.String("credentialScope"),
 }
 roleType := "roleType"
@@ -47,6 +48,7 @@ func TestIAMRoleCredentialsFromACS(t *testing.T) {
 RoleArn: "roleArn",
 SecretAccessKey: "OhhSecret",
 SessionToken: "sessionToken",
+ CredentialScope: "credentialScope",
 RoleType: "roleType",
 }
 assert.Equal(t, credentials, expectedCredentials, "Mismatch between expected and constructed credentials")
@@ -99,6 +101,7 @@ func TestSetAndGetTaskCredentialsHappyPath(t *testing.T) {
 SessionToken: "stkn",
 Expiration: "ts",
 CredentialsID: "cid1",
+ CredentialScope: "cdsp",
 },
 }
@@ -118,6 +121,7 @@ func TestSetAndGetTaskCredentialsHappyPath(t *testing.T) {
 SessionToken: "stkn2",
 Expiration: "ts2",
 CredentialsID: "cid1",
+ CredentialScope: "cdsp",
 },
 }
 err = manager.SetTaskCredentials(&updatedCredentials)
@@ -138,6 +142,7 @@ func TestGenerateCredentialsEndpointRelativeURI(t *testing.T) {
 SessionToken: "stkn",
 Expiration: "ts",
 CredentialsID: "cid1",
+ CredentialScope: "cdsp",
 }
 generatedURI := credentials.GenerateCredentialsEndpointRelativeURI()
 expectedURI := fmt.Sprintf(credentialsEndpointRelativeURIFormat, CredentialsPath, "cid1")
@@ -157,6 +162,7 @@ func TestRemoveExistingCredentials(t *testing.T) {
 SessionToken: "stkn",
 Expiration: "ts",
 CredentialsID: "cid1",
+ CredentialScope: "cdsp",
 },
 }
 err := manager.SetTaskCredentials(&credentials)
diff --git a/ecs-agent/tmds/handlers/credentials_handler_test.go b/ecs-agent/tmds/handlers/credentials_handler_test.go
index a9c56c41caf..dbcb8ddb75c 100644
--- a/ecs-agent/tmds/handlers/credentials_handler_test.go
+++ b/ecs-agent/tmds/handlers/credentials_handler_test.go
@@ -268,6 +268,7 @@ func testCredentialsHandlerSuccess(t *testing.T, makePath MakePath, makeHandler
 SecretAccessKey: "secret_access_key",
 SessionToken: "session_token",
 Expiration: "expiration",
+ CredentialScope: "credential_scope",
 RoleType: credentials.ApplicationRoleType,
 }
@@ -278,6 +279,7 @@ func testCredentialsHandlerSuccess(t *testing.T, makePath MakePath, makeHandler
 SecretAccessKey: "secret_access_key",
 SessionToken: "session_token",
 Expiration: "expiration",
+ CredentialScope: "credential_scope",
 }
 auditLogger.EXPECT().Log(
diff --git a/ecs-agent/tmds/handlers/v1/credentials_handler.go b/ecs-agent/tmds/handlers/v1/credentials_handler.go
index 47c5dcd2b24..c4b74153260 100644
--- a/ecs-agent/tmds/handlers/v1/credentials_handler.go
+++ b/ecs-agent/tmds/handlers/v1/credentials_handler.go
@@ -125,14 +125,14 @@ func processCredentialsRequest(
 return nil, "", "", msg, errors.New(errText)
 }
- seelog.Infof("Processing credential request, credentialType=%s taskARN=%s",
- credentials.IAMRoleCredentials.RoleType, credentials.ARN)
+ seelog.Infof("Processing credential request, credentialType=%s taskARN=%s credentialScope=%s",
+ credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope)
 if utils.ZeroOrNil(credentials.ARN) && utils.ZeroOrNil(credentials.IAMRoleCredentials) {
 // This can happen when the agent is restarted and is reconciling its state.
 errText := errPrefix + "Credentials uninitialized for ID"
- seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s: %s",
- credentials.IAMRoleCredentials.RoleType, credentials.ARN, errText)
+ seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s credentialScope=%s: %s",
+ credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope, errText)
 msg := &handlersutils.ErrorMessage{
 Code: ErrCredentialsUninitialized,
 Message: errText,
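Review bot: The field list `credentialType=%s taskARN=%s credentialScope=%s` is now hand-copied into three format strings in ecs-agent/tmds/handlers/v1/credentials_handler.go — the `Infof` and `Errorf` in the `@@ -125,14 +125,14 @@` hunk and the `Errorf` in the following `@@ -144,8 +144,8 @@` hunk — with the argument list repeated alongside each, which is exactly why this change had to touch all three sites and why the vendored copy under agent/vendor now has to be kept in step by hand. A package-level `const credReqLogFields = "credentialType=%s taskARN=%s credentialScope=%s"` concatenated into each call (for example `seelog.Infof("Processing credential request, "+credReqLogFields, ...)`) keeps the log key set identical across the info and error paths and makes the next field addition a one-line change. The enclosing `processCredentialsRequest` begins before the first hunk and continues after the second, so the const would go at file scope outside both.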
@@ -144,8 +144,8 @@ func processCredentialsRequest(
 credentialsJSON, err := json.Marshal(credentials.IAMRoleCredentials)
 if err != nil {
 errText := errPrefix + "Error marshaling credentials"
- seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s: %s",
- credentials.IAMRoleCredentials.RoleType, credentials.ARN, errText)
+ seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s credentialScope=%s: %s",
+ credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope, errText)
 msg := &handlersutils.ErrorMessage{
 Code: ErrInternalServer,
 Message: "Internal server error",