Commit c9bf0401 authored by Sean McGivern's avatar Sean McGivern

Only try AWS instance profile creds if needed

`Aws::InstanceProfileCredentials.new` actually performs an API request to AWS,
which can result in us hitting a rate limit.

Rewrite `Gitlab::Elastic::Client.resolve_aws_credentials` to the slightly more
verbose, but equally clear, variant, to ensure that we don't call this unless we
have to - i.e. the static credentials do not work.
parent 8e70838c
---
title: Stop authorization attempts with instance profile when static credentials are
provided for AWS Elasticsearch
merge_request:
author:
type: fixed
...@@ -32,13 +32,15 @@ module Gitlab ...@@ -32,13 +32,15 @@ module Gitlab
# Resolve credentials in order # Resolve credentials in order
# 1. Static config # 1. Static config
# 2. ec2 instance profile # 2. ec2 instance profile
credentials = [ static_credentials = Aws::Credentials.new(config[:aws_access_key], config[:aws_secret_access_key])
Aws::Credentials.new(config[:aws_access_key], config[:aws_secret_access_key]),
Aws::InstanceProfileCredentials.new return static_credentials if static_credentials&.set?
]
credentials.find do |creds| # Instantiating this will perform an API call, so only do so if the
creds&.set? # static credentials did not work
end instance_credentials = Aws::InstanceProfileCredentials.new
instance_credentials if instance_credentials&.set?
end end
end end
end end
......
...@@ -28,7 +28,7 @@ describe Gitlab::Elastic::Client do ...@@ -28,7 +28,7 @@ describe Gitlab::Elastic::Client do
.to_return(status: 200, body: creds_response, headers: {}) .to_return(status: 200, body: creds_response, headers: {})
end end
describe 'build' do describe '.build' do
let(:client) { described_class.build(params) } let(:client) { described_class.build(params) }
context 'without credentials' do context 'without credentials' do
...@@ -73,10 +73,10 @@ describe Gitlab::Elastic::Client do ...@@ -73,10 +73,10 @@ describe Gitlab::Elastic::Client do
end end
end end
describe 'resolve_aws_credentials' do describe '.resolve_aws_credentials' do
let(:creds) { described_class.resolve_aws_credentials(params) } let(:creds) { described_class.resolve_aws_credentials(params) }
context 'with AWS IAM static credentials' do context 'when the AWS IAM static credentials are valid' do
let(:params) do let(:params) do
{ {
url: 'http://example-elastic:9200', url: 'http://example-elastic:9200',
...@@ -87,44 +87,44 @@ describe Gitlab::Elastic::Client do ...@@ -87,44 +87,44 @@ describe Gitlab::Elastic::Client do
} }
end end
it 'returns credentials from static credentials' do it 'returns credentials from static credentials without making an HTTP request' do
stub_instance_credentials(creds_fail_response)
expect(creds.credentials.access_key_id).to eq '0' expect(creds.credentials.access_key_id).to eq '0'
expect(creds.credentials.secret_access_key).to eq '0' expect(creds.credentials.secret_access_key).to eq '0'
end end
end end
context 'with AWS ec2 instance profile' do context 'when the AWS IAM static credentials are invalid' do
let(:params) do context 'with AWS ec2 instance profile' do
{ let(:params) do
url: 'http://example-elastic:9200', {
aws: true, url: 'http://example-elastic:9200',
aws_region: 'us-east-1' aws: true,
} aws_region: 'us-east-1'
end }
end
it 'returns credentials from ec2 instance profile' do it 'returns credentials from ec2 instance profile' do
stub_instance_credentials(creds_valid_response) stub_instance_credentials(creds_valid_response)
expect(creds.credentials.access_key_id).to eq '0' expect(creds.credentials.access_key_id).to eq '0'
expect(creds.credentials.secret_access_key).to eq '0' expect(creds.credentials.secret_access_key).to eq '0'
end
end end
end
context 'with AWS no credentials' do context 'with AWS no credentials' do
let(:params) do let(:params) do
{ {
url: 'http://example-elastic:9200', url: 'http://example-elastic:9200',
aws: true, aws: true,
aws_region: 'us-east-1' aws_region: 'us-east-1'
} }
end end
it 'returns nil' do it 'returns nil' do
stub_instance_credentials(creds_fail_response) stub_instance_credentials(creds_fail_response)
expect(creds).to be_nil expect(creds).to be_nil
end
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment