Support standard AWS config in the S3 remote backend. (#5270)

This commit is contained in:
John Engelman 2016-05-06 11:52:18 -05:00 committed by Radek Simko
parent 2476dcbcae
commit 14f6f90621
2 changed files with 19 additions and 22 deletions

View File

@ -10,12 +10,11 @@ import (
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3" "github.com/aws/aws-sdk-go/service/s3"
"github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-multierror"
terraformAws "github.com/hashicorp/terraform/builtin/providers/aws"
) )
func s3Factory(conf map[string]string) (Client, error) { func s3Factory(conf map[string]string) (Client, error) {
@ -60,29 +59,24 @@ func s3Factory(conf map[string]string) (Client, error) {
} }
kmsKeyID := conf["kms_key_id"] kmsKeyID := conf["kms_key_id"]
accessKeyId := conf["access_key"] var errs []error
secretAccessKey := conf["secret_key"] creds := terraformAws.GetCredentials(conf["access_key"], conf["secret_key"], conf["token"], conf["profile"], conf["shared_credentials_file"])
// Call Get to check for credential provider. If nothing found, we'll get an
credentialsProvider := credentials.NewChainCredentials([]credentials.Provider{ // error, and we can present it nicely to the user
&credentials.StaticProvider{Value: credentials.Value{ _, err := creds.Get()
AccessKeyID: accessKeyId,
SecretAccessKey: secretAccessKey,
SessionToken: "",
}},
&credentials.EnvProvider{},
&credentials.SharedCredentialsProvider{Filename: "", Profile: ""},
&ec2rolecreds.EC2RoleProvider{Client: ec2metadata.New(session.New())},
})
// Make sure we got some sort of working credentials.
_, err := credentialsProvider.Get()
if err != nil { if err != nil {
return nil, fmt.Errorf("Unable to determine AWS credentials. Set the AWS_ACCESS_KEY_ID and "+ if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
"AWS_SECRET_ACCESS_KEY environment variables.\n(error was: %s)", err) errs = append(errs, fmt.Errorf(`No valid credential sources found for AWS S3 remote.
Please see https://www.terraform.io/docs/state/remote/s3.html for more information on
providing credentials for the AWS S3 remote`))
} else {
errs = append(errs, fmt.Errorf("Error loading credentials for AWS S3 remote: %s", err))
}
return nil, &multierror.Error{Errors: errs}
} }
awsConfig := &aws.Config{ awsConfig := &aws.Config{
Credentials: credentialsProvider, Credentials: creds,
Endpoint: aws.String(endpoint), Endpoint: aws.String(endpoint),
Region: aws.String(regionName), Region: aws.String(regionName),
HTTPClient: cleanhttp.DefaultClient(), HTTPClient: cleanhttp.DefaultClient(),

View File

@ -56,3 +56,6 @@ The following configuration options / environment variables are supported:
* `access_key` / `AWS_ACCESS_KEY_ID` - (Optional) AWS access key * `access_key` / `AWS_ACCESS_KEY_ID` - (Optional) AWS access key
* `secret_key` / `AWS_SECRET_ACCESS_KEY` - (Optional) AWS secret key * `secret_key` / `AWS_SECRET_ACCESS_KEY` - (Optional) AWS secret key
* `kms_key_id` - (Optional) The ARN of a KMS Key to use for encrypting the state. * `kms_key_id` - (Optional) The ARN of a KMS Key to use for encrypting the state.
* `profile` - (Optional) This is the AWS profile name as set in the shared credentials file.
* `shared_credentials_file` - (Optional) This is the path to the shared credentials file. If this is not set and a profile is specified, ~/.aws/credentials will be used.
* `token` - (Optional) Use this to set an MFA token. It can also be sourced from the `AWS_SECURITY_TOKEN` environment variable.