From 2dd7e72674c82897abaaf710cdf32d77dd1c3368 Mon Sep 17 00:00:00 2001
From: Brian Antonelli
Date: Thu, 27 Apr 2017 11:24:53 -0400
Subject: [PATCH] Fix for getting partition for federated users (#13992)

Federated users calling `iam:GetUser` will get the error code `InvalidClientTokenId` so this shouldn't bail out but instead continue on to try `sts:GetCallerIdentity`.
---
 builtin/providers/aws/auth_helpers.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/builtin/providers/aws/auth_helpers.go b/builtin/providers/aws/auth_helpers.go
index 1a73c6e8b5..e808d4d390 100644
--- a/builtin/providers/aws/auth_helpers.go
+++ b/builtin/providers/aws/auth_helpers.go
@@ -54,7 +54,7 @@ func GetAccountInfo(iamconn *iam.IAM, stsconn *sts.STS, authProviderName string)
 awsErr, ok := err.(awserr.Error)
 // AccessDenied and ValidationError can be raised
 // if credentials belong to federated profile, so we ignore these
- if !ok || (awsErr.Code() != "AccessDenied" && awsErr.Code() != "ValidationError") {
+ if !ok || (awsErr.Code() != "AccessDenied" && awsErr.Code() != "ValidationError" && awsErr.Code() != "InvalidClientTokenId") {
 return "", "", fmt.Errorf("Failed getting account ID via 'iam:GetUser': %s", err)
 }
 log.Printf("[DEBUG] Getting account ID via iam:GetUser failed: %s", err)
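Review bot: The comment directly above the changed condition still names only `AccessDenied` and `ValidationError`, so the newly tolerated `InvalidClientTokenId` is undocumented at the one place a reader looks to see why an auth error is being swallowed. AWS also returns that code when the access key ID is unknown or malformed, not only for federated sessions, so I would record both facts there, e.g. `// InvalidClientTokenId is also returned for federated users; it can equally mean a bad access key, so the fallbacks below must surface that failure`. The rest of GetAccountInfo lies outside this hunk, so I cannot confirm that the later `sts:GetCallerIdentity` path reports a genuinely invalid key as an error rather than leaving it only in the `[DEBUG]` log line here; that is worth checking before relying on this fallthrough.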