Merge pull request #2959 from hashicorp/b-aws-iam-validation

provider/aws: Fail silently in ValidateCredentials for IAM users
11 years ago · 6c7fe13d93
parent e38615000a eb90457223
commit 6c7fe13d93
1 changed files with 11 additions and 1 deletions
--- a/builtin/providers/aws/config.go
+++ b/builtin/providers/aws/config.go
@ -180,11 +180,21 @@ func (c *Config) ValidateRegion() error {
 	return fmt.Errorf("Not a valid region: %s", c.Region)
 }

-// Validate credentials early and fail before we do any graph walking
+// Validate credentials early and fail before we do any graph walking.
+// In the case of an IAM role/profile with insuffecient privileges, fail
+// silently
 func (c *Config) ValidateCredentials(iamconn *iam.IAM) error {
 	_, err := iamconn.GetUser(nil)

 	if awsErr, ok := err.(awserr.Error); ok {
+
+		if awsErr.Code() == "AccessDenied" || awsErr.Code() == "ValidationError" {
+			log.Printf("[WARN] AccessDenied Error with iam.GetUser, assuming IAM profile")
+			// User may be an IAM instance profile, or otherwise IAM role without the
+			// GetUser permissions, so fail silently
+			return nil
+		}
+
 		if awsErr.Code() == "SignatureDoesNotMatch" {
 			return fmt.Errorf("Failed authenticating with AWS: please verify credentials")
 		}