async def test_disabling_env_var_not_true(self): url = 'https://example.com/' env = {'AWS_EC2_METADATA_DISABLED': 'false'} self.add_get_token_imds_response(token='token') self.add_get_role_name_imds_response() self.add_get_credentials_imds_response() fetcher = AioInstanceMetadataFetcher(base_url=url, env=env) result = await fetcher.retrieve_iam_role_credentials() self.assertEqual(result, self._expected_creds)
def create_credential_resolver(session, cache=None, region_name=None): """Create a default credential resolver. This creates a pre-configured credential resolver that includes the default lookup chain for credentials. """ profile_name = session.get_config_variable('profile') or 'default' metadata_timeout = session.get_config_variable('metadata_service_timeout') num_attempts = session.get_config_variable('metadata_service_num_attempts') disable_env_vars = session.instance_variables().get('profile') is not None if cache is None: cache = {} env_provider = AioEnvProvider() container_provider = AioContainerProvider() instance_metadata_provider = AioInstanceMetadataProvider( iam_role_fetcher=AioInstanceMetadataFetcher( timeout=metadata_timeout, num_attempts=num_attempts, user_agent=session.user_agent())) profile_provider_builder = AioProfileProviderBuilder( session, cache=cache, region_name=region_name) assume_role_provider = AioAssumeRoleProvider( load_config=lambda: session.full_config, client_creator=_get_client_creator(session, region_name), cache=cache, profile_name=profile_name, credential_sourcer=AioCanonicalNameCredentialSourcer( [env_provider, container_provider, instance_metadata_provider]), profile_provider_builder=profile_provider_builder, ) pre_profile = [ env_provider, assume_role_provider, ] profile_providers = profile_provider_builder.providers( profile_name=profile_name, disable_env_vars=disable_env_vars, ) post_profile = [ AioOriginalEC2Provider(), AioBotoProvider(), container_provider, instance_metadata_provider, ] providers = pre_profile + profile_providers + post_profile if disable_env_vars: # An explicitly provided profile will negate an EnvProvider. # We will defer to providers that understand the "profile" # concept to retrieve credentials. # The one edge case if is all three values are provided via # env vars: # export AWS_ACCESS_KEY_ID=foo # export AWS_SECRET_ACCESS_KEY=bar # export AWS_PROFILE=baz # Then, just like our client() calls, the explicit credentials # will take precedence. # # This precedence is enforced by leaving the EnvProvider in the chain. # This means that the only way a "profile" would win is if the # EnvProvider does not return credentials, which is what we want # in this scenario. providers.remove(env_provider) logger.debug('Skipping environment variable credential check' ' because profile name was explicitly set.') resolver = AioCredentialResolver(providers=providers) return resolver
async def test_disabled_by_environment_mixed_case(self): env = {'AWS_EC2_METADATA_DISABLED': 'tRuE'} fetcher = AioInstanceMetadataFetcher(env=env) result = await fetcher.retrieve_iam_role_credentials() self.assertEqual(result, {}) self._send.assert_not_called()