diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index cdbc189c1b..a91ba32731 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -33,10 +33,6 @@ jobs: - os: ubuntu-latest version: "1.6" arch: x64 - env: - MINIO_ACCESS_KEY: minio - MINIO_SECRET_KEY: minio123 - MINIO_REGION_NAME: aregion steps: - uses: actions/checkout@v2 - name: Assume AWS role @@ -45,6 +41,12 @@ jobs: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/AWS.jl aws-region: us-east-1 - name: MinIO server setup + if: runner.os != 'Windows' + env: + MINIO_ACCESS_KEY: minio + MINIO_SECRET_KEY: minio123 + MINIO_REGION_NAME: aregion + shell: bash run: | case "$RUNNER_OS" in Linux) @@ -58,10 +60,11 @@ jobs: exit 1 ;; esac - curl -LO "https://dl.minio.io/server/minio/release/${host_os}/minio" + curl -sSLO "https://dl.minio.io/server/minio/release/${host_os}/minio" mkdir data chmod +x ./minio ./minio server --compat --quiet data 2>&1 > minio.log & + env | grep ^MINIO_ | tee -a "$GITHUB_ENV" - uses: julia-actions/setup-julia@v1 with: version: ${{ matrix.version }} diff --git a/Project.toml b/Project.toml index 87ecfdf242..d63e38fa22 100644 --- a/Project.toml +++ b/Project.toml @@ -1,7 +1,7 @@ name = "AWS" uuid = "fbe9abb3-538b-5e4e-ba9e-bc94f4f92ebc" license = "MIT" -version = "1.89.0" +version = "1.89.1" [deps] Base64 = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f" diff --git a/src/utilities/role.jl b/src/utilities/role.jl index 6997abc42d..35e5aa158a 100644 --- a/src/utilities/role.jl +++ b/src/utilities/role.jl @@ -81,7 +81,7 @@ function assume_role_creds( else params["RoleSessionName"] = _role_session_name( "AWS.jl-", - ENV["USER"], + _whoami(), "-" * Dates.format(now(UTC), dateformat"yyyymmdd\THHMMSS\Z"), ) end 
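Review bot: The `curl -sSLO` line in `MinIO server setup` fetches whatever binary is currently published under `release/${host_os}/minio`, and the step then runs it with no version pin or checksum comparison, in a job where the `Assume AWS role` step has already run. A replaced or tampered download would execute with whatever that earlier step exposes to the job. Consider downloading a pinned release and verifying it before `chmod +x`, e.g. `echo "<expected-sha256>  minio" | sha256sum -c -`, or moving the MinIO setup ahead of the role assumption. The `curl` call also lacks `--fail`, so an HTTP error body would be saved as `minio` and only fail later at execution. The added `env | grep ^MINIO_ | tee -a "$GITHUB_ENV"` prints `MINIO_SECRET_KEY` to the job log, which is harmless for these throwaway values, but `>> "$GITHUB_ENV"` would avoid establishing that pattern.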
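Review bot: `_whoami()` now feeds the raw output of `id -un` into `RoleSessionName`, and nothing in this hunk constrains it to what STS accepts for that field (2–64 characters from `[\w+=,.@-]`). Account names from a directory service can contain other characters, such as a backslash-separated domain prefix, which would make the default-session-name path fail at request time. `ENV["USER"]` had the same exposure, so this may already be handled inside `_role_session_name`, whose body is not visible here. If it is not, an explicit `replace(_whoami(), r"[^\w+=,.@-]" => "-")` at the call, or a comment stating that `_role_session_name` sanitises and truncates its parts, would make the contract clear. `assume_role_creds` starts and ends outside this hunk.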
@@ -128,3 +128,15 @@ function assume_role_creds(
 renew,
 )
 end
+
+"""
+ _whoami() -> AbstractString
+
+The identity of the current user (i.e. effective user name). May differ from the
+logged in user if the current user has been assumed, perhaps by means of `su`.
+
+Note that the environmental variables `USER` or `USERNAME` are
+[not Bash built-in variables](https://tldp.org/LDP/abs/html/internalvariables.html#AMIROOT)
+and by default are not present in containers.
+"""
+_whoami() = readchomp(`id -un`) # The `whoami` utility is marked as obsolete
diff --git a/test/role.jl b/test/role.jl
index 986257a018..47cb471914 100644
--- a/test/role.jl
+++ b/test/role.jl
@@ -16,6 +16,12 @@ end
 get_assumed_role(creds::AWSCredentials) = get_assumed_role(AWSConfig(; creds))
+@testset "_whoami" begin
+ user = AWS._whoami()
+ @test user isa AbstractString
+ @test !isempty(user)
+end
+
 @testset "assume_role / assume_role_creds" begin
 # In order to mitigate the effects of using `assume_role` in order to test itself we'll
 # use the lowest-level call with as many defaults as possible.
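Review bot: `_whoami()` has no failure path: `readchomp` throws when `id` cannot be spawned (for example on Windows) and when `id -un` exits non-zero. The non-zero case occurs in the container setups the docstring mentions, where the process runs under a UID with no passwd entry. Because the call sits on the default `session_name` path of `assume_role_creds`, that exception turns into a failed credential request with an error that never mentions the session name. A fallback to the environment variables and then a fixed placeholder keeps the default path working, and the docstring should state which value is returned in that case. The `_whoami` testset added in `test/role.jl` only covers the case where `id` succeeds.

```julia
function _whoami()
    try
        # The `whoami` utility is marked as obsolete
        return readchomp(`id -un`)
    catch e
        # `id` missing (IOError) or no passwd entry for the UID (non-zero exit)
        e isa Union{Base.IOError,ProcessFailedException} || rethrow()
        return get(ENV, "USER", get(ENV, "USERNAME", "unknown"))
    end
end
```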
@@ -54,21 +60,23 @@ get_assumed_role(creds::AWSCredentials) = get_assumed_role(AWSConfig(; creds))
 end
 @testset "duration" begin
- drift = Second(1)
+ # Have seen up to 3 seconds of drift on CI jobs
+ drift = Second(5)
 creds = assume_role_creds(config, role_a; duration=nothing)
 t = floor(now(UTC), Second)
 @test t <= creds.expiry <= t + Second(3600) + drift
- creds = assume_role_creds(config, role_a; duration=900)
+ duration = 900 # Minimum allowed duration
+ creds = assume_role_creds(config, role_a; duration)
 t = floor(now(UTC), Second)
- @test t <= creds.expiry <= t + Second(900) + drift
+ @test t <= creds.expiry <= t + Second(duration) + drift
 end
 @testset "session_name" begin
- session_prefix = "AWS.jl-" * ENV["USER"]
+ session_prefix = "AWS.jl-"
 creds = assume_role_creds(config, role_a; session_name=nothing)
- regex = r":assumed-role/" * (role_a * '/' * session_prefix) * r"-\d{8}T\d{6}Z$"
+ regex = r":assumed-role/" * (role_a * '/' * session_prefix) * r".*-\d{8}T\d{6}Z$"
 @test contains(creds.user_arn, regex)
 @test get_assumed_role(creds) == role_a
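Review bot: With `session_prefix` cut down to `"AWS.jl-"` and `.*` added to the pattern, the `session_name` test no longer checks that the default session name carries the caller's user name. The `.*` also accepts any characters, including ones STS would reject in a session name. The session name is what ties an assumed-role call back to a person in audit logs, so a regression that drops or mangles the user part would now pass unnoticed. Consider constraining the middle part, e.g. `r"[\w+=,.@-]+-\d{8}T\d{6}Z$"`, or comparing against `AWS._whoami()` if `_role_session_name` (not visible here) leaves the name intact. The `session_name` testset continues past the end of this hunk.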