Merge pull request #1525 from kcbraunschweig/issue1524

Include IAM role in ec2 data (issue #1524)
chef · Oct 14, 2020 · 75d4610 · 75d4610
2 parents b6230ad + 0c11a79
commit 75d4610
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 8 deletions.
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
@@ -122,11 +122,17 @@ def looks_like_ec2?
       fetch_metadata.each do |k, v|
         # fetch_metadata returns IAM security credentials, including the IAM user's
         # secret access key. We'd rather not have ohai send this information
-        # to the server.
-        # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
-        next if k == "iam" && !hint?("iam")
-
-        ec2[k] = v
+        # to the server. If the instance is associated with an IAM role we grab
+        # only the "info" key and the IAM role name.
+        # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
+        if k == "iam" && !hint?("iam")
+          ec2[:iam] = v.select { |key, value| key == "info" }
+          if v["security-credentials"] && v["security-credentials"].keys.length == 1
+            ec2[:iam]["role_name"] = v["security-credentials"].keys[0]
+          end
+        else
+          ec2[k] = v
+        end
       end
       ec2[:userdata] = fetch_userdata
       ec2[:account_id] = fetch_dynamic_data["accountId"]

diff --git a/spec/unit/plugins/ec2_spec.rb b/spec/unit/plugins/ec2_spec.rb
@@ -240,13 +240,16 @@
         allow(plugin).to receive(:hint?).with("iam").and_return(false)
       end
 
-      it "parses ec2 iam/ directory and NOT collect iam/security-credentials/" do
+      it "parses ec2 iam/ directory and collect info and role_name and NOT collect iam/security-credentials/" do
         expect(@http_client).to receive(:get)
           .with("/2012-01-12/meta-data/")
           .and_return(double("Net::HTTP Response", body: "iam/", code: "200"))
         expect(@http_client).to receive(:get)
           .with("/2012-01-12/meta-data/iam/")
-          .and_return(double("Net::HTTP Response", body: "security-credentials/", code: "200"))
+          .and_return(double("Net::HTTP Response", body: "info\nsecurity-credentials/", code: "200"))
+        expect(@http_client).to receive(:get)
+          .with("/2012-01-12/meta-data/iam/info")
+          .and_return(double("Net::HTTP Response", body: "{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2020-10-08T20:47:08Z\",\n  \"InstanceProfileArn\" : \"arn:aws:iam::111111111111:instance-profile/my_profile\",\n  \"InstanceProfileId\" : \"AAAAAAAAAAAAAAAAAAAAA\"\n}", code: "200"))
         expect(@http_client).to receive(:get)
           .with("/2012-01-12/meta-data/iam/security-credentials/")
           .and_return(double("Net::HTTP Response", body: "MyRole", code: "200"))
@@ -263,7 +266,9 @@
         plugin.run
 
         expect(plugin[:ec2]).not_to be_nil
-        expect(plugin[:ec2]["iam"]).to be_nil
+        expect(plugin[:ec2]["iam"]["info"]["InstanceProfileId"]).to eql "AAAAAAAAAAAAAAAAAAAAA"
+        expect(plugin[:ec2]["iam"]["security-credentials"]).to be_nil
+        expect(plugin[:ec2]["iam"]["role_name"]).to eql "MyRole"
       end
     end