From b8cbeee8643e809c7818f0d8d02a6081bd2d49ac Mon Sep 17 00:00:00 2001 From: Paul Otto Date: Tue, 3 Jul 2018 05:43:05 -0600 Subject: [PATCH] Change GetAccountID to first try using caller identity for accountid. --- aws/auth_helpers.go | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/aws/auth_helpers.go b/aws/auth_helpers.go index 50221f56f43..5f65a47c45b 100644 --- a/aws/auth_helpers.go +++ b/aws/auth_helpers.go @@ -25,6 +25,16 @@ import ( func GetAccountID(iamconn *iam.IAM, stsconn *sts.STS, authProviderName string) (string, error) { var errors error + + // First, try STS GetCallerIdentity + log.Println("[DEBUG] Trying to get account ID via sts:GetCallerIdentity") + outCallerIdentity, err := stsconn.GetCallerIdentity(&sts.GetCallerIdentityInput{}) + if err == nil { + return parseAccountIDFromArn(*outCallerIdentity.Arn) + } + log.Printf("[DEBUG] Getting account ID via sts:GetCallerIdentity failed: %s", err) + errors = multierror.Append(errors, err) + // If we have creds from instance profile, we can use metadata API if authProviderName == ec2rolecreds.ProviderName { log.Println("[DEBUG] Trying to get account ID via AWS Metadata API") @@ -67,15 +77,6 @@ func GetAccountID(iamconn *iam.IAM, stsconn *sts.STS, authProviderName string) ( log.Printf("[DEBUG] Getting account ID via iam:GetUser failed: %s", err) } - // Then try STS GetCallerIdentity - log.Println("[DEBUG] Trying to get account ID via sts:GetCallerIdentity") - outCallerIdentity, err := stsconn.GetCallerIdentity(&sts.GetCallerIdentityInput{}) - if err == nil { - return parseAccountIDFromArn(*outCallerIdentity.Arn) - } - log.Printf("[DEBUG] Getting account ID via sts:GetCallerIdentity failed: %s", err) - errors = multierror.Append(errors, err) - // Then try IAM ListRoles log.Println("[DEBUG] Trying to get account ID via iam:ListRoles") outRoles, err := iamconn.ListRoles(&iam.ListRolesInput{
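Review bot: The added STS branch dereferences `*outCallerIdentity.Arn` with no nil check, and because this is now the first lookup attempted on every call, a successful response that lacks an Arn would panic rather than fall through to the metadata and IAM fallbacks. Guard it, for example `if err == nil && outCallerIdentity.Arn != nil {`, and when the guard fails with a nil `err`, log that case separately so the "failed: %s" message does not print a nil error. `sts.GetCallerIdentityOutput` also exposes an `Account` field, so the function could return `*outCallerIdentity.Account` (nil-checked) and not depend on ARN parsing for the account ID at all. A short comment on why STS goes first would help the next reader, e.g. `// sts:GetCallerIdentity needs no IAM permissions, so try it before the metadata and IAM lookups`. GetAccountID's body continues outside this hunk, so the interaction with the remaining fallbacks is not visible here.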