-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explicit profile overrides environment variables #486
Merged
+164
−8
Merged
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
cfc5a92
Explicit profile overrides environment variables
danielgtaylor 856eaec
Add integration tests
danielgtaylor ae1f175
Switch message to debug instead of info
danielgtaylor 616f70c
Do not modify global state in tests
danielgtaylor d7cd6d2
Remove unneeded mock
danielgtaylor d17c52d
Add unit tests for explicit profile
danielgtaylor d0e7add
Switch to any/all checks
danielgtaylor File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| [default] | ||
| aws_access_key_id = default | ||
| aws_secret_access_key = default-secret | ||
|
|
||
| [test] | ||
| aws_access_key_id = test | ||
| aws_secret_access_key = test-secret |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,111 @@ | ||
| # Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"). You | ||
| # may not use this file except in compliance with the License. A copy of | ||
| # the License is located at | ||
| # | ||
| # http://aws.amazon.com/apache2.0/ | ||
| # | ||
| # or in the "license" file accompanying this file. This file is | ||
| # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF | ||
| # ANY KIND, either express or implied. See the License for the specific | ||
| # language governing permissions and limitations under the License. | ||
|
|
||
| import os | ||
| import mock | ||
|
|
||
| from botocore.session import Session | ||
| from tests import BaseEnvVar | ||
|
|
||
|
|
||
| class TestCredentialPrecedence(BaseEnvVar): | ||
| def setUp(self): | ||
| super(TestCredentialPrecedence, self).setUp() | ||
|
|
||
| # Set the config file to something that doesn't exist so | ||
| # that we don't accidentally load a config. | ||
| os.environ['AWS_CONFIG_FILE'] = '~/.aws/config-missing' | ||
|
|
||
| def create_session(self, *args, **kwargs): | ||
| """ | ||
| Create a new session with the given arguments. Additionally, | ||
| this method will set the credentials file to the test credentials | ||
| used by the following test cases. | ||
| """ | ||
| kwargs['session_vars'] = { | ||
| 'credentials_file': ( | ||
| None, None, | ||
| os.path.join(os.path.dirname(__file__), 'test-credentials')) | ||
| } | ||
|
|
||
| return Session(*args, **kwargs) | ||
|
|
||
| def test_access_secret_vs_profile_env(self): | ||
| # If all three are given, then the access/secret keys should | ||
| # take precedence. | ||
| os.environ['AWS_ACCESS_KEY_ID'] = 'env' | ||
| os.environ['AWS_SECRET_ACCESS_KEY'] = 'env-secret' | ||
| os.environ['BOTO_DEFAULT_PROFILE'] = 'test' | ||
|
|
||
| s = self.create_session() | ||
| credentials = s.get_credentials() | ||
|
|
||
| self.assertEqual(credentials.access_key, 'env') | ||
| self.assertEqual(credentials.secret_key, 'env-secret') | ||
|
|
||
| @mock.patch('botocore.credentials.Credentials') | ||
| def test_access_secret_vs_profile_code(self, credentials_cls): | ||
| # If all three are given, then the access/secret keys should | ||
| # take precedence. | ||
| s = self.create_session() | ||
| s.profile = 'test' | ||
|
|
||
| client = s.create_client('s3', aws_access_key_id='code', | ||
| aws_secret_access_key='code-secret') | ||
|
|
||
| credentials_cls.assert_called_with( | ||
| access_key='code', secret_key='code-secret', token=mock.ANY) | ||
|
|
||
| def test_profile_env_vs_code(self): | ||
| # If the profile is set both by the env var and by code, | ||
| # then the one set by code should take precedence. | ||
| os.environ['BOTO_DEFAULT_PROFILE'] = 'test' | ||
| s = self.create_session() | ||
| s.profile = 'default' | ||
|
|
||
| credentials = s.get_credentials() | ||
|
|
||
| self.assertEqual(credentials.access_key, 'default') | ||
| self.assertEqual(credentials.secret_key, 'default-secret') | ||
|
|
||
| @mock.patch('botocore.credentials.Credentials') | ||
| def test_access_secret_env_vs_code(self, credentials_cls): | ||
| # If the access/secret keys are set both as env vars and via | ||
| # code, then those set by code should take precedence. | ||
| os.environ['AWS_ACCESS_KEY_ID'] = 'env' | ||
| os.environ['AWS_SECRET_ACCESS_KEY'] = 'secret' | ||
| s = self.create_session() | ||
|
|
||
| client = s.create_client('s3', aws_access_key_id='code', | ||
| aws_secret_access_key='code-secret') | ||
|
|
||
| credentials_cls.assert_called_with( | ||
| access_key='code', secret_key='code-secret', token=mock.ANY) | ||
|
|
||
| def test_access_secret_env_vs_profile_code(self): | ||
| # If access/secret keys are set in the environment, but then a | ||
| # specific profile is passed via code, then the access/secret | ||
| # keys defined in that profile should take precedence over | ||
| # the environment variables. Example: | ||
| # | ||
| # ``aws --profile dev s3 ls`` | ||
| # | ||
| os.environ['AWS_ACCESS_KEY_ID'] = 'env' | ||
| os.environ['AWS_SECRET_ACCESS_KEY'] = 'env-secret' | ||
| s = self.create_session() | ||
| s.profile = 'test' | ||
|
|
||
| credentials = s.get_credentials() | ||
|
|
||
| self.assertEqual(credentials.access_key, 'test') | ||
| self.assertEqual(credentials.secret_key, 'test-secret') | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not really a fan of patching, especially when it's not necessary. Why can't we just check the credential object directly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately this isn't exposed anywhere in clients. There is no way to get the credentials using public interfaces once a client is created. I'm not opposed to adding a
meta.credentialsproperty or something on clients, but I figured there would be push-back if I add this just for a test.