Remove config validtion. Debug logs show which credential source is used

99designs · Mar 9, 2023 · cda0841 · cda0841
1 parent 73bd342
commit cda0841
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 94 deletions.
diff --git a/vault/config.go b/vault/config.go
@@ -680,35 +680,3 @@ func (c *ProfileConfig) GetSessionTokenDuration() time.Duration {
 	}
 	return c.NonChainedGetSessionTokenDuration
 }
-
-func (c *ProfileConfig) Validate() error {
-	if c.HasSSOSession() && !c.HasSSOStartURL() {
-		return fmt.Errorf("profile '%s' has sso_session but no sso_start_url", c.ProfileName)
-	}
-
-	n := 0
-	if c.HasSSOStartURL() {
-		n++
-	}
-	if c.HasWebIdentity() {
-		n++
-	}
-	if c.HasCredentialProcess() {
-		n++
-	}
-	if c.HasSourceProfile() {
-		n++
-	}
-	if c.HasRole() &&
-		// these cases require the role to be set in addition, so it's part of
-		// their credential.
-		!c.HasSourceProfile() &&
-		!c.HasWebIdentity() {
-		n++
-	}
-	if n > 1 {
-		return fmt.Errorf("profile '%s' has more than one source of credentials", c.ProfileName)
-	}
-
-	return nil
-}
diff --git a/vault/config_test.go b/vault/config_test.go
@@ -616,49 +616,3 @@ source_profile = interim
 		t.Fatalf("Expected transitive_session_tags to be empty, got %+v", baseConfig.TransitiveSessionTags)
 	}
 }
-
-func TestValidConfigValidation(t *testing.T) {
-	f := newConfigFile(t, []byte(`
-[profile foo]
-region         = eu-west-1
-mfa_serial     = arn:aws:iam::9999999999999:mfa/david
-
-[profile foo:staging]
-role_arn       = arn:aws:iam::1111111111111:role/admin
-source_profile = foo
-region         = eu-west-2
-mfa_serial     = arn:aws:iam::9999999999999:mfa/david
-
-[profile foo:production]
-role_arn       = arn:aws:iam::1111111111111:role/admin
-source_profile = foo
-region         = eu-west-2
-mfa_serial     = arn:aws:iam::9999999999999:mfa/david
-credential_process = true
-
-[profile withwebidentity]
-role_arn = arn:aws:iam::123457890:role/foo
-web_identity_token_process = oidccli -issuer=https://example.com -client-id=aws -client-secret=localonly raw
-`))
-	defer os.Remove(f)
-	configFile, _ := vault.LoadConfig(f)
-	configLoader := &vault.ConfigLoader{File: configFile}
-
-	config, _ := configLoader.GetProfileConfig("foo:staging")
-	err := config.Validate()
-	if err != nil {
-		t.Fatalf("Should have validated: %v", err)
-	}
-
-	config, _ = configLoader.GetProfileConfig("foo:production")
-	err = config.Validate()
-	if err == nil {
-		t.Fatalf("Should have failed validation: %v", err)
-	}
-
-	config, _ = configLoader.GetProfileConfig("withwebidentity")
-	err = config.Validate()
-	if err != nil {
-		t.Fatalf("Should have validated withwebidentity: %v", err)
-	}
-}
diff --git a/vault/vault.go b/vault/vault.go
@@ -257,24 +257,21 @@ func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig) (sourcecredsPro
 }
 
 func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error) {
-	if err := config.Validate(); err != nil {
-		return nil, err
-	}
-
-	if config.HasSSOStartURL() {
-		log.Printf("profile %s: using SSO role credentials", config.ProfileName)
-		return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
-	}
+	if !t.Keyring.HasStoredCredential(config.ProfileName) {
+		if config.HasSSOStartURL() {
+			log.Printf("profile %s: using SSO role credentials", config.ProfileName)
+			return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
+		}
 
-	if config.HasWebIdentity() {
-		log.Printf("profile %s: using web identity", config.ProfileName)
-		return NewAssumeRoleWithWebIdentityProvider(t.Keyring.Keyring, config, !t.DisableCache)
-	}
+		if config.HasWebIdentity() {
+			log.Printf("profile %s: using web identity", config.ProfileName)
+			return NewAssumeRoleWithWebIdentityProvider(t.Keyring.Keyring, config, !t.DisableCache)
+		}
 
-	storedCredentialForProfile := t.Keyring.HasStoredCredential(config.ProfileName)
-	if !storedCredentialForProfile && config.HasCredentialProcess() {
-		log.Printf("profile %s: using credential process", config.ProfileName)
-		return NewCredentialProcessProvider(t.Keyring.Keyring, config, !t.DisableCache)
+		if config.HasCredentialProcess() {
+			log.Printf("profile %s: using credential process", config.ProfileName)
+			return NewCredentialProcessProvider(t.Keyring.Keyring, config, !t.DisableCache)
+		}
 	}
 
 	sourcecredsProvider, err := t.getSourceCreds(config)