1 files changed, 433 insertions, 0 deletions
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go
new file mode 100644
index 0000000..c5153c4
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go
@@ -0,0 +1,433 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "bufio"
+        "context"
+        "errors"
+        "fmt"
+        "io"
+        "net"
+        "net/http"
+        "net/url"
+        "os"
+        "path"
+        "strings"
+        "time"
+        jsoniter "github.com/json-iterator/go"
+)
+// DefaultExpiryWindow - Default expiry window.
+// ExpiryWindow will allow the credentials to trigger refreshing
+// prior to the credentials actually expiring. This is beneficial
+// so race conditions with expiring credentials do not cause
+// request to fail unexpectedly due to ExpiredTokenException exceptions.
+// DefaultExpiryWindow can be used as parameter to (*Expiry).SetExpiration.
+// When used the tokens refresh will be triggered when 80% of the elapsed
+// time until the actual expiration time is passed.
+const DefaultExpiryWindow = -1
+// A IAM retrieves credentials from the EC2 service, and keeps track if
+// those credentials are expired.
+type IAM struct {
+        Expiry
+        // Required http Client to use when connecting to IAM metadata service.
+        Client *http.Client
+        // Custom endpoint to fetch IAM role credentials.
+        Endpoint string
+        // Region configurable custom region for STS
+        Region string
+        // Support for container authorization token https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
+        Container struct {
+                AuthorizationToken     string
+                CredentialsFullURI     string
+                CredentialsRelativeURI string
+        }
+        // EKS based k8s RBAC authorization - https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html
+        EKSIdentity struct {
+                TokenFile       string
+                RoleARN         string
+                RoleSessionName string
+        }
+}
+// IAM Roles for Amazon EC2
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+const (
+        DefaultIAMRoleEndpoint      = "http://169.254.169.254"
+        DefaultECSRoleEndpoint      = "http://169.254.170.2"
+        DefaultSTSRoleEndpoint      = "https://sts.amazonaws.com"
+        DefaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials/"
+        TokenRequestTTLHeader       = "X-aws-ec2-metadata-token-ttl-seconds"
+        TokenPath                   = "/latest/api/token"
+        TokenTTL                    = "21600"
+        TokenRequestHeader          = "X-aws-ec2-metadata-token"
+)
+// NewIAM returns a pointer to a new Credentials object wrapping the IAM.
+func NewIAM(endpoint string) *Credentials {
+        return New(&IAM{
+                Client: &http.Client{
+                        Transport: http.DefaultTransport,
+                },
+                Endpoint: endpoint,
+        })
+}
+// Retrieve retrieves credentials from the EC2 service.
+// Error will be returned if the request fails, or unable to extract
+// the desired
+func (m *IAM) Retrieve() (Value, error) {
+        token := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN")
+        if token == "" {
+                token = m.Container.AuthorizationToken
+        }
+        relativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
+        if relativeURI == "" {
+                relativeURI = m.Container.CredentialsRelativeURI
+        }
+        fullURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")
+        if fullURI == "" {
+                fullURI = m.Container.CredentialsFullURI
+        }
+        identityFile := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+        if identityFile == "" {
+                identityFile = m.EKSIdentity.TokenFile
+        }
+        roleArn := os.Getenv("AWS_ROLE_ARN")
+        if roleArn == "" {
+                roleArn = m.EKSIdentity.RoleARN
+        }
+        roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
+        if roleSessionName == "" {
+                roleSessionName = m.EKSIdentity.RoleSessionName
+        }
+        region := os.Getenv("AWS_REGION")
+        if region == "" {
+                region = m.Region
+        }
+        var roleCreds ec2RoleCredRespBody
+        var err error
+        endpoint := m.Endpoint
+        switch {
+        case identityFile != "":
+                if len(endpoint) == 0 {
+                        if region != "" {
+                                if strings.HasPrefix(region, "cn-") {
+                                        endpoint = "https://sts." + region + ".amazonaws.com.cn"
+                                } else {
+                                        endpoint = "https://sts." + region + ".amazonaws.com"
+                                }
+                        } else {
+                                endpoint = DefaultSTSRoleEndpoint
+                        }
+                }
+                creds := &STSWebIdentity{
+                        Client:      m.Client,
+                        STSEndpoint: endpoint,
+                        GetWebIDTokenExpiry: func() (*WebIdentityToken, error) {
+                                token, err := os.ReadFile(identityFile)
+                                if err != nil {
+                                        return nil, err
+                                }
+                                return &WebIdentityToken{Token: string(token)}, nil
+                        },
+                        RoleARN:         roleArn,
+                        roleSessionName: roleSessionName,
+                }
+                stsWebIdentityCreds, err := creds.Retrieve()
+                if err == nil {
+                        m.SetExpiration(creds.Expiration(), DefaultExpiryWindow)
+                }
+                return stsWebIdentityCreds, err
+        case relativeURI != "":
+                if len(endpoint) == 0 {
+                        endpoint = fmt.Sprintf("%s%s", DefaultECSRoleEndpoint, relativeURI)
+                }
+                roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
+        case fullURI != "":
+                if len(endpoint) == 0 {
+                        endpoint = fullURI
+                        var ok bool
+                        if ok, err = isLoopback(endpoint); !ok {
+                                if err == nil {
+                                        err = fmt.Errorf("uri host is not a loopback address: %s", endpoint)
+                                }
+                                break
+                        }
+                }
+                roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
+        default:
+                roleCreds, err = getCredentials(m.Client, endpoint)
+        }
+        if err != nil {
+                return Value{}, err
+        }
+        // Expiry window is set to 10secs.
+        m.SetExpiration(roleCreds.Expiration, DefaultExpiryWindow)
+        return Value{
+                AccessKeyID:     roleCreds.AccessKeyID,
+                SecretAccessKey: roleCreds.SecretAccessKey,
+                SessionToken:    roleCreds.Token,
+                SignerType:      SignatureV4,
+        }, nil
+}
+// A ec2RoleCredRespBody provides the shape for unmarshaling credential
+// request responses.
+type ec2RoleCredRespBody struct {
+        // Success State
+        Expiration      time.Time
+        AccessKeyID     string
+        SecretAccessKey string
+        Token           string
+        // Error state
+        Code    string
+        Message string
+        // Unused params.
+        LastUpdated time.Time
+        Type        string
+}
+// Get the final IAM role URL where the request will
+// be sent to fetch the rolling access credentials.
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+func getIAMRoleURL(endpoint string) (*url.URL, error) {
+        u, err := url.Parse(endpoint)
+        if err != nil {
+                return nil, err
+        }
+        u.Path = DefaultIAMSecurityCredsPath
+        return u, nil
+}
+// listRoleNames lists of credential role names associated
+// with the current EC2 service. If there are no credentials,
+// or there is an error making or receiving the request.
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+func listRoleNames(client *http.Client, u *url.URL, token string) ([]string, error) {
+        req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+        if err != nil {
+                return nil, err
+        }
+        if token != "" {
+                req.Header.Add(TokenRequestHeader, token)
+        }
+        resp, err := client.Do(req)
+        if err != nil {
+                return nil, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                return nil, errors.New(resp.Status)
+        }
+        credsList := []string{}
+        s := bufio.NewScanner(resp.Body)
+        for s.Scan() {
+                credsList = append(credsList, s.Text())
+        }
+        if err := s.Err(); err != nil {
+                return nil, err
+        }
+        return credsList, nil
+}
+func getEcsTaskCredentials(client *http.Client, endpoint, token string) (ec2RoleCredRespBody, error) {
+        req, err := http.NewRequest(http.MethodGet, endpoint, nil)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        if token != "" {
+                req.Header.Set("Authorization", token)
+        }
+        resp, err := client.Do(req)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                return ec2RoleCredRespBody{}, errors.New(resp.Status)
+        }
+        respCreds := ec2RoleCredRespBody{}
+        if err := jsoniter.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        return respCreds, nil
+}
+func fetchIMDSToken(client *http.Client, endpoint string) (string, error) {
+        ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+        defer cancel()
+        req, err := http.NewRequestWithContext(ctx, http.MethodPut, endpoint+TokenPath, nil)
+        if err != nil {
+                return "", err
+        }
+        req.Header.Add(TokenRequestTTLHeader, TokenTTL)
+        resp, err := client.Do(req)
+        if err != nil {
+                return "", err
+        }
+        defer resp.Body.Close()
+        data, err := io.ReadAll(resp.Body)
+        if err != nil {
+                return "", err
+        }
+        if resp.StatusCode != http.StatusOK {
+                return "", errors.New(resp.Status)
+        }
+        return string(data), nil
+}
+// getCredentials - obtains the credentials from the IAM role name associated with
+// the current EC2 service.
+//
+// If the credentials cannot be found, or there is an error
+// reading the response an error will be returned.
+func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) {
+        if endpoint == "" {
+                endpoint = DefaultIAMRoleEndpoint
+        }
+        // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
+        token, err := fetchIMDSToken(client, endpoint)
+        if err != nil {
+                // Return only errors for valid situations, if the IMDSv2 is not enabled
+                // we will not be able to get the token, in such a situation we have
+                // to rely on IMDSv1 behavior as a fallback, this check ensures that.
+                // Refer https://github.com/minio/minio-go/issues/1866
+                if !errors.Is(err, context.DeadlineExceeded) && !errors.Is(err, context.Canceled) {
+                        return ec2RoleCredRespBody{}, err
+                }
+        }
+        // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+        u, err := getIAMRoleURL(endpoint)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+        roleNames, err := listRoleNames(client, u, token)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        if len(roleNames) == 0 {
+                return ec2RoleCredRespBody{}, errors.New("No IAM roles attached to this EC2 service")
+        }
+        // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+        // - An instance profile can contain only one IAM role. This limit cannot be increased.
+        roleName := roleNames[0]
+        // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+        // The following command retrieves the security credentials for an
+        // IAM role named `s3access`.
+        //
+        //    $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
+        //
+        u.Path = path.Join(u.Path, roleName)
+        req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        if token != "" {
+                req.Header.Add(TokenRequestHeader, token)
+        }
+        resp, err := client.Do(req)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                return ec2RoleCredRespBody{}, errors.New(resp.Status)
+        }
+        respCreds := ec2RoleCredRespBody{}
+        if err := jsoniter.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        if respCreds.Code != "Success" {
+                // If an error code was returned something failed requesting the role.
+                return ec2RoleCredRespBody{}, errors.New(respCreds.Message)
+        }
+        return respCreds, nil
+}
+// isLoopback identifies if a uri's host is on a loopback address
+func isLoopback(uri string) (bool, error) {
+        u, err := url.Parse(uri)
+        if err != nil {
+                return false, err
+        }
+        host := u.Hostname()
+        if len(host) == 0 {
+                return false, fmt.Errorf("can't parse host from uri: %s", uri)
+        }
+        ips, err := net.LookupHost(host)
+        if err != nil {
+                return false, err
+        }
+        for _, ip := range ips {
+                if !net.ParseIP(ip).IsLoopback() {
+                        return false, nil
+                }
+        }
+        return true, nil
+}

diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go new file mode 100644 index 0000000..c5153c4 --- /dev/null +++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go
@@ -0,0 +1,433 @@
	1	/*
	2	* MinIO Go Library for Amazon S3 Compatible Cloud Storage
	3	* Copyright 2017 MinIO, Inc.
	4	*
	5	* Licensed under the Apache License, Version 2.0 (the "License");
	6	* you may not use this file except in compliance with the License.
	7	* You may obtain a copy of the License at
	8	*
	9	* http://www.apache.org/licenses/LICENSE-2.0
	10	*
	11	* Unless required by applicable law or agreed to in writing, software
	12	* distributed under the License is distributed on an "AS IS" BASIS,
	13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	* See the License for the specific language governing permissions and
	15	* limitations under the License.
	16	*/
	17
	18	package credentials
	19
	20	import (
	21	"bufio"
	22	"context"
	23	"errors"
	24	"fmt"
	25	"io"
	26	"net"
	27	"net/http"
	28	"net/url"
	29	"os"
	30	"path"
	31	"strings"
	32	"time"
	33
	34	jsoniter "github.com/json-iterator/go"
	35	)
	36
	37	// DefaultExpiryWindow - Default expiry window.
	38	// ExpiryWindow will allow the credentials to trigger refreshing
	39	// prior to the credentials actually expiring. This is beneficial
	40	// so race conditions with expiring credentials do not cause
	41	// request to fail unexpectedly due to ExpiredTokenException exceptions.
	42	// DefaultExpiryWindow can be used as parameter to (*Expiry).SetExpiration.
	43	// When used the tokens refresh will be triggered when 80% of the elapsed
	44	// time until the actual expiration time is passed.
	45	const DefaultExpiryWindow = -1
	46
	47	// A IAM retrieves credentials from the EC2 service, and keeps track if
	48	// those credentials are expired.
	49	type IAM struct {
	50	Expiry
	51
	52	// Required http Client to use when connecting to IAM metadata service.
	53	Client *http.Client
	54
	55	// Custom endpoint to fetch IAM role credentials.
	56	Endpoint string
	57
	58	// Region configurable custom region for STS
	59	Region string
	60
	61	// Support for container authorization token https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
	62	Container struct {
	63	AuthorizationToken string
	64	CredentialsFullURI string
	65	CredentialsRelativeURI string
	66	}
	67
	68	// EKS based k8s RBAC authorization - https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html
	69	EKSIdentity struct {
	70	TokenFile string
	71	RoleARN string
	72	RoleSessionName string
	73	}
	74	}
	75
	76	// IAM Roles for Amazon EC2
	77	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
	78	const (
	79	DefaultIAMRoleEndpoint = "http://169.254.169.254"
	80	DefaultECSRoleEndpoint = "http://169.254.170.2"
	81	DefaultSTSRoleEndpoint = "https://sts.amazonaws.com"
	82	DefaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials/"
	83	TokenRequestTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	84	TokenPath = "/latest/api/token"
	85	TokenTTL = "21600"
	86	TokenRequestHeader = "X-aws-ec2-metadata-token"
	87	)
	88
	89	// NewIAM returns a pointer to a new Credentials object wrapping the IAM.
	90	func NewIAM(endpoint string) *Credentials {
	91	return New(&IAM{
	92	Client: &http.Client{
	93	Transport: http.DefaultTransport,
	94	},
	95	Endpoint: endpoint,
	96	})
	97	}
	98
	99	// Retrieve retrieves credentials from the EC2 service.
	100	// Error will be returned if the request fails, or unable to extract
	101	// the desired
	102	func (m *IAM) Retrieve() (Value, error) {
	103	token := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN")
	104	if token == "" {
	105	token = m.Container.AuthorizationToken
	106	}
	107
	108	relativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
	109	if relativeURI == "" {
	110	relativeURI = m.Container.CredentialsRelativeURI
	111	}
	112
	113	fullURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")
	114	if fullURI == "" {
	115	fullURI = m.Container.CredentialsFullURI
	116	}
	117
	118	identityFile := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	119	if identityFile == "" {
	120	identityFile = m.EKSIdentity.TokenFile
	121	}
	122
	123	roleArn := os.Getenv("AWS_ROLE_ARN")
	124	if roleArn == "" {
	125	roleArn = m.EKSIdentity.RoleARN
	126	}
	127
	128	roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
	129	if roleSessionName == "" {
	130	roleSessionName = m.EKSIdentity.RoleSessionName
	131	}
	132
	133	region := os.Getenv("AWS_REGION")
	134	if region == "" {
	135	region = m.Region
	136	}
	137
	138	var roleCreds ec2RoleCredRespBody
	139	var err error
	140
	141	endpoint := m.Endpoint
	142	switch {
	143	case identityFile != "":
	144	if len(endpoint) == 0 {
	145	if region != "" {
	146	if strings.HasPrefix(region, "cn-") {
	147	endpoint = "https://sts." + region + ".amazonaws.com.cn"
	148	} else {
	149	endpoint = "https://sts." + region + ".amazonaws.com"
	150	}
	151	} else {
	152	endpoint = DefaultSTSRoleEndpoint
	153	}
	154	}
	155
	156	creds := &STSWebIdentity{
	157	Client: m.Client,
	158	STSEndpoint: endpoint,
	159	GetWebIDTokenExpiry: func() (*WebIdentityToken, error) {
	160	token, err := os.ReadFile(identityFile)
	161	if err != nil {
	162	return nil, err
	163	}
	164
	165	return &WebIdentityToken{Token: string(token)}, nil
	166	},
	167	RoleARN: roleArn,
	168	roleSessionName: roleSessionName,
	169	}
	170
	171	stsWebIdentityCreds, err := creds.Retrieve()
	172	if err == nil {
	173	m.SetExpiration(creds.Expiration(), DefaultExpiryWindow)
	174	}
	175	return stsWebIdentityCreds, err
	176
	177	case relativeURI != "":
	178	if len(endpoint) == 0 {
	179	endpoint = fmt.Sprintf("%s%s", DefaultECSRoleEndpoint, relativeURI)
	180	}
	181
	182	roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
	183
	184	case fullURI != "":
	185	if len(endpoint) == 0 {
	186	endpoint = fullURI
	187	var ok bool
	188	if ok, err = isLoopback(endpoint); !ok {
	189	if err == nil {
	190	err = fmt.Errorf("uri host is not a loopback address: %s", endpoint)
	191	}
	192	break
	193	}
	194	}
	195
	196	roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
	197
	198	default:
	199	roleCreds, err = getCredentials(m.Client, endpoint)
	200	}
	201
	202	if err != nil {
	203	return Value{}, err
	204	}
	205	// Expiry window is set to 10secs.
	206	m.SetExpiration(roleCreds.Expiration, DefaultExpiryWindow)
	207
	208	return Value{
	209	AccessKeyID: roleCreds.AccessKeyID,
	210	SecretAccessKey: roleCreds.SecretAccessKey,
	211	SessionToken: roleCreds.Token,
	212	SignerType: SignatureV4,
	213	}, nil
	214	}
	215
	216	// A ec2RoleCredRespBody provides the shape for unmarshaling credential
	217	// request responses.
	218	type ec2RoleCredRespBody struct {
	219	// Success State
	220	Expiration time.Time
	221	AccessKeyID string
	222	SecretAccessKey string
	223	Token string
	224
	225	// Error state
	226	Code string
	227	Message string
	228
	229	// Unused params.
	230	LastUpdated time.Time
	231	Type string
	232	}
	233
	234	// Get the final IAM role URL where the request will
	235	// be sent to fetch the rolling access credentials.
	236	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
	237	func getIAMRoleURL(endpoint string) (*url.URL, error) {
	238	u, err := url.Parse(endpoint)
	239	if err != nil {
	240	return nil, err
	241	}
	242	u.Path = DefaultIAMSecurityCredsPath
	243	return u, nil
	244	}
	245
	246	// listRoleNames lists of credential role names associated
	247	// with the current EC2 service. If there are no credentials,
	248	// or there is an error making or receiving the request.
	249	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
	250	func listRoleNames(client http.Client, u url.URL, token string) ([]string, error) {
	251	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	252	if err != nil {
	253	return nil, err
	254	}
	255	if token != "" {
	256	req.Header.Add(TokenRequestHeader, token)
	257	}
	258	resp, err := client.Do(req)
	259	if err != nil {
	260	return nil, err
	261	}
	262	defer resp.Body.Close()
	263	if resp.StatusCode != http.StatusOK {
	264	return nil, errors.New(resp.Status)
	265	}
	266
	267	credsList := []string{}
	268	s := bufio.NewScanner(resp.Body)
	269	for s.Scan() {
	270	credsList = append(credsList, s.Text())
	271	}
	272
	273	if err := s.Err(); err != nil {
	274	return nil, err
	275	}
	276
	277	return credsList, nil
	278	}
	279
	280	func getEcsTaskCredentials(client *http.Client, endpoint, token string) (ec2RoleCredRespBody, error) {
	281	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	282	if err != nil {
	283	return ec2RoleCredRespBody{}, err
	284	}
	285
	286	if token != "" {
	287	req.Header.Set("Authorization", token)
	288	}
	289
	290	resp, err := client.Do(req)
	291	if err != nil {
	292	return ec2RoleCredRespBody{}, err
	293	}
	294	defer resp.Body.Close()
	295	if resp.StatusCode != http.StatusOK {
	296	return ec2RoleCredRespBody{}, errors.New(resp.Status)
	297	}
	298
	299	respCreds := ec2RoleCredRespBody{}
	300	if err := jsoniter.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
	301	return ec2RoleCredRespBody{}, err
	302	}
	303
	304	return respCreds, nil
	305	}
	306
	307	func fetchIMDSToken(client *http.Client, endpoint string) (string, error) {
	308	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	309	defer cancel()
	310
	311	req, err := http.NewRequestWithContext(ctx, http.MethodPut, endpoint+TokenPath, nil)
	312	if err != nil {
	313	return "", err
	314	}
	315	req.Header.Add(TokenRequestTTLHeader, TokenTTL)
	316	resp, err := client.Do(req)
	317	if err != nil {
	318	return "", err
	319	}
	320	defer resp.Body.Close()
	321	data, err := io.ReadAll(resp.Body)
	322	if err != nil {
	323	return "", err
	324	}
	325	if resp.StatusCode != http.StatusOK {
	326	return "", errors.New(resp.Status)
	327	}
	328	return string(data), nil
	329	}
	330
	331	// getCredentials - obtains the credentials from the IAM role name associated with
	332	// the current EC2 service.
	333	//
	334	// If the credentials cannot be found, or there is an error
	335	// reading the response an error will be returned.
	336	func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) {
	337	if endpoint == "" {
	338	endpoint = DefaultIAMRoleEndpoint
	339	}
	340
	341	// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
	342	token, err := fetchIMDSToken(client, endpoint)
	343	if err != nil {
	344	// Return only errors for valid situations, if the IMDSv2 is not enabled
	345	// we will not be able to get the token, in such a situation we have
	346	// to rely on IMDSv1 behavior as a fallback, this check ensures that.
	347	// Refer https://github.com/minio/minio-go/issues/1866
	348	if !errors.Is(err, context.DeadlineExceeded) && !errors.Is(err, context.Canceled) {
	349	return ec2RoleCredRespBody{}, err
	350	}
	351	}
	352
	353	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
	354	u, err := getIAMRoleURL(endpoint)
	355	if err != nil {
	356	return ec2RoleCredRespBody{}, err
	357	}
	358
	359	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
	360	roleNames, err := listRoleNames(client, u, token)
	361	if err != nil {
	362	return ec2RoleCredRespBody{}, err
	363	}
	364
	365	if len(roleNames) == 0 {
	366	return ec2RoleCredRespBody{}, errors.New("No IAM roles attached to this EC2 service")
	367	}
	368
	369	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
	370	// - An instance profile can contain only one IAM role. This limit cannot be increased.
	371	roleName := roleNames[0]
	372
	373	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
	374	// The following command retrieves the security credentials for an
	375	// IAM role named `s3access`.
	376	//
	377	// $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
	378	//
	379	u.Path = path.Join(u.Path, roleName)
	380	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	381	if err != nil {
	382	return ec2RoleCredRespBody{}, err
	383	}
	384	if token != "" {
	385	req.Header.Add(TokenRequestHeader, token)
	386	}
	387
	388	resp, err := client.Do(req)
	389	if err != nil {
	390	return ec2RoleCredRespBody{}, err
	391	}
	392	defer resp.Body.Close()
	393	if resp.StatusCode != http.StatusOK {
	394	return ec2RoleCredRespBody{}, errors.New(resp.Status)
	395	}
	396
	397	respCreds := ec2RoleCredRespBody{}
	398	if err := jsoniter.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
	399	return ec2RoleCredRespBody{}, err
	400	}
	401
	402	if respCreds.Code != "Success" {
	403	// If an error code was returned something failed requesting the role.
	404	return ec2RoleCredRespBody{}, errors.New(respCreds.Message)
	405	}
	406
	407	return respCreds, nil
	408	}
	409
	410	// isLoopback identifies if a uri's host is on a loopback address
	411	func isLoopback(uri string) (bool, error) {
	412	u, err := url.Parse(uri)
	413	if err != nil {
	414	return false, err
	415	}
	416
	417	host := u.Hostname()
	418	if len(host) == 0 {
	419	return false, fmt.Errorf("can't parse host from uri: %s", uri)
	420	}
	421
	422	ips, err := net.LookupHost(host)
	423	if err != nil {
	424	return false, err
	425	}
	426	for _, ip := range ips {
	427	if !net.ParseIP(ip).IsLoopback() {
	428	return false, nil
	429	}
	430	}
	431
	432	return true, nil
	433	}