0
votes

Using Golang with go-aws-sdk and having some issues catching invalid session credentials.

Using the shared credential files in ~/.aws/{config, credentials}

Sess, err := session.NewSessionWithOptions(session.Options{
    Profile: instance.Config.AWS.AWSProfile,
})

Works fine when the credentials are valid, but if I use an invalid aws_access_key_id in the credentials file, I need a way to detect this with my AWSLogin() func.

What's happening is that any subsequent call to an AWS service raises a panic when using Sess above.

How can I detect a failed login with the above NewSessionWithOptions() method?

UPDATE: yes, the error type is nil, so the following is of no use:

if err != nil {
    return nil, fmt.Errorf("Error logging into AWS: %v", err.Error())
}
2
Maybe you can use a dummy call and recover? This way you can at least catch the error on something you know should work in most cases. - kichik
I was also mentally going down this path.. We use the least privilege model though so I'm wondering which service I can make a call to that every account should have access to? - buildmaestro
Try getting the user id like stackoverflow.com/q/33332050/492773 - kichik
@kichik I ended up testing by listing a known S3 bucket this instance will have privileges for. I had the code on hand, but I feel like iam.currentUser as you mentioned would be better. - buildmaestro
Check this other question: stackoverflow.com/questions/33068055/… - razimbres

2 Answers

0
votes

So you would have to check for invalid errors after making a call to aws. Try and use Credentials.Get() and see if err != nil

0
votes

Here's what I ended up doing. Test that credentials are loaded, test a known service such as an S3 bucket this application needs access to.

// login to AWS
AWSProfile := "default"
fmt.Printf("Using AWS Profile: %v\n", instance.Config.AWS.AWSProfile)
Sess, err := session.NewSessionWithOptions(session.Options{
    Profile: AWSProfile,
})
if err != nil {
    return fmt.Errorf("Error logging into AWS: %v", err.Error())
}

// attempt to load config (e.g. env variables, shared config, instance profile) 
// log which AWS API Key is being used
svc := s3.New(Sess)
credentials, err := svc.Config.Credentials.Get()
if err != nil {
    return errors.New("Error logging into AWS. Check Credentials.")
}
fmt.Printf("Using Access Key ID: (%v)\n", credentials.AccessKeyID)
bucketName := "s3bucketname"

// test the login can access a typical aws service (s3) and known bucket 
params := &s3.ListObjectsInput {
    Bucket: aws.String(bucketName),
}
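resp, err := svc.ListObjects(params)
if err != nil {
    // do not discard the error: rejected credentials are reported here
    return fmt.Errorf("Error logging into AWS. Can not access bucket (%v): %v", bucketName, err)
}

if len(resp.Contents) < 1 {
    return fmt.Errorf("Error logging into AWS. Can not access bucket (%v). Check Credentials.", bucketName)
}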
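
The "dummy call and recover" idea from the comments, combined with telling rejected credentials apart from a least-privilege denial, as an added example that is not code from any of the posts or from the AWS SDK. `CheckLogin`, `coded` and `fakeAWSErr` are hypothetical names; the probe is assumed to wrap one real call (STS GetCallerIdentity is a good fit under least privilege because it needs no IAM permissions), and the error codes listed are assumed to be the ones the service or SDK reports.

```go
package main

import (
	"errors"
	"fmt"
)

// coded matches the Code() method of aws-sdk-go's awserr.Error, so real SDK
// errors can be classified without importing the SDK here (assumption).
type coded interface{ Code() string }

// fakeAWSErr is a constructed stand-in for an SDK error.
type fakeAWSErr struct{ code, msg string }

func (e fakeAWSErr) Error() string { return e.code + ": " + e.msg }
func (e fakeAWSErr) Code() string  { return e.code }

var ErrBadCredentials = errors.New("AWS rejected the credentials")

// CheckLogin runs probe (one cheap AWS call) and returns ok=true when the
// request was authenticated; err carries whatever the probe reported.
func CheckLogin(probe func() error) (ok bool, err error) {
	defer func() {
		if r := recover(); r != nil { // a panicking probe must not kill the caller
			ok, err = false, fmt.Errorf("probe panicked: %v", r)
		}
	}()
	perr := probe()
	if perr == nil {
		return true, nil
	}
	var ce coded
	if errors.As(perr, &ce) {
		switch ce.Code() {
		case "InvalidClientTokenId", "InvalidAccessKeyId", "SignatureDoesNotMatch",
			"ExpiredToken", "NoCredentialProviders":
			return false, fmt.Errorf("%w: %s", ErrBadCredentials, ce.Code())
		case "AccessDenied":
			// Authenticated; the identity only lacks permission for this call.
			return true, perr
		}
	}
	return false, perr // network failure, throttling, etc.: not a verdict on the keys
}

func main() {
	_, err := CheckLogin(func() error { return fakeAWSErr{"InvalidClientTokenId", "constructed sample"} })
	fmt.Println(err)
}
```
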