Add explicit option for using iam profile for authentication

lib/kitchen/driver/ec2.rb

@@ -29,8 +29,7 @@ module Driver
     #
     # @author Fletcher Nichol <[email protected]>
     class Ec2 < Kitchen::Driver::SSHBase
-
-      extend Fog::AWS::CredentialFetcher::ServiceMethods
+      include Fog::AWS::CredentialFetcher::ServiceMethods
       default_config :region,             'us-east-1'
       default_config :availability_zone,  'us-east-1b'
       default_config :flavor_id,          'm1.small'
@@ -42,13 +41,14 @@ class Ec2 < Kitchen::Driver::SSHBase
       default_config :iam_profile_name,   nil
       default_config :price,   nil
       default_config :aws_access_key_id do |driver|
-        ENV['AWS_ACCESS_KEY'] || ENV['AWS_ACCESS_KEY_ID'] || iam_creds[:aws_access_key_id]
+        ENV['AWS_ACCESS_KEY'] || ENV['AWS_ACCESS_KEY_ID'] || driver.iam_creds[:aws_access_key_id]
       end
       default_config :aws_secret_access_key do |driver|
-        ENV['AWS_SECRET_KEY'] || ENV['AWS_SECRET_ACCESS_KEY'] || iam_creds[:aws_secret_access_key]
+        ENV['AWS_SECRET_KEY'] || ENV['AWS_SECRET_ACCESS_KEY'] ||
+          driver.iam_creds[:aws_secret_access_key]
       end
       default_config :aws_session_token do |driver|
-        ENV['AWS_SESSION_TOKEN'] || ENV['AWS_TOKEN'] || iam_creds[:aws_session_token]
+        driver.default_aws_session_token
       end
       default_config :aws_ssh_key_id do |driver|
         ENV['AWS_SSH_KEY_ID']
@@ -98,10 +98,10 @@ class Ec2 < Kitchen::Driver::SSHBase
         end
       end
 
-      def self.iam_creds
+      def iam_creds
         @iam_creds ||= begin
-          fetch_credentials(use_iam_profile:true)
-        rescue RuntimeError => e
+          fetch_credentials(use_iam_profile: true)
+        rescue RuntimeError, NoMethodError => e
           debug("fetch_credentials failed with exception #{e.message}:#{e.backtrace.join("\n")}")
           {}
         end
@@ -167,6 +167,15 @@ def default_public_ip_association
         !!config[:subnet_id]
       end
 
+      def default_aws_session_token
+        if config[:aws_secret_access_key] == iam_creds[:aws_secret_access_key] \
+          && config[:aws_access_key_id] == iam_creds[:aws_access_key_id]
+          iam_creds[:aws_session_token]
+        else
+          ENV['AWS_SESSION_TOKEN'] || ENV['AWS_TOKEN']
+        end
+      end
+
       private
 
       def connection

spec/create_spec.rb

@@ -128,6 +128,50 @@
 
   end
 
+  context 'When autodetecting an iam role' do
+    let(:iam_creds) do
+      {
+        aws_access_key_id: 'secret',
+        aws_secret_access_key: 'moarsecret',
+        aws_session_token: 'randomsecret'
+      }
+    end
+
+    context 'when :aws_secret_key_id is not set via iam_creds' do
+      it 'does not set config[:aws_session_token] based on iam_creds' do
+        config[:aws_secret_access_key] = 'adifferentsecret'
+
+        allow(driver)
+          .to receive(:iam_creds).and_return(iam_creds)
+
+        expect(driver.send(:config)[:aws_session_token]).to be_nil
+      end
+    end
+
+    context 'when :aws_access_key_id is not set via iam_creds' do
+     it 'does not set config[:aws_session_token] based on iam_creds' do
+        config[:aws_access_key_id] = 'adifferentsecret'
+
+        allow(driver)
+          .to receive(:iam_creds).and_return(iam_creds)
+
+        expect(driver.send(:config)[:aws_session_token]).to be_nil
+      end
+    end
+
+    context 'when :aws_secret_key_id and :aws_access_key_id are set via iam_creds' do
+      it 'uses :aws_session_token from iam_creds' do
+        allow(driver)
+          .to receive(:iam_creds).and_return(iam_creds)
+
+        expect(driver)
+          .to receive(:iam_creds)
+
+        expect(driver.send(:config)[:aws_session_token]).to eq(iam_creds[:aws_session_token])
+      end
+    end
+  end
+
   describe '#block_device_mappings' do
     let(:connection) { double(Fog::Compute) }
     let(:image) { double('Image', :root_device_name => 'name') }