Only use 2 metadata service calls to get credentials

Because of the lazy loading dict returned when retrieving IAM role credentials, we were making twice as many calls: * .../meta-data/ * .../meta-data/iam/ * .../meta-data/iam/security-credentials/ * .../meta-data/iam/security-credentials/role-name Instead the ``data`` arg is used so that we can make only two calls, one to retrieve the role name, and one to retrieve the actual credentials: * .../meta-data/iam/security-credentials/ * .../meta-data/iam/security-credentials/role-name
aquam8 · Apr 12, 2013 · d84606e · d84606e
1 parent 1d9d293
commit d84606e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 37 deletions.
diff --git a/boto/provider.py b/boto/provider.py
@@ -279,10 +279,12 @@ def _populate_keys_from_metadata_server(self):
         # The num_retries arg is actually the total number of attempts made,
         # so the config options is named *_num_attempts to make this more
         # clear to users.
-        metadata = get_instance_metadata(timeout=timeout, num_retries=attempts)
-        # I'm assuming there's only one role on the instance profile.
-        if metadata and 'iam' in metadata:
-            security = metadata['iam']['security-credentials'].values()[0]
+        metadata = get_instance_metadata(
+            timeout=timeout, num_retries=attempts,
+            data='meta-data/iam/security-credentials')
+        if metadata:
+            # I'm assuming there's only one role on the instance profile.
+            security = metadata.values()[0]
             self._access_key = security['AccessKeyId']
             self._secret_key = self._convert_key_to_str(security['SecretAccessKey'])
             self._security_token = security['Token']

diff --git a/tests/unit/provider/test_provider.py b/tests/unit/provider/test_provider.py
@@ -8,16 +8,14 @@
 
 
 INSTANCE_CONFIG = {
-    'iam': {
-        'security-credentials': {
-            'allowall': {u'AccessKeyId': u'iam_access_key',
-                            u'Code': u'Success',
-                            u'Expiration': u'2012-09-01T03:57:34Z',
-                            u'LastUpdated': u'2012-08-31T21:43:40Z',
-                            u'SecretAccessKey': u'iam_secret_key',
-                            u'Token': u'iam_token',
-                            u'Type': u'AWS-HMAC'}
-        }
+    'allowall': {
+        u'AccessKeyId': u'iam_access_key',
+        u'Code': u'Success',
+        u'Expiration': u'2012-09-01T03:57:34Z',
+        u'LastUpdated': u'2012-08-31T21:43:40Z',
+        u'SecretAccessKey': u'iam_secret_key',
+        u'Token': u'iam_token',
+        u'Type': u'AWS-HMAC'
     }
 }
 
@@ -127,24 +125,14 @@ def test_env_vars_beat_config_values(self):
         self.assertIsNone(p.security_token)
 
     def test_metadata_server_credentials(self):
-        instance_config = {
-            'iam': {
-                'security-credentials': {
-                    'allowall': {u'AccessKeyId': u'iam_access_key',
-                                 u'Code': u'Success',
-                                 u'Expiration': u'2012-09-01T03:57:34Z',
-                                 u'LastUpdated': u'2012-08-31T21:43:40Z',
-                                 u'SecretAccessKey': u'iam_secret_key',
-                                 u'Token': u'iam_token',
-                                 u'Type': u'AWS-HMAC'}
-                }
-            }
-        }
-        self.get_instance_metadata.return_value = instance_config
+        self.get_instance_metadata.return_value = INSTANCE_CONFIG
         p = provider.Provider('aws')
         self.assertEqual(p.access_key, 'iam_access_key')
         self.assertEqual(p.secret_key, 'iam_secret_key')
         self.assertEqual(p.security_token, 'iam_token')
+        self.assertEqual(
+            self.get_instance_metadata.call_args[1]['data'],
+            'meta-data/iam/security-credentials')
 
     def test_refresh_credentials(self):
         now = datetime.now()
@@ -159,13 +147,7 @@ def test_refresh_credentials(self):
             u'Token': u'first_token',
             u'Type': u'AWS-HMAC'
         }
-        instance_config = {
-            'iam': {
-                'security-credentials': {
-                    'allowall': credentials
-                }
-            }
-        }
+        instance_config = {'allowall': credentials}
         self.get_instance_metadata.return_value = instance_config
         p = provider.Provider('aws')
         self.assertEqual(p.access_key, 'first_access_key')
@@ -196,8 +178,9 @@ def test_metadata_config_params(self, config_float, config_int):
         self.assertEqual(p.access_key, 'iam_access_key')
         self.assertEqual(p.secret_key, 'iam_secret_key')
         self.assertEqual(p.security_token, 'iam_token')
-        self.get_instance_metadata.assert_called_with(timeout=4.0,
-                                                      num_retries=10)
+        self.get_instance_metadata.assert_called_with(
+            timeout=4.0, num_retries=10,
+            data='meta-data/iam/security-credentials')
 
 
 if __name__ == '__main__':