test: Check AWS SDK credential provider work with MMDS

Add an integration test that checks AWS SDK for Python (boto3) is able
to get credentials via MMDS without modification.

CI artifacts (guest rootfs) update was needed to install AWS SDK for
Python.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

resources/chroot.sh

@@ -11,7 +11,7 @@ PS4='+\t '
 
 cp -ruv $rootfs/* /
 
-packages="udev systemd-sysv openssh-server iproute2 curl socat python3-minimal iperf3 iputils-ping fio kmod tmux hwloc-nox vim-tiny trace-cmd linuxptp strace"
+packages="udev systemd-sysv openssh-server iproute2 curl socat python3-minimal iperf3 iputils-ping fio kmod tmux hwloc-nox vim-tiny trace-cmd linuxptp strace python3-boto3"
 
 # msr-tools is only supported on x86-64.
 arch=$(uname -m)

resources/rebuild.sh

@@ -65,6 +65,12 @@ for d in $dirs; do tar c "/$d" | tar x -C $rootfs; done
 mkdir -pv $rootfs/{dev,proc,sys,run,tmp,var/lib/systemd}
 # So apt works
 mkdir -pv $rootfs/var/lib/dpkg/
+
+# Install AWS CLI v2
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install --install-dir $rootfs/usr/local/aws-cli --bin-dir $rootfs/usr/local/bin
+rm -rf awscliv2.zip aws
 EOF
 
     # TBD what abt /etc/hosts?

tests/integration_tests/functional/test_mmds.py

@@ -3,9 +3,11 @@
 """Tests that verify MMDS related functionality."""
 
 # pylint: disable=too-many-lines
+import json
 import random
 import string
 import time
+from datetime import datetime, timedelta, timezone
 
 import pytest
 
@@ -776,3 +778,54 @@ def test_deprecated_mmds_config(uvm_plain):
         )
         == 2
     )
+
+
+@pytest.mark.parametrize("version", MMDS_VERSIONS)
+def test_aws_credential_provider(uvm_plain, version):
+    """
+    Test AWS CLI credential provider
+    """
+    test_microvm = uvm_plain
+    test_microvm.spawn()
+    test_microvm.basic_config()
+    test_microvm.add_net_iface()
+    # V2 requires session tokens for GET requests
+    configure_mmds(test_microvm, iface_ids=["eth0"], version=version)
+    now = datetime.now(timezone.utc)
+    credentials = {
+        "Code": "Success",
+        "LastUpdated": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
+        "Type": "AWS-HMAC",
+        "AccessKeyId": "AAA",
+        "SecretAccessKey": "BBB",
+        "Token": "CCC",
+        "Expiration": (now + timedelta(seconds=60)).strftime("%Y-%m-%dT%H:%M:%SZ"),
+    }
+    data_store = {
+        "latest": {
+            "meta-data": {
+                "iam": {
+                    "security-credentials": {"role": json.dumps(credentials, indent=2)}
+                },
+                "placement": {"availability-zone": "us-east-1a"},
+            }
+        }
+    }
+    populate_data_store(test_microvm, data_store)
+    test_microvm.start()
+
+    ssh_connection = test_microvm.ssh
+
+    run_guest_cmd(ssh_connection, f"ip route add {DEFAULT_IPV4} dev eth0", "")
+
+    cmd = r"""python3 - <<EOF
+from botocore.session import get_session
+
+sess = get_session()
+cred = sess.get_credentials()
+
+print(f"{cred.access_key},{cred.secret_key},{cred.token}")
+EOF
+"""
+    _, stdout, stderr = ssh_connection.check_output(cmd)
+    assert stdout == "AAA,BBB,CCC\n", stderr

tools/setup-ci-artifacts.sh

@@ -39,7 +39,7 @@ for SQUASHFS in *.squashfs; do
     # Create rw ext4 image from ro squashfs
     [ -f $EXT4 ] && continue
     say "Converting $SQUASHFS to $EXT4"
-    truncate -s 400M $EXT4
+    truncate -s 500M $EXT4
     mkfs.ext4 -F $EXT4 -d squashfs-root
     rm -rf squashfs-root
 done