test: Check AWS SDK credential provider work with MMDS

Add a test that ensures AWS SDK for Python (boto3) work with MMDS out of
the box.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

resources/chroot.sh

@@ -11,7 +11,7 @@ PS4='+\t '
 
 cp -ruv $rootfs/* /
 
-packages="udev systemd-sysv openssh-server iproute2 curl socat python3-minimal iperf3 iputils-ping fio kmod tmux hwloc-nox vim-tiny trace-cmd linuxptp strace"
+packages="udev systemd-sysv openssh-server iproute2 curl socat python3-minimal iperf3 iputils-ping fio kmod tmux hwloc-nox vim-tiny trace-cmd linuxptp strace python3-boto3"
 
 # msr-tools is only supported on x86-64.
 arch=$(uname -m)

resources/rebuild.sh

@@ -65,6 +65,12 @@ for d in $dirs; do tar c "/$d" | tar x -C $rootfs; done
 mkdir -pv $rootfs/{dev,proc,sys,run,tmp,var/lib/systemd}
 # So apt works
 mkdir -pv $rootfs/var/lib/dpkg/
+
+# Install AWS CLI v2
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install --install-dir $rootfs/usr/local/aws-cli --bin-dir $rootfs/usr/local/bin
+rm -rf awscliv2.zip aws
 EOF
 
     # TBD what abt /etc/hosts?

tests/integration_tests/functional/test_mmds.py

@@ -3,9 +3,11 @@
 """Tests that verify MMDS related functionality."""
 
 # pylint: disable=too-many-lines
+import json
 import random
 import string
 import time
+from datetime import datetime, timedelta, timezone
 
 import pytest
 
@@ -748,3 +750,53 @@ def test_deprecated_mmds_config(uvm_plain):
         )
         == 2
     )
+
+
+def test_aws_credential_provider(uvm_plain):
+    """
+    Test AWS CLI credential provider
+    """
+    test_microvm = uvm_plain
+    test_microvm.spawn()
+    test_microvm.basic_config()
+    test_microvm.add_net_iface()
+    # V2 requires session tokens for GET requests
+    configure_mmds(test_microvm, iface_ids=["eth0"], version="V2")
+    now = datetime.now(timezone.utc)
+    credentials = {
+        "Code": "Success",
+        "LastUpdated": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
+        "Type": "AWS-HMAC",
+        "AccessKeyId": "AAA",
+        "SecretAccessKey": "BBB",
+        "Token": "CCC",
+        "Expiration": (now + timedelta(seconds=60)).strftime("%Y-%m-%dT%H:%M:%SZ"),
+    }
+    data_store = {
+        "latest": {
+            "meta-data": {
+                "iam": {
+                    "security-credentials": {"role": json.dumps(credentials, indent=2)}
+                },
+                "placement": {"availability-zone": "us-east-1a"},
+            }
+        }
+    }
+    populate_data_store(test_microvm, data_store)
+    test_microvm.start()
+
+    ssh_connection = test_microvm.ssh
+
+    run_guest_cmd(ssh_connection, f"ip route add {DEFAULT_IPV4} dev eth0", "")
+
+    cmd = r"""python3 - <<EOF
+from botocore.session import get_session
+
+sess = get_session()
+cred = sess.get_credentials()
+
+print(f"{cred.access_key},{cred.secret_key},{cred.token}")
+EOF
+"""
+    _, stdout, stderr = ssh_connection.check_output(cmd)
+    assert stdout == "AAA,BBB,CCC\n", stderr

tools/setup-ci-artifacts.sh

@@ -39,7 +39,7 @@ for SQUASHFS in *.squashfs; do
     # Create rw ext4 image from ro squashfs
     [ -f $EXT4 ] && continue
     say "Converting $SQUASHFS to $EXT4"
-    truncate -s 400M $EXT4
+    truncate -s 500M $EXT4
     mkfs.ext4 -F $EXT4 -d squashfs-root
     rm -rf squashfs-root
 done