test: Check AWS CLI's credential provider work with MMDS

The test ensures workloads that work with EC2 IMDS also work with
Firecracker MMDS out of the box.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

resources/chroot.sh

@@ -11,7 +11,7 @@ PS4='+\t '
 
 cp -ruv $rootfs/* /
 
-packages="udev systemd-sysv openssh-server iproute2 curl socat python3-minimal iperf3 iputils-ping fio kmod tmux hwloc-nox vim-tiny trace-cmd linuxptp strace"
+packages="udev systemd-sysv openssh-server iproute2 curl socat python3-minimal iperf3 iputils-ping fio kmod tmux hwloc-nox vim-tiny trace-cmd linuxptp strace unzip"
 
 # msr-tools is only supported on x86-64.
 arch=$(uname -m)

resources/rebuild.sh

@@ -54,6 +54,7 @@ function build_rootfs {
     #   sudo tar xaf ubuntu-22.04-minimal-cloudimg-amd64-root.tar.xz -C $rootfs
     #   sudo systemd-nspawn --resolv-conf=bind-uplink -D $rootfs
     docker run --env rootfs=$rootfs --privileged --rm -i -v "$PWD:/work" -w /work "$FROM_CTR" bash -s <<'EOF'
+set -x
 
 ./chroot.sh
 
@@ -65,6 +66,12 @@ for d in $dirs; do tar c "/$d" | tar x -C $rootfs; done
 mkdir -pv $rootfs/{dev,proc,sys,run,tmp,var/lib/systemd}
 # So apt works
 mkdir -pv $rootfs/var/lib/dpkg/
+
+# Install AWS CLI v2
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+rm -rf awscliv2.zip aws
 EOF
 
     # TBD what abt /etc/hosts?

tests/integration_tests/functional/test_mmds.py

@@ -6,6 +6,8 @@
 import random
 import string
 import time
+import json
+from datetime import datetime, timedelta, timezone
 
 import pytest
 
@@ -748,3 +750,53 @@ def test_deprecated_mmds_config(uvm_plain):
         )
         == 2
     )
+
+
+def test_aws_credential_provider(uvm_plain):
+    """
+    Test AWS CLI credential provider
+    """
+    test_microvm = uvm_plain
+    test_microvm.spawn()
+    test_microvm.basic_config()
+    test_microvm.add_net_iface()
+    # V2 requires session tokens for GET requests
+    configure_mmds(test_microvm, iface_ids=["eth0"], version="V2")
+    now = datetime.now(timezone.utc)
+    credentials = {
+        "Code": "Success",
+        "LastUpdated": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
+        "Type": "AWS-HMAC",
+        "AccessKeyId": "ACCESS_KEY_ID",
+        "SecretAccessKey": "SECRET_ACCESS_KEY",
+        "Token": "TOKEN",
+        "Expiration": (now + timedelta(seconds=60)).strftime("%Y-%m-%dT%H:%M:%SZ")
+    }
+    data_store = {
+        "latest": {
+            "meta-data": {
+                "iam": {
+                    "security-credentials": {
+                        "role": json.dumps(credentials, indent=2)
+                    }
+                },
+                "placement": {
+                    "availability-zone": "us-east-1a"
+                }
+            }
+        }
+    }
+    populate_data_store(test_microvm, data_store)
+    test_microvm.start()
+
+    _, stdout, stderr = test_microvm.ssh.check_output("aws configure list --debug")
+    assert stdout == (
+"""
+      Name                    Value             Type    Location
+      ----                    -----             ----    --------
+   profile                <not set>             None    None
+access_key     ****************Y_ID         iam-role
+secret_key     ****************_KEY         iam-role
+    region                us-east-1             imds
+""".strip()
+    ), stderr