
Commit 35ccc46

committed
Merge branch 'sh-aws-assume-role' into 'main'
Add diagnostics logging for S3 cache AssumeRole operations See merge request https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/6345 Merged-by: Stan Hu <stanhu@gmail.com> Approved-by: Zoe Braddock <zbraddock@gitlab.com> Approved-by: Axel von Bertoldi <avonbertoldi@gitlab.com>
2 parents 8302f4e + 3a2a328 commit 35ccc46

1 file changed

Lines changed: 18 additions & 2 deletions


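--- a/cache/s3v2/s3.go
+++ b/cache/s3v2/s3.go
@@ -174,21 +174,37 @@ func (c *s3Client) FetchCredentialsForRole(ctx context.Context, roleARN, bucketN
 duration = timeout
 }
 
+startTime := time.Now()
 roleCredentials, err := stsClient.AssumeRole(ctx, &sts.AssumeRoleInput{
 RoleArn: aws.String(roleARN),
 RoleSessionName: aws.String(sessionName),
 Policy: aws.String(sessionPolicy), // Limit the role's access
 DurationSeconds: aws.Int32(int32(duration.Seconds())),
 })
+elapsed := time.Since(startTime).Seconds()
+
 if err != nil {
-return nil, fmt.Errorf("failed to assume role: %w", err)
+logrus.WithError(err).WithFields(logrus.Fields{
+"role_arn": roleARN,
+"duration_s": elapsed,
+}).Error("Failed to assume role for cache credentials")
+return nil, fmt.Errorf("failed to assume role (took %.2fs): %w", elapsed, err)
 }
 // AssumeRole should always return credentials if successful, but
 // just in case it doesn't let's check this.
 if roleCredentials.Credentials == nil {
-return nil, fmt.Errorf("failed to retrieve credentials: %w", err)
+logrus.WithFields(logrus.Fields{
+"role_arn": roleARN,
+"duration_s": elapsed,
+}).Error("AssumeRole succeeded but returned no credentials")
+return nil, fmt.Errorf("failed to retrieve credentials (took %.2fs): %w", elapsed, err)
 }
 
+logrus.WithFields(logrus.Fields{
+"role_arn": roleARN,
+"duration_s": elapsed,
+}).Debug("Successfully assumed role for cache credentials")
+
 return map[string]string{
 "AWS_ACCESS_KEY_ID": *roleCredentials.Credentials.AccessKeyId,
 "AWS_SECRET_ACCESS_KEY": *roleCredentials.Credentials.SecretAccessKey,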
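Review bot: In the `roleCredentials.Credentials == nil` branch `err` is always nil, because the `err != nil` check above has already returned, so the `%w` in the rewritten `fmt.Errorf("failed to retrieve credentials (took %.2fs): %w", elapsed, err)` wraps nothing and renders as `%!w(<nil>)` in the message. The verb predates this commit, but since the line is being touched it could become `return nil, fmt.Errorf("failed to retrieve credentials (took %.2fs)", elapsed)`. Both failure paths now also log at Error level and return the same error, so a caller that logs the returned error will record each failure twice. The log fields are limited to the role ARN and elapsed time, which keeps the STS response out of the logs; a short comment such as `// never add roleCredentials to these fields: it carries the temporary secret key` would help keep it that way. FetchCredentialsForRole starts and ends outside this hunk, so the caller's handling is not visible here.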
