chore(backport release-0.8): refactor(controller): minor cleanup of a…

…ws managed identity credential helper (#2319) Co-authored-by: Kent Rancourt <[email protected]>
akuity · Jul 19, 2024 · 63933a1 · 63933a1
1 parent ab2374a
commit 63933a1
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/...rnetes/ecr/managed_identity_credential.go → ...ntials/kubernetes/ecr/managed_identity.go b/...rnetes/ecr/managed_identity_credential.go → ...ntials/kubernetes/ecr/managed_identity.go
@@ -175,13 +175,21 @@ func (p *managedIdentityCredentialHelper) getAuthToken(
 			return "", err
 		}
 		logger.Debug(
-			"controller IAM role is not authorized to assume project-specific role. falling back to default config",
+			"Controller IAM role is not authorized to assume project-specific role " +
+				"or project-specific role is not authorized to obtain an ECR auth token. " +
+				"Falling back to using controller's IAM role directly.",
 		)
 		ecrSvc = ecr.NewFromConfig(cfg)
 		output, err = ecrSvc.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
 		if err != nil {
-			logger.Error(err, "error getting ECR authorization token")
-			return "", err
+			if !errors.As(err, &re) || re.HTTPStatusCode() != http.StatusForbidden {
+				return "", err
+			}
+			logger.Debug(
+				"Controller's IAM role is not authorized to obtain an ECR auth token. " +
+					"Treating this as no credentials found.",
+			)
+			return "", nil
 		}
 	}
 	logger.Debug("got ECR authorization token")

diff --git a/...s/ecr/managed_identity_credential_test.go → ...s/kubernetes/ecr/managed_identity_test.go b/...s/ecr/managed_identity_credential_test.go → ...s/kubernetes/ecr/managed_identity_test.go