15599: Warn if multiple roles are assigned.
authorTom Clegg <tclegg@veritasgenetics.com>
Mon, 30 Sep 2019 23:22:25 +0000 (19:22 -0400)
committerTom Clegg <tclegg@veritasgenetics.com>
Mon, 30 Sep 2019 23:22:25 +0000 (19:22 -0400)
This is currently impossible on AWS. If it becomes possible in the
future, this may help with troubleshooting.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg@veritasgenetics.com>

services/keepstore/s3_volume.go

index 20bd99255a33659f8ee6f774bea5be73e140732b..65950606f3f75b8aae5fc62ca673b8a07f83c0d8 100644 (file)
@@ -5,6 +5,7 @@
 package main
 
 import (
+       "bufio"
        "bytes"
        "context"
        "crypto/sha256"
@@ -235,11 +236,15 @@ func (v *S3Volume) updateIAMCredentials() (time.Duration, error) {
                if resp.StatusCode != http.StatusOK {
                        return 0, fmt.Errorf("error getting %s: HTTP status %s", url, resp.Status)
                }
+               body := bufio.NewReader(resp.Body)
                var role string
-               _, err = fmt.Fscanf(resp.Body, "%s\n", &role)
+               _, err = fmt.Fscanf(body, "%s\n", &role)
                if err != nil {
                        return 0, fmt.Errorf("error reading response from %s: %s", url, err)
                }
+               if n, _ := body.Read(make([]byte, 64)); n > 0 {
+                       v.logger.Warnf("ignoring additional data returned by metadata endpoint %s after the single role name that we expected", url)
+               }
                v.logger.WithField("Role", role).Debug("looked up IAM role name")
                url = url + role
        }
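Review bot: The trailing-data check at `body.Read(make([]byte, 64))` counts any leftover byte as a second role, so a response that ends with a blank line or stray whitespace would presumably trigger the warning even though only one role was returned. The warning also omits both the role that was selected and the data that was ignored, which is what an operator needs when working out which credentials keepstore is actually using. I would peek instead of read, skip whitespace, and log both values quoted: `if extra, _ := body.Peek(64); len(bytes.TrimSpace(extra)) > 0 {` followed by `v.logger.Warnf("using role %q from %s, ignoring additional data %q", role, url, extra)`. `%q` keeps control characters from the endpoint out of the log line, and the discarded error deserves a short comment saying the check is best-effort. The body of updateIAMCredentials continues outside this hunk.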