From fdd56a5f193c4d8c561059c74d3aa4e850a483d1 Mon Sep 17 00:00:00 2001
From: Tom Clegg <tclegg@veritasgenetics.com>
Date: Mon, 30 Sep 2019 19:22:25 -0400
Subject: [PATCH] 15599: Warn if multiple roles are assigned.

This is currently impossible on AWS. If it becomes possible in the
future, this may help with troubleshooting.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg@veritasgenetics.com>
---
 services/keepstore/s3_volume.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/services/keepstore/s3_volume.go b/services/keepstore/s3_volume.go
index 20bd99255a..65950606f3 100644
--- a/services/keepstore/s3_volume.go
+++ b/services/keepstore/s3_volume.go
@@ -5,6 +5,7 @@
 package main
 
 import (
+	"bufio"
 	"bytes"
 	"context"
 	"crypto/sha256"
@@ -235,11 +236,15 @@ func (v *S3Volume) updateIAMCredentials() (time.Duration, error) {
 		if resp.StatusCode != http.StatusOK {
 			return 0, fmt.Errorf("error getting %s: HTTP status %s", url, resp.Status)
 		}
+		body := bufio.NewReader(resp.Body)
 		var role string
-		_, err = fmt.Fscanf(resp.Body, "%s\n", &role)
+		_, err = fmt.Fscanf(body, "%s\n", &role)
 		if err != nil {
 			return 0, fmt.Errorf("error reading response from %s: %s", url, err)
 		}
+		if n, _ := body.Read(make([]byte, 64)); n > 0 {
+			v.logger.Warnf("ignoring additional data returned by metadata endpoint %s after the single role name that we expected", url)
+		}
 		v.logger.WithField("Role", role).Debug("looked up IAM role name")
 		url = url + role
 	}
-- 
2.30.2