Minor fixes for assume_role (#643)

* Increase duration testset drift to 5 seconds

* More reliable way of determining current user

* Enable MinIO tests only when supported

* Set project version to 1.89.1

Author: omus

Diff for: .github/workflows/CI.yml

@@ -33,10 +33,6 @@ jobs:
           - os: ubuntu-latest
             version: "1.6"
             arch: x64
-    env:
-      MINIO_ACCESS_KEY: minio
-      MINIO_SECRET_KEY: minio123
-      MINIO_REGION_NAME: aregion
     steps:
       - uses: actions/checkout@v2
       - name: Assume AWS role
@@ -45,6 +41,12 @@ jobs:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/AWS.jl
           aws-region: us-east-1
       - name: MinIO server setup
+        if: runner.os != 'Windows'
+        env:
+          MINIO_ACCESS_KEY: minio
+          MINIO_SECRET_KEY: minio123
+          MINIO_REGION_NAME: aregion
+        shell: bash
         run: |
           case "$RUNNER_OS" in
             Linux)
@@ -58,10 +60,11 @@ jobs:
               exit 1
               ;;
           esac
-          curl -LO "https://dl.minio.io/server/minio/release/${host_os}/minio"
+          curl -sSLO "https://dl.minio.io/server/minio/release/${host_os}/minio"
           mkdir data
           chmod +x ./minio
           ./minio server --compat --quiet data 2>&1 > minio.log &
+          env | grep ^MINIO_ | tee -a "$GITHUB_ENV"
       - uses: julia-actions/setup-julia@v1
         with:
           version: ${{ matrix.version }}

Diff for: Project.toml

@@ -1,7 +1,7 @@
 name = "AWS"
 uuid = "fbe9abb3-538b-5e4e-ba9e-bc94f4f92ebc"
 license = "MIT"
-version = "1.89.0"
+version = "1.89.1"
 
 [deps]
 Base64 = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f"

Diff for: src/utilities/role.jl

@@ -81,7 +81,7 @@ function assume_role_creds(
     else
         params["RoleSessionName"] = _role_session_name(
             "AWS.jl-",
-            ENV["USER"],
+            _whoami(),
             "-" * Dates.format(now(UTC), dateformat"yyyymmdd\THHMMSS\Z"),
         )
     end
@@ -128,3 +128,15 @@ function assume_role_creds(
         renew,
     )
 end
+
+"""
+    _whoami() -> AbstractString
+
+The identity of the current user (i.e. effective user name). May differ from the
+logged in user if the current user has been assumed, perhaps by means of `su`.
+
+Note that the environmental variables `USER` or `USERNAME` are
+[not Bash built-in variables](https://tldp.org/LDP/abs/html/internalvariables.html#AMIROOT)
+and by default are not present in containers.
+"""
+_whoami() = readchomp(`id -un`)  # The `whoami` utility is marked as obsolete

Diff for: test/role.jl

@@ -16,6 +16,12 @@ end
 
 get_assumed_role(creds::AWSCredentials) = get_assumed_role(AWSConfig(; creds))
 
+@testset "_whoami" begin
+    user = AWS._whoami()
+    @test user isa AbstractString
+    @test !isempty(user)
+end
+
 @testset "assume_role / assume_role_creds" begin
     # In order to mitigate the effects of using `assume_role` in order to test itself we'll
     # use the lowest-level call with as many defaults as possible.
@@ -54,21 +60,23 @@ get_assumed_role(creds::AWSCredentials) = get_assumed_role(AWSConfig(; creds))
     end
 
     @testset "duration" begin
-        drift = Second(1)
+        # Have seen up to 3 seconds of drift on CI jobs
+        drift = Second(5)
 
         creds = assume_role_creds(config, role_a; duration=nothing)
         t = floor(now(UTC), Second)
         @test t <= creds.expiry <= t + Second(3600) + drift
 
-        creds = assume_role_creds(config, role_a; duration=900)
+        duration = 900  # Minimum allowed duration
+        creds = assume_role_creds(config, role_a; duration)
         t = floor(now(UTC), Second)
-        @test t <= creds.expiry <= t + Second(900) + drift
+        @test t <= creds.expiry <= t + Second(duration) + drift
     end
 
     @testset "session_name" begin
-        session_prefix = "AWS.jl-" * ENV["USER"]
+        session_prefix = "AWS.jl-"
         creds = assume_role_creds(config, role_a; session_name=nothing)
-        regex = r":assumed-role/" * (role_a * '/' * session_prefix) * r"-\d{8}T\d{6}Z$"
+        regex = r":assumed-role/" * (role_a * '/' * session_prefix) * r".*-\d{8}T\d{6}Z$"
         @test contains(creds.user_arn, regex)
         @test get_assumed_role(creds) == role_a