From 63933a128f5c002d01f15f8fe5e5130e4a5208ea Mon Sep 17 00:00:00 2001
From: akuitybot <105087302+akuitybot@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:53:01 -0700
Subject: [PATCH] chore(backport release-0.8): refactor(controller): minor cleanup of aws managed identity credential helper (#2319)

Co-authored-by: Kent Rancourt
---
 ..._identity_credential.go => managed_identity.go} | 14 +++++++++++---
 ...credential_test.go => managed_identity_test.go} | 0
 2 files changed, 11 insertions(+), 3 deletions(-)
 rename internal/credentials/kubernetes/ecr/{managed_identity_credential.go => managed_identity.go} (91%)
 rename internal/credentials/kubernetes/ecr/{managed_identity_credential_test.go => managed_identity_test.go} (100%)

diff --git a/internal/credentials/kubernetes/ecr/managed_identity_credential.go b/internal/credentials/kubernetes/ecr/managed_identity.go
similarity index 91%
rename from internal/credentials/kubernetes/ecr/managed_identity_credential.go
rename to internal/credentials/kubernetes/ecr/managed_identity.go
index c5cda314c..3a5608c52 100644
--- a/internal/credentials/kubernetes/ecr/managed_identity_credential.go
+++ b/internal/credentials/kubernetes/ecr/managed_identity.go
@@ -175,13 +175,21 @@ func (p *managedIdentityCredentialHelper) getAuthToken(
 return "", err
 }
 logger.Debug(
- "controller IAM role is not authorized to assume project-specific role. falling back to default config",
+ "Controller IAM role is not authorized to assume project-specific role " +
+ "or project-specific role is not authorized to obtain an ECR auth token. " +
+ "Falling back to using controller's IAM role directly.",
 )
 ecrSvc = ecr.NewFromConfig(cfg)
 output, err = ecrSvc.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
 if err != nil {
- logger.Error(err, "error getting ECR authorization token")
- return "", err
+ if !errors.As(err, &re) || re.HTTPStatusCode() != http.StatusForbidden {
+ return "", err
+ }
+ logger.Debug(
+ "Controller's IAM role is not authorized to obtain an ECR auth token. " +
+ "Treating this as no credentials found.",
+ )
+ return "", nil
 }
 }
 logger.Debug("got ECR authorization token")
diff --git a/internal/credentials/kubernetes/ecr/managed_identity_credential_test.go b/internal/credentials/kubernetes/ecr/managed_identity_test.go
similarity index 100%
rename from internal/credentials/kubernetes/ecr/managed_identity_credential_test.go
rename to internal/credentials/kubernetes/ecr/managed_identity_test.go
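Review bot: The new 403 branch after the fallback `GetAuthorizationToken` call returns `"", nil` and drops `err` entirely, so a controller role that lacks the ECR permission shows up only at debug level and without the AWS error text. Matching on `http.StatusForbidden` alone is also coarse: if AWS answers 403 for rejected or invalid credentials as well as for a missing permission (worth confirming for ECR), broken controller credentials would be reported as "no credentials found". I would keep the error in the log, e.g. `logger.Debug("... Treating this as no credentials found.", "error", err)` if this logger accepts key/value pairs, and consider a level that is visible by default. The rest of `getAuthToken` and the declaration of `re` lie outside the hunk, so how callers treat the empty token cannot be checked from here.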