diff --git a/minio/credentials/providers.py b/minio/credentials/providers.py index 718d245a..9576ec01 100644 --- a/minio/credentials/providers.py +++ b/minio/credentials/providers.py @@ -31,7 +31,7 @@ from datetime import timedelta from pathlib import Path from typing import Callable, cast -from urllib.parse import urlencode, urlsplit, urlunsplit +from urllib.parse import urlencode, urlsplit, urljoin from xml.etree import ElementTree as ET import certifi @@ -44,7 +44,7 @@ from urllib3.util import Retry, parse_url -from minio.helpers import sha256_hash, url_replace +from minio.helpers import sha256_hash from minio.signer import sign_v4_sts from minio.time import from_iso8601utc, to_amz_date, utcnow from minio.xml import find, findtext @@ -503,23 +503,25 @@ def retrieve(self) -> Credentials: ) token = res.data.decode("utf-8") headers = {"X-aws-ec2-metadata-token": token} if token else None - + iam_security_creds_url = urlsplit(url)._replace( + path="/latest/meta-data/iam/security-credentials/" + ) # Get role name res = _urlopen( self._http_client, "GET", - urlunsplit( - url_replace( - urlsplit(url), - path="/latest/meta-data/iam/security-credentials/", - ), - ), + iam_security_creds_url.geturl(), headers=headers, ) role_names = res.data.decode("utf-8").split("\n") if not role_names: raise ValueError(f"no IAM roles attached to EC2 service {url}") - url += "/" + role_names[0].strip("\r") + url = iam_security_creds_url._replace( + path=urljoin( + iam_security_creds_url.path, + role_names[0].strip("\r"), + ) + ).geturl() if not url: raise ValueError("url is empty; this should not happen") self._credentials = self.fetch(url, headers=headers)