Rearrange security_token sources as AWS_SECURITY_TOKEN is deprecated (breaking change) #221
Conversation
| - name: AWS_SECURITY_TOKEN | ||
| - name: AWS_SESSION_TOKEN |
There was a problem hiding this comment.
Add a note in the description that this value is deprecated.
ansibullbot
added
bug
|
@tremble Agree the change looks sensible. We don't have unit test coverage for Thanks for this patch @nillovna! |
|
@jillr We might not have unit tests but we do have an integration test which tests the combination of get_aws_connection_info and connect_to_aws : https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/module_utils_ec2/roles/connect_to_aws/tasks/credentials.yml what we don't test right now is the relative priority of EC2_SESSION_TOKEN and EC2_SECURITY_TOKEN |
|
@nillovna Do you think you could tweak https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/module_utils_ec2/roles/connect_to_aws/tasks/credentials.yml to add a test that AWS_SESSION_TOKEN takes priority over AWS_SECURITY_TOKEN ? |
tremble
changed the title
|
Digging into this a little further: It looks like our current behaviour mimics the botocore behaviour (wrt ordering) |
ansibullbot
added
integration
|
The next collection release of amazon.aws will be 2.0 (late May ETA), which can contain breaking changes. Comments and test failures will need to be addressed for this to be able to merge. |
|
@jillr Should we put this in the Jira backlog? |
|
@jillr, I'm inclined to close this PR. While the change would make a deprecated env var lower priority, this would go against the order botocore evaluates, and I think we're better sticking to boto3's priorities. |
|
@tremble I'm ok with that. It doesn't appear to be causing any notable problems for users and avoiding breaking changes is usually desirable. It was good to have folks that a look at this and now we know about the deprecation, thanks for raising awareness about this @nillovna! If boto3 changes the processing order and we need to revisit this we can revive the PR. |
…ollections#237) Files transferred to instances via the SSM connection plugin should use folders within the bucket that are namespaced per-host, to prevent collisions. Files should also be deleted from buckets when they are no longer required. Fixes: ansible-collections#221 Fixes: ansible-collections#222 Based on work by abeluck changelog
SUMMARY
Rearranges security_token sources as AWS_SECURITY_TOKEN is deprecated.
As mentioned in boto documentation (and a bunch of other SDKs)
AWS_SECURITY_TOKENenvironment variable can be considered deprecated, it is only supported for backward-compatibility purposes. OnlyAWS_SESSION_TOKENis mentioned as a session token environment variable in AWS documentation.So it is more logical to check
AWS_SESSION_TOKENbeforeAWS_SECURITY_TOKEN. EmptyAWS_SECURITY_TOKENcould cause errors even ifAWS_SESSION_TOKENis defined.Some tools already removed
AWS_SECURITY_TOKENsupport. For example, there is an issue with saml2aws.ISSUE TYPE
COMPONENT NAME
plugins.module_utils.ec2
ADDITIONAL INFORMATION
The problem is fully described in Versent/saml2aws#586. The issue is caused by an empty
AWS_SECURITY_TOKEN. DespiteAWS_SESSION_TOKENis defined, ansible uses deprecatedAWS_SECURITY_TOKENin the first place.