From af89310e50076f2d50b287ab271713f3967e8bb1 Mon Sep 17 00:00:00 2001
From: menuetb
Date: Thu, 27 Apr 2023 10:52:31 +0200
Subject: [PATCH 1/5] Add support for STS Regional Endpoint (#118)
---
 .../iam/internals/MSKCredentialProvider.java | 28 +++++++++++++++++--
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
index 87fad13..5133314 100644
--- a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
+++ b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
@@ -28,6 +28,8 @@ import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
 import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
 import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
+import com.amazonaws.client.builder.AwsClientBuilder;
+import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
 import com.amazonaws.retry.PredefinedBackoffStrategies;
 import com.amazonaws.retry.v2.AndRetryCondition;
 import com.amazonaws.retry.v2.MaxNumberOfRetriesCondition;
@@ -267,6 +269,22 @@ public int getMaxBackOffTimeMs() {
 .orElse(DEFAULT_MAX_BACK_OFF_TIME_MS);
 }
+ public EndpointConfiguration buildEndpointConfiguration(String stsRegion){
+ //An AWSSecurityTokenService with a regional endpoint configuration
+ EndpointConfiguration endpointConfiguration =
+ new AwsClientBuilder.EndpointConfiguration(
+ String.format("sts.%s.amazonaws.com", stsRegion),
+ stsRegion);
+ //An AWSSecurityTokenService with a global endpoint configuration
+ if (stsRegion.equals("aws-global")) {
+ endpointConfiguration =
+ new EndpointConfiguration(
+ "sts.amazonaws.com",
+ stsRegion);
+ }
+ return endpointConfiguration;
+ }
+
 private Optional getProfileProvider() {
 return Optional.ofNullable(optionsMap.get(AWS_PROFILE_NAME_KEY)).map(p -> {
 if (log.isDebugEnabled()) {
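Review bot: The second constructor argument of `EndpointConfiguration` is the SigV4 signing region, and the new `buildEndpointConfiguration` passes the raw `stsRegion` string through even on the `aws-global` branch, so requests to `sts.amazonaws.com` would be signed with region `aws-global` rather than the `us-east-1` scope the SDK derives for that endpoint when `withRegion` is used — that is my reading of the SDK and is worth confirming against a real STS call, since the tests in this series only stub the factory methods. The same pass-through survives the rewrite in the later "use API to get ServiceEndpoint" hunk at -269. `stsRegion.equals("aws-global")` also throws on a null region; `"aws-global".equals(stsRegion)` is the null-safe form. Since only the three factory methods in this class use the helper, package-private (and `static`, as it reads no instance state) would keep it off the provider's public surface, and a short Javadoc stating the regional/global mapping would help.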
@@ -311,8 +329,9 @@ else if (externalId != null) {
 STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String roleArn, String sessionName, String stsRegion) {
+ EndpointConfiguration endpointConfiguration = buildEndpointConfiguration(stsRegion);
 AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
- .withRegion(stsRegion)
+ .withEndpointConfiguration(endpointConfiguration)
 .build();
 return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
 .withStsClient(stsClient)
@@ -322,8 +341,9 @@ STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String r
 STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String roleArn, String sessionName, String stsRegion, AWSCredentialsProvider credentials) {
+ EndpointConfiguration endpointConfiguration = buildEndpointConfiguration(stsRegion);
 AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
- .withRegion(stsRegion)
+ .withEndpointConfiguration(endpointConfiguration)
 .withCredentials(credentials)
 .build();
@@ -336,8 +356,10 @@ STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String r
 String externalId, String sessionName, String stsRegion) {
+
+ EndpointConfiguration endpointConfiguration = buildEndpointConfiguration(stsRegion);
 AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
- .withRegion(stsRegion)
+ .withEndpointConfiguration(endpointConfiguration)
 .build();
 return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
From 2052b624535fee9518cd8da0380e7e24760e0670 Mon Sep 17 00:00:00 2001
From: menuetb <83284881+menuetb@users.noreply.github.com>
Date: Thu, 27 Apr 2023 12:25:28 +0200
Subject: [PATCH 2/5] Update MSKCredentialProvider.java
Remove unecessary import
---
 .../amazon/msk/auth/iam/internals/MSKCredentialProvider.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
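Review bot: The three assume-role factories now resolve the STS endpoint through `buildEndpointConfiguration`, but `getStsClientForDebuggingCreds` (visible as context in the later formatting hunks) still builds its client with `.withRegion(stsRegion)`, so the debug `GetCallerIdentity` client and the assume-role clients can land on different endpoints for the same configured region; either route it through the same helper or document why the two differ. The same two-line prologue is repeated in this hunk and in the ones at -322 and -336; a private helper returning a pre-configured `AWSSecurityTokenServiceClientBuilder` for `stsRegion` would remove the duplication. The hunk at -336 also adds a stray blank line before the new statement.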
diff --git a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
index 5133314..b709470 100644
--- a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
+++ b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
@@ -28,7 +28,6 @@ import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
 import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
 import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
-import com.amazonaws.client.builder.AwsClientBuilder;
 import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
 import com.amazonaws.retry.PredefinedBackoffStrategies;
 import com.amazonaws.retry.v2.AndRetryCondition;
@@ -272,7 +271,7 @@ public int getMaxBackOffTimeMs() {
 public EndpointConfiguration buildEndpointConfiguration(String stsRegion){
 //An AWSSecurityTokenService with a regional endpoint configuration
 EndpointConfiguration endpointConfiguration =
- new AwsClientBuilder.EndpointConfiguration(
+ new EndpointConfiguration(
 String.format("sts.%s.amazonaws.com", stsRegion),
 stsRegion);
 //An AWSSecurityTokenService with a global endpoint configuration
From 918731981ff55fe09a32f285549b603f5d28fa81 Mon Sep 17 00:00:00 2001
From: menuetb
Date: Thu, 27 Apr 2023 17:59:07 +0200
Subject: [PATCH 3/5] add tests & remove unnesseray import
---
 .../iam/internals/MSKCredentialProviderTest.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/test/java/software/amazon/msk/auth/iam/internals/MSKCredentialProviderTest.java b/src/test/java/software/amazon/msk/auth/iam/internals/MSKCredentialProviderTest.java
index ddecffc..412dc0a 100644
--- a/src/test/java/software/amazon/msk/auth/iam/internals/MSKCredentialProviderTest.java
+++ b/src/test/java/software/amazon/msk/auth/iam/internals/MSKCredentialProviderTest.java
@@ -23,6 +23,8 @@ import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
+
+import com.amazonaws.client.builder.AwsClientBuilder;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
@@ -312,6 +314,9 @@ STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String r
 assertEquals(TEST_ROLE_ARN, roleArn);
 assertEquals(TEST_ROLE_SESSION_NAME, sessionName);
 assertEquals("eu-west-1", stsRegion);
+ AwsClientBuilder.EndpointConfiguration endpointConfiguration = buildEndpointConfiguration(stsRegion);
+ assertEquals("sts.eu-west-1.amazonaws.com", endpointConfiguration.getServiceEndpoint());
+
 return mockStsRoleProvider;
 }
 };
@@ -347,6 +352,9 @@ STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String r
 assertEquals(TEST_ROLE_EXTERNAL_ID, externalId);
 assertEquals(TEST_ROLE_SESSION_NAME, sessionName);
 assertEquals("eu-west-1", stsRegion);
+ AwsClientBuilder.EndpointConfiguration endpointConfiguration = buildEndpointConfiguration(stsRegion);
+ assertEquals("sts.eu-west-1.amazonaws.com", endpointConfiguration.getServiceEndpoint());
+
 return mockStsRoleProvider;
 }
 };
@@ -381,6 +389,8 @@ STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String r
 String sessionName, String stsRegion) {
 assertEquals(TEST_ROLE_ARN, roleArn);
 assertEquals("aws-msk-iam-auth", sessionName);
+ AwsClientBuilder.EndpointConfiguration endpointConfiguration = buildEndpointConfiguration(stsRegion);
+ assertEquals("sts.amazonaws.com", endpointConfiguration.getServiceEndpoint());
 return mockStsRoleProvider;
 }
 };
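Review bot: The new assertions call `buildEndpointConfiguration(stsRegion)` from inside the test's own override of `createSTSRoleCredentialProvider`, so they re-check the helper's output rather than verify that the production factory passes it to `withEndpointConfiguration` — the override replaces exactly the code the change touched. A direct test of `buildEndpointConfiguration` for `eu-west-1`, `aws-global` and an unrecognised region string, asserting both `getServiceEndpoint()` and `getSigningRegion()`, would pin the contract in one place instead of repeating the same two lines across this hunk, -347, -381 and the -537/-550 hunks on the next line. The copies at -312 and -347 also add a trailing blank line before `return`.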
@@ -537,6 +547,8 @@ STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String r
 String sessionName, String stsRegion) {
 assertEquals(TEST_ROLE_ARN, roleArn);
 assertEquals(s, sessionName);
+ AwsClientBuilder.EndpointConfiguration endpointConfiguration = buildEndpointConfiguration(stsRegion);
+ assertEquals("sts.amazonaws.com", endpointConfiguration.getServiceEndpoint());
 return mockStsRoleProvider;
 }
 };
@@ -550,6 +562,8 @@ STSAssumeRoleSessionCredentialsProvider createSTSRoleCredentialProvider(String r
 AWSCredentialsProvider credentials) {
 assertEquals(TEST_ROLE_ARN, roleArn);
 assertEquals(s, sessionName);
+ AwsClientBuilder.EndpointConfiguration endpointConfiguration = buildEndpointConfiguration(stsRegion);
+ assertEquals("sts.amazonaws.com", endpointConfiguration.getServiceEndpoint());
 return mockStsRoleProvider;
 }
 };
From 4fc6c176a066ea7d71f536822404c64b3da7ea93 Mon Sep 17 00:00:00 2001
From: menuetb <83284881+menuetb@users.noreply.github.com>
Date: Mon, 3 Jul 2023 16:49:05 +0200
Subject: [PATCH 4/5] use API to get ServiceEndpoint
---
 .../iam/internals/MSKCredentialProvider.java | 49 +++++++++----------
 1 file changed, 23 insertions(+), 26 deletions(-)
diff --git a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
index b709470..3fbd4bb 100644
--- a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
+++ b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
@@ -29,6 +29,8 @@ import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
 import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
 import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
+import com.amazonaws.regions.Region;
+import com.amazonaws.regions.RegionUtils;
 import com.amazonaws.retry.PredefinedBackoffStrategies;
 import com.amazonaws.retry.v2.AndRetryCondition;
 import com.amazonaws.retry.v2.MaxNumberOfRetriesCondition;
@@ -106,10 +108,10 @@ public MSKCredentialProvider(Map options) {
 }
 MSKCredentialProvider(List providers,
- Boolean shouldDebugCreds,
- String stsRegion,
- int maxRetries,
- int maxBackOffTimeMs) {
+ Boolean shouldDebugCreds,
+ String stsRegion,
+ int maxRetries,
+ int maxBackOffTimeMs) {
 List delegateList = new ArrayList<>(providers);
 delegateList.add(getDefaultProvider());
 compositeDelegate = new AWSCredentialsProviderChain(delegateList);
@@ -200,19 +202,19 @@ private void logCallerIdentity(AWSCredentials credentials) {
 AWSSecurityTokenService getStsClientForDebuggingCreds(AWSCredentials credentials) {
 return AWSSecurityTokenServiceClientBuilder.standard()
- .withRegion(stsRegion)
- .withCredentials(new AWSCredentialsProvider() {
- @Override
- public AWSCredentials getCredentials() {
- return credentials;
- }
-
- @Override
- public void refresh() {
-
- }
- })
- .build();
+ .withRegion(stsRegion)
+ .withCredentials(new AWSCredentialsProvider() {
+ @Override
+ public AWSCredentials getCredentials() {
+ return credentials;
+ }
+
+ @Override
+ public void refresh() {
+
+ }
+ })
+ .build();
 }
 @Override
@@ -269,18 +271,13 @@ public int getMaxBackOffTimeMs() {
 }
 public EndpointConfiguration buildEndpointConfiguration(String stsRegion){
- //An AWSSecurityTokenService with a regional endpoint configuration
+ Region region = RegionUtils.getRegion(stsRegion);
+ String serviceEndpoint = region.getServiceEndpoint("sts");
 EndpointConfiguration endpointConfiguration =
 new EndpointConfiguration(
- String.format("sts.%s.amazonaws.com", stsRegion),
+ String.format(serviceEndpoint, stsRegion),
 stsRegion);
- //An AWSSecurityTokenService with a global endpoint configuration
- if (stsRegion.equals("aws-global")) {
- endpointConfiguration =
- new EndpointConfiguration(
- "sts.amazonaws.com",
- stsRegion);
- }
+
 return endpointConfiguration;
 }
From a3578861799407de1e06e76964d377141d9b0133 Mon Sep 17 00:00:00 2001
From: menuetb <83284881+menuetb@users.noreply.github.com>
Date: Tue, 4 Jul 2023 14:31:48 +0200
Subject: [PATCH 5/5] Remove formatting
---
 .../iam/internals/MSKCredentialProvider.java | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
index 3fbd4bb..b69f3a7 100644
--- a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
+++ b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
@@ -108,10 +108,10 @@ public MSKCredentialProvider(Map options) {
 }
 MSKCredentialProvider(List providers,
- Boolean shouldDebugCreds,
- String stsRegion,
- int maxRetries,
- int maxBackOffTimeMs) {
+ Boolean shouldDebugCreds,
+ String stsRegion,
+ int maxRetries,
+ int maxBackOffTimeMs) {
 List delegateList = new ArrayList<>(providers);
 delegateList.add(getDefaultProvider());
 compositeDelegate = new AWSCredentialsProviderChain(delegateList);
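Review bot: `String.format(serviceEndpoint, stsRegion)` treats the host name returned by `region.getServiceEndpoint("sts")` as a format string; it carries no `%s` placeholder, so the second argument is silently ignored, and any `%` in a future endpoint value would throw `UnknownFormatConversionException`. `RegionUtils.getRegion` returns null for a region name it does not know, so a mistyped region value now fails with a bare NullPointerException on `region.getServiceEndpoint` instead of a message naming the offending value. Dropping the explicit `aws-global` branch also makes the global case depend on the SDK's endpoint metadata resolving `aws-global` for sts; the tests added earlier in the series expect `sts.amazonaws.com` there, so presumably it does, but that is worth confirming. The rewritten method is below.
```java
public EndpointConfiguration buildEndpointConfiguration(String stsRegion) {
    Region region = RegionUtils.getRegion(stsRegion);
    if (region == null) {
        // Fail fast with the offending value instead of a bare NPE from region.getServiceEndpoint(...)
        throw new IllegalArgumentException("Unknown AWS region for the STS endpoint: " + stsRegion);
    }
    // The SDK metadata already yields a complete host name, so no formatting is needed
    return new EndpointConfiguration(region.getServiceEndpoint("sts"), stsRegion);
}
```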
@@ -202,19 +202,19 @@ private void logCallerIdentity(AWSCredentials credentials) {
 AWSSecurityTokenService getStsClientForDebuggingCreds(AWSCredentials credentials) {
 return AWSSecurityTokenServiceClientBuilder.standard()
- .withRegion(stsRegion)
- .withCredentials(new AWSCredentialsProvider() {
- @Override
- public AWSCredentials getCredentials() {
- return credentials;
- }
+ .withRegion(stsRegion)
+ .withCredentials(new AWSCredentialsProvider() {
+ @Override
+ public AWSCredentials getCredentials() {
+ return credentials;
+ }
- @Override
- public void refresh() {
+ @Override
+ public void refresh() {
- }
- })
- .build();
+ }
+ })
+ .build();
 }
 @Override