
fix: making aws request signer get a new session token each time security credentials are requested. (#1765)
aeitzman authored Mar 5, 2024
1 parent 40c847f commit 6a6e496
Showing 2 changed files with 6 additions and 7 deletions.
12 changes: 5 additions & 7 deletions src/auth/awsclient.ts
Expand Up @@ -155,7 +155,7 @@ export class AwsClient extends BaseExternalAccountClient {
// The credential config contains all the URLs by default but clients may be running this
// where the metadata server is not available and returning the credentials through the environment.
// Removing this check may break them.
if (this.shouldUseMetadataServer() && this.imdsV2SessionTokenUrl) {
if (!this.regionFromEnv && this.imdsV2SessionTokenUrl) {
metadataHeaders['x-aws-ec2-metadata-token'] =
await this.getImdsV2SessionToken();
}
Expand All @@ -167,6 +167,10 @@ export class AwsClient extends BaseExternalAccountClient {
if (this.securityCredentialsFromEnv) {
return this.securityCredentialsFromEnv;
}
if (this.imdsV2SessionTokenUrl) {
metadataHeaders['x-aws-ec2-metadata-token'] =
await this.getImdsV2SessionToken();
}
// Since the role on a VM can change, we don't need to cache it.
const roleName = await this.getAwsRoleName(metadataHeaders);
// Temporary credentials typically last for several hours.
Expand Down Expand Up @@ -316,12 +320,6 @@ export class AwsClient extends BaseExternalAccountClient {
return response.data;
}

private shouldUseMetadataServer(): boolean {
// The metadata server must be used when either the AWS region or AWS security
// credentials cannot be retrieved through their defined environment variables.
return !this.regionFromEnv || !this.securityCredentialsFromEnv;
}

private get regionFromEnv(): string | null {
// The AWS region can be provided through AWS_REGION or AWS_DEFAULT_REGION.
// Only one is required.
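Review bot: The second hunk now requests a fresh IMDSv2 session token inside the security-credentials path (`if (this.imdsV2SessionTokenUrl) { metadataHeaders['x-aws-ec2-metadata-token'] = await this.getImdsV2SessionToken(); }`) but nothing says why the token obtained earlier for the region lookup is not reused, while the adjacent comment on the role name does explain its non-caching. Suggest a comment above the new `if`: `// The IMDSv2 session token is short-lived, so request a new one for each credential fetch rather than reusing the token from the region lookup.` The enclosing method starts outside the hunk, so the initialisation of `metadataHeaders` is not visible here; it is presumably a per-call object, which is what makes assigning a fresh token on each call safe. The same header assignment now appears twice (first and second hunks); a small private helper that builds the IMDSv2 header would remove the duplication.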
1 change: 1 addition & 0 deletions test/test.awsclient.ts
Expand Up @@ -330,6 +330,7 @@ describe('AwsClient', () => {
reqheaders: {'x-aws-ec2-metadata-token-ttl-seconds': '300'},
})
.put('/latest/api/token')
.twice()
.reply(200, awsSessionToken)
);

