-
Notifications
You must be signed in to change notification settings - Fork 193
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix default credential chain not respecting endpoint URL overrides (#…
…3873) ## Motivation and Context <!--- Why is this change required? What problem does it solve? --> <!--- If it fixes an open issue, please link to the issue here --> awslabs/aws-sdk-rust#1193 ## Description This PR fixes a customer reported bug where the default chain doesn't respect `AWS_ENDPOINT_URL`/`AWS_ENDPOINT_URL_<SERVICE>` environment variables or the equivalents in AWS shared config (`~/.aws/config`). This fix is a little nuanced and frankly gross but there isn't a better option that I can see right now that isn't way more invasive. The crux of the issue is that when we implemented support for this feature ([1](#3568), [2](#3493), [3](#3488)) we really only made it work for clients created via [`ConfigLoader::load()`](https://github.com/smithy-lang/smithy-rs/blob/release-2024-10-09/aws/rust-runtime/aws-config/src/lib.rs#L871). Internally the default chain credential provider constructs `STS` and `SSO` clients but it does so using [`ProviderConfig`](https://github.com/smithy-lang/smithy-rs/blob/release-2024-10-09/aws/rust-runtime/aws-config/src/provider_config.rs#L36) by mapping this to `SdkConfig` via [`ProviderConfig::client_config()`](https://github.com/smithy-lang/smithy-rs/blob/release-2024-10-09/aws/rust-runtime/aws-config/src/provider_config.rs#L199). This conversion is used in several places and it doesn't take any of the required logic into account to setup [`EnvServiceConfig`](https://github.com/smithy-lang/smithy-rs/blob/release-2024-10-09/aws/rust-runtime/aws-config/src/lib.rs#L859-L862) which is what generated SDK's ultimately use to figure out the endpoint URL from either environment/profile ([example client](https://github.com/awslabs/aws-sdk-rust/blob/release-2024-10-09/sdk/sts/src/config.rs#L1214-L1221) which ultimately ends up in `EnvServiceConfig` [here](https://github.com/smithy-lang/smithy-rs/blob/release-2024-10-09/aws/rust-runtime/aws-config/src/env_service_config.rs#L18)). The fix applied here is nuanced in that we update the conversion to provide a `EnvServiceConfig` but it relies on the profile to have been parsed already or else you'll get an empty/default profile. This generally works for the profile provider since the first thing we do is load the profile but in isolation it may not work as expected. I've added tests for STS to cover all cases but SSO credentials and token providers do NOT currently respect shared config endpoint URL keys. Fixing this is possible but involved since we require an `async` context to ensure a profile is loaded already and in many places where we construct `SdkConfig` from `ProviderConfig` we are in non async function. ## Testing Tested repro + additional integration tests ## Future This does _not_ fix awslabs/aws-sdk-rust#1194 which was discovered as a bug/gap. Fixing it would be outside the scope of this PR. SSO/token provider is instantiated sometimes before we have parsed a profile. This PR definitely fixes the STS provider for all configuration scenarios but the SSO related client usage may still have some edge cases when configured via profiles since we often instantiate them before parsing a profile. When we surveyed other SDKs there were several that failed to respect these variables and haven't received issues around this which leads me to believe this isn't likely a problem in practice (most likely due to SSO being used in local development most often where redirecting that endpoint doesn't make much sense anyway). ## Checklist - [X] For changes to the AWS SDK, generated SDK code, or SDK runtime crates, I have created a changelog entry Markdown file in the `.changelog` directory, specifying "aws-sdk-rust" in the `applies_to` key. ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._
- Loading branch information
Showing
34 changed files
with
892 additions
and
195 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
--- | ||
applies_to: | ||
- aws-sdk-rust | ||
authors: | ||
- aajtodd | ||
references: | ||
- aws-sdk-rust#1193 | ||
breaking: false | ||
new_feature: false | ||
bug_fix: true | ||
--- | ||
Fix default credential provider chain not respecting endpoint URL overrides from environment |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
[package] | ||
name = "aws-config" | ||
version = "1.5.8" | ||
version = "1.5.9" | ||
authors = [ | ||
"AWS Rust SDK Team <[email protected]>", | ||
"Russell Cohen <[email protected]>", | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 4 additions & 0 deletions
4
...untime/aws-config/test-data/profile-provider/assume_role_override_global_env_url/env.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
{ | ||
"HOME": "/home", | ||
"AWS_ENDPOINT_URL": "http://aws.global-env-override" | ||
} |
7 changes: 7 additions & 0 deletions
7
...config/test-data/profile-provider/assume_role_override_global_env_url/fs/home/.aws/config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
[default] | ||
region = us-east-1 | ||
role_arn = arn:aws:iam::123456789:role/integration-test | ||
source_profile = base | ||
|
||
[profile base] | ||
region = us-east-1 |
3 changes: 3 additions & 0 deletions
3
...g/test-data/profile-provider/assume_role_override_global_env_url/fs/home/.aws/credentials
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[base] | ||
aws_access_key_id = AKIAFAKE | ||
aws_secret_access_key = FAKE |
107 changes: 107 additions & 0 deletions
107
...s-config/test-data/profile-provider/assume_role_override_global_env_url/http-traffic.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,107 @@ | ||
{ | ||
"events": [ | ||
{ | ||
"connection_id": 0, | ||
"action": { | ||
"Request": { | ||
"request": { | ||
"uri": "http://aws.global-env-override", | ||
"headers": { | ||
"content-type": [ | ||
"application/x-www-form-urlencoded" | ||
], | ||
"authorization": [ | ||
"AWS4-HMAC-SHA256 Credential=AKIAFAKE/20210810/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-user-agent, Signature=cd5cb2aa1d20717ca17692bcbda711797ae9eb8bb1130690b021b3952b7ae56e" | ||
], | ||
"user-agent": [ | ||
"aws-sdk-rust/0.1.0 os/macos lang/rust/1.55.0-nightly" | ||
], | ||
"content-length": [ | ||
"146" | ||
], | ||
"x-amz-date": [ | ||
"20210810T003833Z" | ||
], | ||
"host": [ | ||
"aws.global-env-override" | ||
], | ||
"x-amz-user-agent": [ | ||
"aws-sdk-rust/0.1.0 api/sts/0.0.14-alpha os/macos lang/rust/1.55.0-nightly" | ||
] | ||
}, | ||
"method": "POST" | ||
} | ||
} | ||
} | ||
}, | ||
{ | ||
"connection_id": 0, | ||
"action": { | ||
"Data": { | ||
"data": { | ||
"Utf8": "Action=AssumeRole&Version=2011-06-15&RoleArn=arn%3Aaws%3Aiam%3A%3A123456789%3Arole%2Fintegration-test&RoleSessionName=assume-role-provider-session" | ||
}, | ||
"direction": "Request" | ||
} | ||
} | ||
}, | ||
{ | ||
"connection_id": 0, | ||
"action": { | ||
"Eof": { | ||
"ok": true, | ||
"direction": "Request" | ||
} | ||
} | ||
}, | ||
{ | ||
"connection_id": 0, | ||
"action": { | ||
"Response": { | ||
"response": { | ||
"Ok": { | ||
"status": 200, | ||
"version": "HTTP/1.1", | ||
"headers": { | ||
"date": [ | ||
"Thu, 05 Aug 2021 18:58:02 GMT" | ||
], | ||
"content-length": [ | ||
"1491" | ||
], | ||
"content-type": [ | ||
"text/xml" | ||
], | ||
"x-amzn-requestid": [ | ||
"c2e971c2-702d-4124-9b1f-1670febbea18" | ||
] | ||
} | ||
} | ||
} | ||
} | ||
} | ||
}, | ||
{ | ||
"connection_id": 0, | ||
"action": { | ||
"Data": { | ||
"data": { | ||
"Utf8": "<AssumeRoleResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n <AssumeRoleResult>\n <AssumedRoleUser>\n <AssumedRoleId>AROARABCDEFGHIJKLMNOP:assume-role-provider-session</AssumedRoleId>\n <Arn>arn:aws:sts::123456789012:assumed-role/integration-test/assume-role-provider-session</Arn>\n </AssumedRoleUser>\n <Credentials>\n <AccessKeyId>ASIARTESTID</AccessKeyId>\n <SecretAccessKey>TESTSECRETKEY</SecretAccessKey>\n <SessionToken>TESTSESSIONTOKEN</SessionToken>\n <Expiration>2021-08-05T19:58:02Z</Expiration>\n </Credentials>\n </AssumeRoleResult>\n <ResponseMetadata>\n <RequestId>c2e971c2-702d-4124-9b1f-1670febbea18</RequestId>\n </ResponseMetadata>\n</AssumeRoleResponse>\n" | ||
}, | ||
"direction": "Response" | ||
} | ||
} | ||
}, | ||
{ | ||
"connection_id": 0, | ||
"action": { | ||
"Eof": { | ||
"ok": true, | ||
"direction": "Response" | ||
} | ||
} | ||
} | ||
], | ||
"docs": "standard request / response with STS", | ||
"version": "V0" | ||
} |
12 changes: 12 additions & 0 deletions
12
.../aws-config/test-data/profile-provider/assume_role_override_global_env_url/test-case.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{ | ||
"name": "assume-role-override-global-env-url", | ||
"docs": "override AWS_ENDPOINT_URL via environment", | ||
"result": { | ||
"Ok": { | ||
"access_key_id": "ASIARTESTID", | ||
"secret_access_key": "TESTSECRETKEY", | ||
"session_token": "TESTSESSIONTOKEN", | ||
"expiry": 1628193482 | ||
} | ||
} | ||
} |
3 changes: 3 additions & 0 deletions
3
...me/aws-config/test-data/profile-provider/assume_role_override_global_profile_url/env.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
{ | ||
"HOME": "/home" | ||
} |
8 changes: 8 additions & 0 deletions
8
...ig/test-data/profile-provider/assume_role_override_global_profile_url/fs/home/.aws/config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
[default] | ||
region = us-east-1 | ||
role_arn = arn:aws:iam::123456789:role/integration-test | ||
source_profile = base | ||
endpoint_url = http://aws.global-profile-override | ||
|
||
[profile base] | ||
region = us-east-1 |
3 changes: 3 additions & 0 deletions
3
...st-data/profile-provider/assume_role_override_global_profile_url/fs/home/.aws/credentials
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[base] | ||
aws_access_key_id = AKIAFAKE | ||
aws_secret_access_key = FAKE |
Oops, something went wrong.