Better support for permissions-restricted (IAM) environments on AWS #223
Conversation
Hoping someone can help me with that.
Thanks! I'm going to add more comments, but for testing that the token is present you should add a test case to the For example, you could set MockHttp.type inside E.g.

def _TOKEN(self, method, url, body, headers):
    self.assertEqual(headers['x-amz-security-token'], ...)
    ...
@@ -55,7 +55,7 @@ class Object(object): | |||
""" | |||
|
|||
def __init__(self, name, size, hash, extra, meta_data, container, | |||
driver): | |||
driver, acl=None): |
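Review bot: adding `acl=None` to the shared `Object.__init__` signature widens the base class for every storage driver while the docstring just above it is left unchanged, so the new parameter is undocumented. Either document it (what values are accepted and which drivers honour it) or, since not every provider supports ACLs, carry the ACL in the existing `extra` dictionary instead of the constructor signature.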
Since not all of the providers support ACLs, I'd rather put this inside the extra dictionary.
The headers passed in there don't seem to contain any auth-related parameters.

(Pdb) headers
{'Host': 's3.amazonaws.com', 'Accept-Encoding': 'gzip,deflate', 'User-Agent': 'libcloud/0.14.0-beta3 (Amazon S3 (standard)) '}
@coderanger Oh, right, I totally missed this out. Rest of the values get sent as part of query parameters and not via headers. This means the code needs to be updated to send

Edit: While we are at it, it would also be good to check if they might support sending this value via query parameters as well (I quickly glanced over the documentation and I could see this value being sent via headers).

Still need to double check that Amazon actually works with this style of sending the token, will do that in a moment.
…ers under the hood. This will behave correctly with restricted IAM permissions.
def add_default_params(self, params): | ||
# Even though we are adding it to the headers, we need it here too | ||
# so that the token is added to the signature. | ||
if self.token: |
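Review bot: the comment says the token is "also" added to the headers, but this hunk only shows the `add_default_params` branch; the header-side insertion should use the same guard (`if self.token:`) and the comment should say where that counterpart lives so the two paths cannot drift apart (a token present in the signature but missing from the request, or vice versa, yields a rejected request rather than an obvious error). Note also that the truthiness check silently drops an empty-string token, which is acceptable but worth stating.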
Hmm, are you sure that the token also needs to be taken into account when calculating the signature?
From the documentation (http://docs.aws.amazon.com/STS/latest/UsingSTS/using-temp-creds.html):
"Include the IAM session token that is part of the temporary security credentials. You include the session token as an authorization header to the request—for example, as the X-Amz-Security-Token header. (The session token is not part of the information that's used to create the signature.)"
Yes, not because it has special meaning but because you need to sign either all params or all x-amz headers (depending on the type of request).
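The rule stated in the comment above (every x-amz-* header goes into the signature) is exactly what the S3 signature version 2 StringToSign encodes. The following Python is an added illustration, not code from this patch or from libcloud; the secret key and session token are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not real credentials).
SECRET_KEY = "constructedSecretKeyExample"
SESSION_TOKEN = "constructedSessionTokenExample=="


def canonicalized_amz_headers(headers):
    """Build the CanonicalizedAmzHeaders element of the S3 (SigV2) string to sign.

    Every header whose lower-cased name starts with 'x-amz-' is included,
    sorted by name, values trimmed. This is why x-amz-security-token must be
    present before signing: a signed x-amz-* header that is missing from the
    request, or one added after signing, makes the signature fail.
    """
    amz = {}
    for name, value in headers.items():
        lname = name.strip().lower()
        if lname.startswith("x-amz-"):
            # Repeated names are combined into one comma-separated value.
            amz.setdefault(lname, []).append(str(value).strip())
    return "".join("%s:%s\n" % (n, ",".join(v)) for n, v in sorted(amz.items()))


def string_to_sign(method, headers, resource):
    """HTTP-Verb, Content-MD5, Content-Type, Date, amz headers, then resource."""
    lower = {k.lower(): v for k, v in headers.items()}
    return "\n".join([
        method,
        lower.get("content-md5", ""),
        lower.get("content-type", ""),
        lower.get("date", ""),
    ]) + "\n" + canonicalized_amz_headers(headers) + resource


def sign_request(method, headers, resource, secret_key=SECRET_KEY):
    """Base64(HMAC-SHA1(secret, StringToSign)), the SigV2 signature value."""
    digest = hmac.new(secret_key.encode("utf-8"),
                      string_to_sign(method, headers, resource).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_headers(date, token=None):
    """Headers for a bucket request; the session token is added only when present."""
    headers = {"Host": "s3.amazonaws.com", "Date": date}
    if token:
        headers["x-amz-security-token"] = token
    return headers
```

Comparing `sign_request` with and without the token shows that the same request produces a different signature once the token header is present, which is the behaviour the patch must account for.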
I see.
Did you test the whole patch with a live installation yet?
In any case, the patch looks good to me. I'll go ahead and test it and if everything looks good, I'll go ahead and merge it.
Yep, tested via depot with both normal and temporary credentials.
Alright, I've squashed the commits and merged changes into trunk - thanks! Tomorrow, I also plan to update documentation with some examples of how to use this new functionality.
This addresses two issues I filed (LIBCLOUD-497, LIBCLOUD-498).

It adds:

- `extra={'acl': '...'}`
- `token=` keyword argument on S3 driver (and can be easily added to other AWS drivers) to include the AWS Security Token param/header, which is required when using IAM role-provider credentials or other temporary AWS credentials.
- `get_container` on S3 no longer calls `list_containers` and otherwise works correctly in an environment with highly restricted permissions. This is a (minorly) backwards incompatible change as `get_container` will no longer load the creation time of the bucket. This is not of huge importance, but should be mentioned in the release notes.