Skip to content

Add STS assume role and web identity credential providers #352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 20, 2021
Merged

Add STS assume role and web identity credential providers #352

merged 7 commits into from
Oct 20, 2021

Conversation

@kggilmer
Copy link
Contributor

@kggilmer kggilmer commented Oct 19, 2021

Issue #

#325
#19

Description of changes

  • Provide SDK types for aws-crt-kotlin credential providers: sts assume role and sts web identity

Scope

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@kggilmer kggilmer requested review from aajtodd and ianbotsf October 19, 2021 23:34
@kggilmer
Copy link
Contributor Author

kggilmer commented Oct 19, 2021

I didn't setup the cross-repo branches for this so the aws-crt-kotlin change will need to be merged before CI will pass.

aajtodd
aajtodd approved these changes Oct 20, 2021
View reviewed changes
...onfig/common/src/aws/sdk/kotlin/runtime/auth/credentials/StsAssumeRoleCredentialsProvider.kt Outdated
*/
public class StsAssumeRoleCredentialsProvider public constructor(
credentialsProvider: CredentialsProvider,
roleArn: String? = null,
Copy link
Contributor

@aajtodd aajtodd Oct 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correctness

Aren't some of these required? If so I think we should make them required arguments.

Copy link
Contributor Author

@kggilmer kggilmer Oct 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, good catch.

...onfig/common/src/aws/sdk/kotlin/runtime/auth/credentials/StsAssumeRoleCredentialsProvider.kt Outdated
}

// Adapt SDK credential provider to CRT version
internal fun adapt(credentialsProvider: CredentialsProvider): CredentialsProviderCrt =
Copy link
Contributor

@aajtodd aajtodd Oct 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sigh the amount of layers here is painful and admittedly hard to follow at times (nothing you did wrong of course)

ianbotsf
ianbotsf requested changes Oct 20, 2021
View reviewed changes
...onfig/common/src/aws/sdk/kotlin/runtime/auth/credentials/StsAssumeRoleCredentialsProvider.kt Outdated
Comment on lines 38 to 49
// Adapt SDK credential provider to CRT version
internal fun CredentialsProvider.toCrtCredentialsProvider(): CredentialsProviderCrt =
object : CredentialsProviderCrt {
override fun close() { }

override suspend fun getCredentials(): Credentials {
val credentials = this@toCrtCredentialsProvider.getCredentials()
return Credentials(credentials.accessKeyId, credentials.secretAccessKey, credentials.sessionToken)
}

override suspend fun waitForShutdown() { }
}
Copy link
Contributor

@ianbotsf ianbotsf Oct 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness: Doesn't this already exist as CredentialsProviderCrtProxy?

Copy link
Contributor Author

@kggilmer kggilmer Oct 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It surely does, nice catch

ianbotsf
ianbotsf reviewed Oct 20, 2021
View reviewed changes
...onfig/common/src/aws/sdk/kotlin/runtime/auth/credentials/StsAssumeRoleCredentialsProvider.kt Outdated
override val crtProvider: StsAssumeRoleCredentialsProviderCrt = StsAssumeRoleCredentialsProviderCrt.build {
clientBootstrap = SdkDefaultIO.ClientBootstrap
tlsContext = SdkDefaultIO.TlsContext
this.credentialsProvider = CredentialsProviderCrtProxy(credentialsProvider)
Copy link
Contributor

@ianbotsf ianbotsf Oct 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment: Now that I'm looking at the usage of the CRT proxy a little closer I believe there may be room for improvement. We've got CrtCredentialsProvider for wrapping CRT in SDK and we've got CredentialsProviderCrtProxy for wrapping SDK in CRT. But if someone passes in a CrtCredentialsProvider to this STS impl, we don't need to re-wrap it as CRT...we can just unwrap it from SDK right?

I think we may need a new helper method in CrtCredentialUtils.kt:

internal fun asCrt(sdkProvider: CredentialsProvider): CredentialsProviderCrt = when (sdkProvider) {
    is CrtCredentialsProvider -> sdkProvider.crtProvider
    else -> CredentialsProviderCrtProxy(sdkProvider)
}

@kggilmer kggilmer merged commit dbde5bd into main Oct 20, 2021
@kggilmer kggilmer deleted the feat-sts-credential-providers branch October 20, 2021 23:06
This was referenced Oct 25, 2021
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ianbotsf ianbotsf ianbotsf approved these changes

+1 more reviewer

@aajtodd aajtodd aajtodd approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kggilmer @aajtodd @ianbotsf