PR feedback

awslabs · May 16, 2024 · 1cd411a · 1cd411a
1 parent b7b5e99
commit 1cd411a
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 10 deletions.
diff --git a/include/aws/auth/credentials.h b/include/aws/auth/credentials.h
@@ -234,12 +234,8 @@ struct aws_credentials_provider_imds_options {
  *
  *`AWS_CONTAINER_CREDENTIALS_FULL_URI` URL must satisfy one of the following:
  *  1. The URL begins with `https`.
- *  2. The URL refers to an allowed IP address. If a URL contains a domain name instead of an IP address,
- *      a DNS lookup will be performed. All resolved IP addresses must refer to an allowed IP address, or
- *      the credentials provider will return `AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST`. Valid IP addresses are:
- *          a) Within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128)
- *          b) The ECS container address (169.254.170.2)
- *          c) EKS Pod Identity address (169.254.170.23 or fd00:ec2::23)
+ *  2. The resolved IP address is within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128), ECS container address
+ *     (169.254.170.2), or EKS Pod Identity address (169.254.170.23 or fd00:ec2::23).
  *
  * For the Authorization token, there are two ways (in order of priority):
  * 1. AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE (an env var which contains the absolute path to the token file. The file

diff --git a/source/credentials_provider_ecs.c b/source/credentials_provider_ecs.c
@@ -470,10 +470,10 @@ static void s_ecs_on_acquire_connection(struct aws_http_connection *connection,
  * 2. corresponds to the ECS container host 169.254.170.2
  * 3. corresponds to the EKS container host IPs (IPv4 169.254.170.23, IPv6 fd00:ec2::23)
  */
-static bool s_is_valid_remote_host_ip(struct aws_host_address *host_address_ptr) {
+static bool s_is_valid_remote_host_ip(const struct aws_host_address *host_address) {
     bool result = false;
-    struct aws_byte_cursor address = aws_byte_cursor_from_string(host_address_ptr->address);
-    if (host_address_ptr->record_type == AWS_ADDRESS_RECORD_TYPE_A) {
+    struct aws_byte_cursor address = aws_byte_cursor_from_string(host_address->address);
+    if (host_address->record_type == AWS_ADDRESS_RECORD_TYPE_A) {
         const struct aws_byte_cursor ipv4_loopback_address_prefix = aws_byte_cursor_from_c_str("127.");
         const struct aws_byte_cursor ecs_container_host_address = aws_byte_cursor_from_c_str("169.254.170.2");
         const struct aws_byte_cursor eks_container_host_address = aws_byte_cursor_from_c_str("169.254.170.23");
@@ -482,7 +482,7 @@ static bool s_is_valid_remote_host_ip(struct aws_host_address *host_address_ptr)
         result |= aws_byte_cursor_eq(&address, &ecs_container_host_address);
         result |= aws_byte_cursor_eq(&address, &eks_container_host_address);
 
-    } else if (host_address_ptr->record_type == AWS_ADDRESS_RECORD_TYPE_AAAA) {
+    } else if (host_address->record_type == AWS_ADDRESS_RECORD_TYPE_AAAA) {
         /* Check for both the short form and long form of an IPv6 address to be safe. */
         const struct aws_byte_cursor ipv6_loopback_address = aws_byte_cursor_from_c_str("::1");
         const struct aws_byte_cursor ipv6_loopback_address_verbose = aws_byte_cursor_from_c_str("0:0:0:0:0:0:0:1");