diff --git a/source/credentials_provider_ecs.c b/source/credentials_provider_ecs.c
index 2c90f849..b36e6f84 100644
--- a/source/credentials_provider_ecs.c
+++ b/source/credentials_provider_ecs.c
@@ -465,7 +465,7 @@ static void s_ecs_on_acquire_connection(struct aws_http_connection *connection,
 }
 /*
- * The host must use either HTTPS or the resolved IP address must satisfy one of the following:
+ * The resolved IP address must satisfy one of the following:
 * 1. within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128)
 * 2. corresponds to the ECS container host 169.254.170.2
 * 3. corresponds to the EKS container host IPs (IPv4 169.254.170.23, IPv6 fd00:ec2::23)
@@ -525,7 +525,6 @@ static void s_on_host_resolved(
 if (!host_addresses_len) {
 goto on_error;
 }
- AWS_FATAL_ASSERT(host_addresses_len > 0);
 for (size_t i = 0; i < host_addresses_len; ++i) {
 struct aws_host_address *host_address_ptr = NULL;
 aws_array_list_get_at_ptr(host_addresses, (void **)&host_address_ptr, i);
@@ -547,7 +546,6 @@ static void s_on_host_resolved(
 aws_error_str(AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST));
 ecs_user_data->error_code = AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST;
 s_ecs_finalize_get_credentials_query(ecs_user_data);
- return;
 }
 
 static int s_credentials_provider_ecs_get_credentials_async(
@@ -565,6 +563,7 @@ static int s_credentials_provider_ecs_get_credentials_async(
 if (wrapped_user_data == NULL) {
 goto error;
 }
+ /* No need to verify the host IP address if the connection is using HTTPS or a relative URI with an ECS host. */
 if (impl->is_https || aws_string_eq(impl->host, s_ecs_host)) {
 impl->function_table->aws_http_connection_manager_acquire_connection(
 impl->connection_manager, s_ecs_on_acquire_connection, wrapped_user_data);
diff --git a/tests/credentials_provider_ecs_tests.c b/tests/credentials_provider_ecs_tests.c
index 948978fc..dbe4bddb 100644
--- a/tests/credentials_provider_ecs_tests.c
+++ b/tests/credentials_provider_ecs_tests.c
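Review bot: The new comment in the `@@ -565,6 +563,7 @@` hunk says the IP check is skipped for "a relative URI with an ECS host", but the condition on the next line only tests `impl->is_https || aws_string_eq(impl->host, s_ecs_host)` — it does not look at whether the URI was relative, so any configuration whose host string equals `s_ecs_host` takes the bypass, not just the relative-URI path. Since this branch is the one place where plain-HTTP traffic escapes the resolved-address validation in `s_on_host_resolved`, the comment should state the actual condition: `/* Skip the resolved-IP validation when the connection uses HTTPS, or when the host string is exactly s_ecs_host (the ECS container host); every other plain-HTTP host is validated in s_on_host_resolved before a connection is acquired. */`. The same concern applies to the `@@ -465,7 +465,7 @@` hunk, where the HTTPS clause was dropped from the comment above the validation routine; a trailing sentence such as `Callers skip this check for HTTPS and for the literal ECS host, see s_credentials_provider_ecs_get_credentials_async.` would keep the exemption discoverable from the validation code. Both `s_on_host_resolved` and `s_credentials_provider_ecs_get_credentials_async` begin and end outside these hunks, so I cannot confirm from the diff whether a relative-URI flag exists elsewhere on `impl`.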
@@ -848,8 +848,8 @@ static int s_credentials_provider_ecs_basic_success_uri_env(struct aws_allocator
 },
 /* auth token is properly set */
 {
- .full_uri = "http://127.1.2.3:8080/credentials",
- .expected_uri = "http://127.1.2.3:8080/credentials",
+ .full_uri = "http://127.0.0.1:8080/credentials",
+ .expected_uri = "http://127.0.0.1:8080/credentials",
 .auth_token = "testToken",
 .expected_auth_token = "testToken",
 },
@@ -862,19 +862,34 @@ static int s_credentials_provider_ecs_basic_success_uri_env(struct aws_allocator
 },
 /* auth_token_file_path is respected */
 {
- .full_uri = "http://169.254.170.23:8080/credentials",
- .expected_uri = "http://169.254.170.23:8080/credentials",
+ .full_uri = "http://127.0.0.1:8080/credentials",
+ .expected_uri = "http://127.0.0.1:8080/credentials",
 .auth_token_file_content = "testToken",
 .expected_auth_token = "testToken",
 },
 /* auth_token_file_path is preferred */
 {
- .full_uri = "http://169.254.170.2:8080/credentials",
- .expected_uri = "http://169.254.170.2:8080/credentials",
+ .full_uri = "http://127.0.0.1:8080/credentials",
+ .expected_uri = "http://127.0.0.1:8080/credentials",
 .auth_token = "BadToken",
 .auth_token_file_content = "testToken",
 .expected_auth_token = "testToken",
 },
+ /* IPv4 loopback address*/
+ {
+ .full_uri = "http://127.1.2.3:8080/credentials",
+ .expected_uri = "http://127.1.2.3:8080/credentials",
+ },
+ /* IPv4 EKS container host address */
+ {
+ .full_uri = "http://169.254.170.23:8080/credentials",
+ .expected_uri = "http://169.254.170.23:8080/credentials",
+ },
+ /* IPv4 ECS container host address */
+ {
+ .full_uri = "http://169.254.170.2:8080/credentials",
+ .expected_uri = "http://169.254.170.2:8080/credentials",
+ },
 /* IPv6 loopback address */
 {
 .full_uri = "http://[::1]:8080/credentials",
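Review bot: The three added cases in the `@@ -862,19 +862,34 @@` hunk only exercise hosts that the validation in `s_on_host_resolved` is meant to accept (a non-`127.0.0.1` loopback address, the EKS host and the ECS host), and nothing in either hunk pins the rejection path, so a regression that accepts every plain-HTTP host would still pass this table; if a case for a disallowed address expecting `AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST` does not already exist elsewhere in the file, one belongs next to these. The new comment `/* IPv4 loopback address*/` is also missing the space before `*/` that its sibling comments have; `/* IPv4 loopback address */` keeps the style uniform. The enclosing `s_credentials_provider_ecs_basic_success_uri_env` table starts and ends outside these hunks, so whether a negative case is present further down cannot be confirmed from the diff.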