How to run an assumeRoleWithWebIdentity request without an Env? #559

Closed
jwoudenberg opened this issue Feb 13, 2020 · 4 comments
Comments

@jwoudenberg

jwoudenberg commented Feb 13, 2020

Hi there! Thank you for these libraries, they've been super useful!

I have a question I was hoping someone might be able to help with. I've seen references in other issues from people who mention having done the same thing, so I'm pretty sure it's possible, and I'm probably overlooking something obvious.

I'd like to fetch temporary credentials using amazonka-sts assumeRoleWithWebIdentity, then use those credentials for subsequent requests to other AWS APIs. I think I understand how to create an Env once I have an assumeRoleWithWebIdentity response. What I can't figure out is how to send the assumeRoleWithWebIdentity request itself. I don't have credentials yet, that's what I'm running assumeRoleWithWebIdentity for, but it looks like the assumeRoleWithWebIdentity request requires an Env to be set up like every other amazonka request. How do I bootstrap myself?

Any help would be super appreciated!

@jwoudenberg
Author

I'm sorry, I made a mistake in this post: I'm looking to run the assumeRoleWithWebIdentity function which only takes a web identity token, not assumeRole which does require a full set of credentials.

The question remains the same though: is there a way to run an AssumeRoleWithWebIdentity without an existing set of credentials?

@jwoudenberg jwoudenberg changed the title How to run an assumeRole request without an Env? How to run an assumeRoleWithWebIdentity request without an Env? Feb 17, 2020
@Fuuzetsu

Please see the code in #602 (comment)

This still uses Env: this is needed for things like region information and so on anyway.

I have initially made a newtype wrapper over AssumeRoleWithWebIdentity that overwrote the service signer field to not alter the request but it turns out that this is completely unnecessary. You can simply send a signed request with some bogus (empty) credentials and AWS seems to accept it:

    {-# LANGUAGE OverloadedStrings #-}
    -- Imports added so the snippet compiles on its own (amazonka 1.6 module names).
    import Control.Lens (view, (&), (.~))
    import qualified Data.Text.IO as T
    import qualified Network.AWS as AWS
    import qualified Network.AWS.STS as STS

    -- Fetch temporary credentials for a role using only a web identity token.
    --   roleArn, sessionName :: Text
    --   tokenFile            :: FilePath (file containing the web identity token)
    --   region               :: Maybe AWS.Region
    --   httpManager          :: Network.HTTP.Client.Manager
    getCredentials roleArn sessionName tokenFile region httpManager = do
        token <- T.readFile tokenFile
        let assumeWeb = STS.assumeRoleWithWebIdentity
                roleArn sessionName token
        env <- do
            -- Ideally, we want to make an unsigned request as the whole
            -- point of web identity is that we do not have any credentials
            -- to start with. It turns out that it's fine to simply provide
            -- an empty set of credentials however and AWS seems to ignore them
            -- which is exactly what we want.
            e <- AWS.newEnvWith
                (AWS.FromKeys (AWS.AccessKey mempty) (AWS.SecretKey mempty))
                (Just False)
                httpManager
            pure $! case region of
                Nothing -> e
                Just r -> e & AWS.envRegion .~ r
        -- The response carries a Maybe AuthEnv; absence means no credentials were issued.
        m'credentials <- AWS.runResourceT . AWS.runAWS env $ do
            view STS.arwwirsCredentials <$> AWS.send assumeWeb
        case m'credentials of
            Nothing -> fail "Could not obtain credentials via web identity."
            Just c -> pure c
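
Added example (not part of Fuuzetsu's comment and not amazonka's own code): the second half of the original question, turning the `AuthEnv` that `getCredentials` returns into a fully credentialed `Env` for subsequent requests, then confirming which principal that `Env` actually represents. It assumes the amazonka 1.6 API used above, the `Network.AWS.Auth` lens names `accessKeyId`, `secretAccessKey`, `sessionToken` and `expiration`, the `STS.getCallerIdentity` request with its `gcirsArn` response lens, and a constructed 60-second expiry margin.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example: build an Env from STS temporary credentials and check who we are.
-- Assumptions: amazonka 1.6 module names; Network.AWS.Auth lenses
-- accessKeyId / secretAccessKey / sessionToken / expiration; STS.gcirsArn.
module WebIdentityEnv (envFromTemporaryCredentials, whoAmI) where

import Control.Lens (view, (&), (.~))
import Data.Text (Text)
import Data.Time (NominalDiffTime, addUTCTime, getCurrentTime)
import Network.HTTP.Client (Manager)
import qualified Network.AWS as AWS
import qualified Network.AWS.Auth as Auth
import qualified Network.AWS.STS as STS

-- | Build an Env from the AuthEnv returned by AssumeRoleWithWebIdentity.
-- Refuses credentials that carry no session token (STS always issues one for
-- an assumed role) or that expire within the safety margin, so a nearly
-- expired token is not handed to a long-running operation.
envFromTemporaryCredentials
    :: Manager -> AWS.Region -> Auth.AuthEnv -> IO (Either String AWS.Env)
envFromTemporaryCredentials httpManager region authEnv = do
    now <- getCurrentTime
    let margin = 60 :: NominalDiffTime  -- constructed safety margin, in seconds
    case (view Auth.sessionToken authEnv, view Auth.expiration authEnv) of
        (Nothing, _) ->
            pure (Left "STS response carried no session token")
        (_, Just expiry) | addUTCTime margin now >= expiry ->
            pure (Left ("temporary credentials expire at " ++ show expiry))
        (Just token, _) -> do
            -- FromSession is the Credentials constructor for key + secret + token.
            let creds = AWS.FromSession
                    (view Auth.accessKeyId authEnv)
                    (view Auth.secretAccessKey authEnv)
                    token
            env <- AWS.newEnvWith creds (Just False) httpManager
            pure (Right (env & AWS.envRegion .~ region))

-- | Ask STS which principal the new Env signs as. Logging this before using
-- the Env makes it obvious when the wrong role (or role session) was assumed.
whoAmI :: AWS.Env -> IO (Maybe Text)
whoAmI env = AWS.runResourceT . AWS.runAWS env $
    view STS.gcirsArn <$> AWS.send STS.getCallerIdentity
```

Usage: `getCredentials ... >>= envFromTemporaryCredentials httpManager region` yields either an error string or an `Env`; calling `whoAmI` on that `Env` returns the ARN of the assumed role session, which is the value worth recording before any further requests are sent with it.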

@endgame
Collaborator

endgame commented Sep 29, 2021

It might be worth eventually shoehorning a Maybe in somewhere so that you don't have to pass in the mempty access key id/secret access key, but since the workaround works let's defer thinking about it until after 2.0.

This probably would also be useful for things like bucket policies with "Principal": "*".

@endgame
Collaborator

endgame commented Nov 28, 2021

A new Credentials constructor provides this functionality, but I forgot to close this issue.

@endgame endgame closed this as completed Nov 28, 2021