fix: making aws request signer get a new session token each time #1765
Conversation
…rity credentials are requested.
aeitzman
added
the
owlbot:run
gcf-owl-bot
bot
removed
the
owlbot:run
| @@ -155,7 +155,7 @@ export class AwsClient extends BaseExternalAccountClient { | |||
| // The credential config contains all the URLs by default but clients may be running this | |||
| // where the metadata server is not available and returning the credentials through the environment. | |||
| // Removing this check may break them. | |||
| if (this.shouldUseMetadataServer() && this.imdsV2SessionTokenUrl) { | |||
| if (!this.regionFromEnv && this.imdsV2SessionTokenUrl) { | |||
There was a problem hiding this comment.
If region is provided by the environment, but security credentials are not, we still need to get a session token and call MDS. I see that it still works because you've added a new check below, but this makes this function more confusing to me.
Can we keep the original function (shouldUseMetadataServer()) and make other changes? e.g. not sure if there is any benefit of not creating a new request signer on each call - doing that would simply things.
There was a problem hiding this comment.
This is all going to get refactored in the next month or so anyway (when the suppliers get added as part of the programmatic auth change), I was just making this small change as a temporary fix since it seems to be blocking some people. I would rather worry about it then vs making this change larger, let me know what you think
fixes #1755