fix: making aws request signer get a new session token each time #1765

Merged (1 commit), Mar 5, 2024
12 changes: 5 additions & 7 deletions src/auth/awsclient.ts
Expand Up @@ -155,7 +155,7 @@ export class AwsClient extends BaseExternalAccountClient {
// The credential config contains all the URLs by default but clients may be running this
// where the metadata server is not available and returning the credentials through the environment.
// Removing this check may break them.
if (this.shouldUseMetadataServer() && this.imdsV2SessionTokenUrl) {
if (!this.regionFromEnv && this.imdsV2SessionTokenUrl) {
Contributor:
If region is provided by the environment, but security credentials are not, we still need to get a session token and call MDS. I see that it still works because you've added a new check below, but this makes this function more confusing to me.

Can we keep the original function (shouldUseMetadataServer()) and make other changes? e.g. not sure if there is any benefit of not creating a new request signer on each call - doing that would simplify things.

Contributor (Author):

This is all going to get refactored in the next month or so anyway (when the suppliers get added as part of the programmatic auth change). I was just making this small change as a temporary fix, since it seems to be blocking some people. I would rather worry about it then than make this change larger; let me know what you think.

metadataHeaders['x-aws-ec2-metadata-token'] =
await this.getImdsV2SessionToken();
}
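Review bot: the new condition on the `+` line drops the `!this.securityCredentialsFromEnv` half of the old `shouldUseMetadataServer()` check, so the token fetched here is now only needed when the region has to be read from the metadata server, yet the comment block above still explains the old check ("Removing this check may break them") and should be reworded to say that the security-credential case is handled separately. Note also that when neither the region nor the security credentials come from the environment, the session token is requested twice per signer setup (once here and once in the callback in the next hunk), which is what the `.twice()` added to the test encodes; a one-line comment here stating that the second fetch is intentional would spare the next reader the confusion raised in this thread.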
Expand All @@ -167,6 +167,10 @@ export class AwsClient extends BaseExternalAccountClient {
if (this.securityCredentialsFromEnv) {
return this.securityCredentialsFromEnv;
}
if (this.imdsV2SessionTokenUrl) {
metadataHeaders['x-aws-ec2-metadata-token'] =
await this.getImdsV2SessionToken();
}
// Since the role on a VM can change, we don't need to cache it.
const roleName = await this.getAwsRoleName(metadataHeaders);
// Temporary credentials typically last for several hours.
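Review bot: the added block writes the fresh token into `metadataHeaders`, the same object the enclosing scope populated earlier, so every invocation of this callback mutates shared state instead of building its own headers; a callback-local object (for example `const headers = {...metadataHeaders};` followed by `headers['x-aws-ec2-metadata-token'] = await this.getImdsV2SessionToken();`) would leave the outer headers untouched and make the per-call refresh obvious. The `// Since the role on a VM can change` comment could also gain a sentence on why the token is re-fetched at all: an IMDSv2 session token expires (the test pins a 300-second TTL) while this signer callback is reused across calls, so a token captured once at construction time goes stale, which is the behaviour the PR title describes fixing.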
Expand Down Expand Up @@ -316,12 +320,6 @@ export class AwsClient extends BaseExternalAccountClient {
return response.data;
}

private shouldUseMetadataServer(): boolean {
// The metadata server must be used when either the AWS region or AWS security
// credentials cannot be retrieved through their defined environment variables.
return !this.regionFromEnv || !this.securityCredentialsFromEnv;
}

private get regionFromEnv(): string | null {
// The AWS region can be provided through AWS_REGION or AWS_DEFAULT_REGION.
// Only one is required.
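Review bot: with `shouldUseMetadataServer()` deleted, the explanatory comment it carried ("The metadata server must be used when either the AWS region or AWS security credentials cannot be retrieved through their defined environment variables") disappears too, while the two call sites above now each check only one half of that condition; carry the comment over to those sites so the split is documented, or, as the earlier review comment suggests, keep the helper and layer the per-call token fetch on top of it.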
1 change: 1 addition & 0 deletions test/test.awsclient.ts
Expand Up @@ -330,6 +330,7 @@ describe('AwsClient', () => {
reqheaders: {'x-aws-ec2-metadata-token-ttl-seconds': '300'},
})
.put('/latest/api/token')
.twice()
.reply(200, awsSessionToken)
);
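Review bot: `.twice()` only asserts that the token endpoint is hit twice; it does not prove that the second signer call actually sends the newly issued token. Reply with a distinct value on the second PUT (for example `.reply(200, awsSessionToken)` for the first and `.put('/latest/api/token').reply(200, 'second-token')` for the second) and add `reqheaders: {'x-aws-ec2-metadata-token': ...}` expectations on the metadata GETs made with those headers, so a regression that fetches twice but keeps reusing the first token would still fail.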
