Don't use the set endpoint to get the assume role credentials #108

Merged 1 commit on Jan 2, 2024

@iwysiu iwysiu commented Dec 15, 2023

In https://github.com/grafana/support-escalations/issues/8225 and grafana/athena-datasource#296 a bug was reported regarding authentication with an endpoint and assume role. The problem was that we were setting the endpoint for the Athena service on the session that we were passing to the STS service to fetch the credentials.

Under the assumption that a user who wants to use a FIPS endpoint for a service would want to use a FIPS endpoint to get the assume role credentials, I added a function to check whether the endpoint is a FIPS endpoint and return the correct endpoint. I'm not sure that this is correct to do since I was reading that there are no real rules for how AWS endpoints are named (though from what I can tell, all the fips endpoints we'd expect would be caught by this), and I'm not sure if the users actually care if the credentials are fetched with FIPS or if that just applies to their data.

@@ -319,3 +324,30 @@ func (sc *SessionCache) GetSession(c SessionConfig) (*session.Session, error) {

return sess, nil
}

// getSTSEndpoint checks if the set endpoint is a fips endpoint, and if so, returns the STS fips endpoint for the same region
func getSTSEndpoint(endpoint string) string {
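Review bot: the doc comment on getSTSEndpoint covers only the FIPS case, and the signature returns a bare string, so a caller cannot tell "not a FIPS endpoint" from "looked like FIPS but the region could not be determined". Please state in the comment what is returned for a non-FIPS endpoint and how the region is taken from the input, and consider returning an error or a second boolean for the unparseable case. Since the value is derived from a user-configured endpoint and then used for the STS call that fetches credentials, a table-driven test covering non-FIPS hosts, hosts with a scheme or port, and hosts that merely contain the substring "fips" would be worth adding alongside this function.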
Member


No idea if this is helpful, but there is an Endpoints package in aws-sdk-go. I wonder if it has something for this? https://docs.aws.amazon.com/sdk-for-go/api/aws/endpoints/

Contributor Author


Unfortunately they don't have a helper for checking if something is a fips endpoint 😞 I think I checked and there wasn't a helper for getting the service from a string either.
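The check discussed in this thread, as an added example (not the code merged in this pull request and not part of aws-sdk-go): a Go helper that recognises a FIPS service endpoint by whole DNS labels rather than by substring, and returns the STS FIPS endpoint for the same region. The name `stsFIPSEndpoint`, the region allow-list and the sample endpoints are assumptions made for illustration; only the `<service>-fips.<region>.amazonaws.com` shape is handled.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// stsFIPSRegions lists regions where this example assumes the hostname
// sts-fips.<region>.amazonaws.com exists; extend it from AWS's FIPS endpoint list.
var stsFIPSRegions = map[string]bool{
	"us-east-1": true, "us-east-2": true, "us-west-1": true, "us-west-2": true,
}

// stsFIPSEndpoint (hypothetical helper) maps a FIPS service endpoint to the STS
// FIPS endpoint of the same region. It returns "" for anything else, meaning
// "set no endpoint and let the SDK resolve STS normally".
func stsFIPSEndpoint(endpoint string) string {
	raw := strings.TrimSpace(endpoint)
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw // a bare host[:port] would otherwise parse as a path
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	// Match whole DNS labels, not substrings: exactly
	// <service>-fips.<region>.amazonaws.com and nothing after it.
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	if len(labels) != 4 || labels[2] != "amazonaws" || labels[3] != "com" {
		return ""
	}
	if !strings.HasSuffix(labels[0], "-fips") || !stsFIPSRegions[labels[1]] {
		return ""
	}
	return "https://sts-fips." + labels[1] + ".amazonaws.com"
}

func main() {
	// Constructed sample endpoints, not taken from the pull request.
	for _, e := range []string{
		"https://athena-fips.us-east-1.amazonaws.com",
		"athena-fips.us-west-2.amazonaws.com:443",
		"https://athena.us-east-1.amazonaws.com",
		"https://athena-fips.us-east-1.amazonaws.com.example.net",
	} {
		fmt.Printf("%q -> %q\n", e, stsFIPSEndpoint(e))
	}
}
```

Because the region comes from an allow-list and the result is rebuilt from fixed strings, nothing from the user-supplied endpoint other than a known region name reaches the STS hostname.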

@iwysiu iwysiu changed the title from "Fix assuming a role with an endpoint set" to "Don't use the set endpoint to get the assume role credentials" Jan 2, 2024
@iwysiu iwysiu merged commit 838b57a into main Jan 2, 2024
3 checks passed
@iwysiu iwysiu deleted the assumeRole-and-endpoint branch January 2, 2024 15:32