-
-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update S3 pre-signed credentials logic #10265
Conversation
S3 Image Test Results (AMD64 / ARM64) 2 files 2 suites 3m 11s ⏱️ Results for commit 792008e. ♻️ This comment has been updated with latest results. |
""" | ||
from moto.iam.models import AccessKey, iam_backends | ||
|
||
account_id = get_account_id_from_access_key_id(access_key_id) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Q: Is it possible to use STS:GetSessionToken
at this point and obtain the access key ID + secret access key programatically?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think so, I think GetSessionToken
returns a set of temporary credentials which will be then be different than what was used to signed the request on the client side.
I think you would also need to create the client for STS with the Access Key ID and the Secret Access Key of the client used to sign the request?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This made me think of @dfangl hackathon, where he must had to implement a similar logic to validate the signature of every request:
f758364
And I guess it was the same issue, about having credentials that are set in LocalStack.
So I'm just not sure about the reverse of the access key id <-> account id to access the store, or if I need to iterate in the same way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There seems to be no API for getting the secret key, so I think this is the best way for now :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding this @bentsku, another step towards improving our test strategy 🙌
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only really looked at the IAM/STS stuff, but looks good! Sadly there is no better way as far as I know :)
Motivation
Currently in LocalStack, in order to use pre-signed URLs while validating the signature (with
S3_SKIP_SIGNATURE_VALIDATION
set to false), the user needs to set hardcoded credentials:test
/test
.This is due to the fact that we did not retrieve the Secret Access Key linked to the sent Access Key Id, which is needed to take the incoming request server side, sign it as well and compare with the received signature.
We also used the
TEST_AWS*
credentials to generate the signature server side, which was a way for our test to always work as those are hardcoded.Changes
test
, so that we can properly validate pre-signed URL even the user does not provide credentials that actually exists in LocalStack.Note: as we can use random Access Keys in LocalStack without having them being created in IAM, most of the time we won't be able to retrieve the secret key, and will need to fallback to the
test
secret access key.However, we now support passing proper existing credentials and having the handler properly validate them.
\cc @dfangl as I'm directly accessing IAM internals, not sure what is your opinion on this, and if it can be done any other way?