Salt does not include security tokens with requests to s3 in 2015.8 #26345

Closed
TronPaul opened this issue Aug 15, 2015 · 3 comments

Labels: Bug (broken, incorrect, or confusing behavior), P3 (Priority 3), RIoT (relates to integration with cloud providers, hypervisors, API-based services, etc.), Salt-Cloud

@TronPaul
Contributor

Version: 2015.8.0rc3-44-gc604527

If you are running salt in AWS and are using IAM roles, salt will not use the security_token in s3 requests.

    if not key or not keyid:
        iam_creds = iam.get_iam_metadata()
        key = iam_creds['secret_key']
        keyid = iam_creds['access_key']
    if not requesturl:
        requesturl = 'https://{0}/{1}'.format(endpoint, path)
        headers, requesturl = salt.utils.aws.sig4(
            method,
            endpoint,
            params,
            data=data,
            uri='/{0}'.format(path),
            prov_dict={'id': keyid, 'key': key},
            location=location,
            product='s3',
            requesturl=requesturl,
        )
@TronPaul changed the title from "Salt does not include security tokens with requests to s3" to "Salt does not include security tokens with requests to s3 in 2015.8" on Aug 15, 2015
@TronPaul
Contributor Author

Digging deeper, it seems salt.utils.aws.creds expects IROLE_CODE as either the access_key or the secret_key to return a security token back to salt.utils.aws.sig4. However, s3 is calling iam itself to get the access_key and secret_key, but doesn't use the security_token.

Should salt.utils.s3 be passing in credentials in the IAM case? It seems salt.utils.aws.sig4 doesn't expect it to.
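
What including the token means at the signing layer, as an added example (not Salt's code and not part of the original thread): with IAM role credentials, SigV4 requires the session token to be sent as an `x-amz-security-token` header and listed in the signed headers. The helper `sign_s3_get`, the shape of the `creds` dict and all sample values are assumptions made for this example.

```python
import datetime
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET

# Constructed sample values; key names follow the iam_creds dict quoted above.
ROLE_CREDS = {"access_key": "ASIAEXAMPLE", "secret_key": "constructed-secret",
              "security_token": "constructed-session-token"}
NOW = datetime.datetime(2015, 8, 15, 12, 0, 0)


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_s3_get(creds, endpoint, path, region, now):
    """Build SigV4 headers for a GET of an already URI-encoded path."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    headers = {"host": endpoint, "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    # Role credentials are temporary: the session token must be sent with the
    # request, and it is listed in the signed headers so the signature covers it.
    if creds.get("security_token"):
        headers["x-amz-security-token"] = creds["security_token"]
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join("{0}:{1}\n".format(n, headers[n]) for n in names)
    canonical_request = "\n".join(
        ["GET", path, "", canonical_headers, signed_headers, EMPTY_SHA256])
    scope = "/".join([datestamp, region, "s3", "aws4_request"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = ("AWS4" + creds["secret_key"]).encode("utf-8")
    for part in (datestamp, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    headers["authorization"] = (
        "AWS4-HMAC-SHA256 Credential={0}/{1}, SignedHeaders={2}, Signature={3}"
        .format(creds["access_key"], scope, signed_headers, signature))
    return headers


if __name__ == "__main__":
    print(sign_s3_get(ROLE_CREDS, "bucket.s3.amazonaws.com", "/top.sls", "us-east-1", NOW))
```

Passing only the access key and secret key of a role, as the excerpt above does through `prov_dict`, corresponds to the second case in this example: the token header is never added and the request is signed without it.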

@TronPaul
Contributor Author

Looks to be broken by c63c235.

@jfindlay added the Bug, Salt-Cloud, P3 and RIoT labels on Aug 17, 2015
@jfindlay added this to the Approved milestone on Aug 17, 2015
@jfindlay
Contributor

@TronPaul, thanks for your work on this.
