
Commit 00558c5

committed
use verification client for better logging.
The SDK has changed the error returned when the provided ID is invalid; handling for that error is incorporated as well.
1 parent 0a3a692 commit 00558c5


2 files changed

+12
-3
lines changed


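--- a/pkg/detectors/aws/access_keys/accesskey.go
+++ b/pkg/detectors/aws/access_keys/accesskey.go
@@ -71,6 +71,13 @@ func (s scanner) Keywords() []string {
 }
 }
 
+func (s scanner) getClient() *http.Client {
+if s.verificationClient == nil {
+s.verificationClient = defaultVerificationClient
+}
+return s.verificationClient
+}
+
 // FromData will find and optionally verify AWS secrets in a given set of bytes.
 func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 logger := logContext.AddLogger(ctx).Logger().WithName("aws")
@@ -201,6 +208,7 @@ func (s scanner) verifyMatch(ctx context.Context, resIDMatch, resSecretMatch str
 // Prep AWS Creds for STS
 cfg, err := config.LoadDefaultConfig(ctx,
 config.WithRegion(region),
+config.WithHTTPClient(s.getClient()),
 config.WithCredentialsProvider(
 credentials.NewStaticCredentialsProvider(resIDMatch, resSecretMatch, ""),
 ),
@@ -214,7 +222,7 @@ func (s scanner) verifyMatch(ctx context.Context, resIDMatch, resSecretMatch str
 // Make the GetCallerIdentity API call
 resp, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
 if err != nil {
-if strings.Contains(err.Error(), "StatusCode: 403") {
+if strings.Contains(err.Error(), "StatusCode: 403") || strings.Contains(err.Error(), "InvalidClientTokenId") {
 return false, nil, nil
 }
 return false, nil, fmt.Errorf("request returned unexpected error: %s", err.Error())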
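Review bot: `s.verificationClient = defaultVerificationClient` in the added getClient writes to a copy, because the receiver is `(s scanner)` by value, so the assignment is discarded when the method returns; the method still returns the right client, but the write is dead and staticcheck reports it. The simplest fix is `if s.verificationClient == nil { return defaultVerificationClient }` followed by `return s.verificationClient`, unless caching on the struct is intended, in which case the receiver would need to be a pointer (every other method in the hunk uses a value receiver, so that is a wider change). A one-line doc comment such as `// getClient returns the scanner's HTTP client, falling back to defaultVerificationClient when none was configured.` would also help, since the purpose is only clear from the commit message. defaultVerificationClient and the scanner struct are declared outside the hunk.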

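--- a/pkg/detectors/aws/access_keys/canary.go
+++ b/pkg/detectors/aws/access_keys/canary.go
@@ -48,7 +48,8 @@ var (
 func (s scanner) verifyCanary(ctx context.Context, resIDMatch, resSecretMatch string) (bool, string, error) {
 // Prep AWS Creds for SNS
 cfg, err := config.LoadDefaultConfig(ctx,
-config.WithRegion("us-east-1"),
+config.WithRegion(region),
+config.WithHTTPClient(s.getClient()),
 config.WithCredentialsProvider(
 credentials.NewStaticCredentialsProvider(resIDMatch, resSecretMatch, ""),
 ),
@@ -70,7 +71,7 @@ func (s scanner) verifyCanary(ctx context.Context, resIDMatch, resSecretMatch st
 return true, arn, nil
 } else if strings.Contains(err.Error(), "does not match the signature you provided") {
 return false, "", nil
-} else if strings.Contains(err.Error(), "status code: 403") {
+} else if strings.Contains(err.Error(), "status code: 403") || strings.Contains(err.Error(), "InvalidClientTokenId") {
 return false, "", nil
 } else {
 return false, "", err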
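Review bot: the 403 marker tested in verifyCanary, `"status code: 403"`, differs in case from the `"StatusCode: 403"` tested in verifyMatch in accesskey.go; both functions build their config through the same config.LoadDefaultConfig, so only one spelling can match the error text that SDK produces, and the newly added `InvalidClientTokenId` branch may be what actually catches the invalid-key case here. It is worth confirming which spelling the SDK emits and aligning the two files, or better, extracting one shared helper (e.g. `isUnauthorizedErr(err error) bool`, a constructed name) used by both so the checks cannot drift again. `region` now replaces the hard-coded "us-east-1"; it is declared outside the hunk, presumably at package level in accesskey.go, so the canary check follows whatever that is set to. verifyCanary's body continues outside the hunk.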
