

use verification client for better logging.
The SDK has changed the error returned when the provided ID is invalid; handling for that error has been incorporated as well.
abmussani committed Feb 14, 2025
1 parent 0a3a692 commit 00558c5
Showing 2 changed files with 12 additions and 3 deletions.
10 changes: 9 additions & 1 deletion pkg/detectors/aws/access_keys/accesskey.go
@@ -71,6 +71,13 @@ func (s scanner) Keywords() []string {
}
}

func (s scanner) getClient() *http.Client {
if s.verificationClient == nil {
s.verificationClient = defaultVerificationClient
}
return s.verificationClient
}

// FromData will find and optionally verify AWS secrets in a given set of bytes.
func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
logger := logContext.AddLogger(ctx).Logger().WithName("aws")
@@ -201,6 +208,7 @@ func (s scanner) verifyMatch(ctx context.Context, resIDMatch, resSecretMatch str
// Prep AWS Creds for STS
cfg, err := config.LoadDefaultConfig(ctx,
config.WithRegion(region),
config.WithHTTPClient(s.getClient()),
config.WithCredentialsProvider(
credentials.NewStaticCredentialsProvider(resIDMatch, resSecretMatch, ""),
),
@@ -214,7 +222,7 @@ func (s scanner) verifyMatch(ctx context.Context, resIDMatch, resSecretMatch str
// Make the GetCallerIdentity API call
resp, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
if err != nil {
if strings.Contains(err.Error(), "StatusCode: 403") {
if strings.Contains(err.Error(), "StatusCode: 403") || strings.Contains(err.Error(), "InvalidClientTokenId") {
return false, nil, nil
}
return false, nil, fmt.Errorf("request returned unexpected error: %s", err.Error())
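Review bot: getClient assigns `s.verificationClient = defaultVerificationClient` on a value receiver (`func (s scanner)`), so the assignment lands on a local copy that is discarded when the method returns; the fallback still works because that copy is what gets returned, but the line reads as caching that never happens, so either drop it — `if s.verificationClient == nil { return defaultVerificationClient }` — or switch to a pointer receiver if memoizing was the intent. The widened condition `if strings.Contains(err.Error(), "StatusCode: 403") || strings.Contains(err.Error(), "InvalidClientTokenId") {` classifies on the error's text, which is exactly what broke when the SDK changed its message; the SDK exposes typed errors, so `var apiErr smithy.APIError; if errors.As(err, &apiErr) && apiErr.ErrorCode() == "InvalidClientTokenId" {` would survive the next wording change, and the same applies to the matching branch added in canary.go. Note also that a 403 or InvalidClientTokenId is returned as `false, nil, nil`, i.e. silently unverified rather than an error, so any other new rejection wording from the SDK will surface as an unexpected error until it is added here. verifyMatch's body begins and ends outside this hunk.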
5 changes: 3 additions & 2 deletions pkg/detectors/aws/access_keys/canary.go
@@ -48,7 +48,8 @@ var (
func (s scanner) verifyCanary(ctx context.Context, resIDMatch, resSecretMatch string) (bool, string, error) {
// Prep AWS Creds for SNS
cfg, err := config.LoadDefaultConfig(ctx,
config.WithRegion("us-east-1"),
config.WithRegion(region),
config.WithHTTPClient(s.getClient()),
config.WithCredentialsProvider(
credentials.NewStaticCredentialsProvider(resIDMatch, resSecretMatch, ""),
),
@@ -70,7 +71,7 @@ func (s scanner) verifyCanary(ctx context.Context, resIDMatch, resSecretMatch st
return true, arn, nil
} else if strings.Contains(err.Error(), "does not match the signature you provided") {
return false, "", nil
} else if strings.Contains(err.Error(), "status code: 403") {
} else if strings.Contains(err.Error(), "status code: 403") || strings.Contains(err.Error(), "InvalidClientTokenId") {
return false, "", nil
} else {
return false, "", err
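Review bot: The 403 match in verifyCanary compares against lowercase `"status code: 403"`, while the sibling check in accesskey.go in this same commit expects `"StatusCode: 403"`; both files build their client through the same `config.LoadDefaultConfig`, so only one spelling can match the SDK's actual message, and if it is the capitalized form the branch `} else if strings.Contains(err.Error(), "status code: 403") || strings.Contains(err.Error(), "InvalidClientTokenId") {` only ever fires through the new InvalidClientTokenId half. Aligning the literal with accesskey.go, or matching on the typed error's code rather than its text, would make both verifiers classify a rejected key the same way. The first hunk also appears to swap the fixed `us-east-1` for a package-level `region` whose definition is not visible here; worth confirming it is initialized before verifyCanary can run. verifyCanary's body continues outside this hunk.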
