Fix credentials issue with ECS-A Windows
Credentials were not being rotated properly on ECS-A Windows instances.
This patch addresses the issue by using the correct file-paths for
credentials on supported platforms. The credential chain hierarchy is
also updated on ECS-A Windows to ensure that the credential chain is not
broken for other launch types.

Signed-off-by: Siddharth Vinothkumar <sidvin@amazon.com>
vsiddharth committed Apr 21, 2022
1 parent 5ece05b commit 8ec70ad
Showing 6 changed files with 86 additions and 5 deletions.
21 changes: 20 additions & 1 deletion agent/credentials/instancecreds/instancecreds.go
Expand Up @@ -14,6 +14,7 @@
package instancecreds

import (
"os"
"sync"

"github.com/aws/amazon-ecs-agent/agent/credentials/providers"
Expand All @@ -38,7 +39,25 @@ func GetCredentials() *credentials.Credentials {
mu.Lock()
if credentialChain == nil {
credProviders := defaults.CredProviders(defaults.Config(), defaults.Handlers())
credProviders = append(credProviders, providers.NewRotatingSharedCredentialsProvider())
/*
The default credential chain provided by the SDK includes:
* EnvProvider
* SharedCredentialsProvider
* RemoteCredProvider
In the case of ECS-A on Windows, the `SharedCredentialsProvider` takes
precedence over the `RotatingSharedCredentialsProvider` and this results
in the credentials not being refreshed. To mitigate this issue, we will
use the environment variable `ECS_EXTERNAL` to reorder the credential
chain and ensure that `RotatingSharedCredentialsProvider` takes precedence
over the `SharedCredentialsProvider`.
*/
if _, ok := os.LookupEnv("ECS_EXTERNAL"); ok {
credProviders = append(credProviders[:1], append([]credentials.Provider{providers.NewRotatingSharedCredentialsProvider()}, credProviders[1:]...)...)
} else {
credProviders = append(credProviders, providers.NewRotatingSharedCredentialsProvider())
}
credentialChain = credentials.NewCredentials(&credentials.ChainProvider{
VerboseErrors: false,
Providers: credProviders,
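Review bot: The reorder in the `ECS_EXTERNAL` branch, `credProviders[:1]` spliced with `credProviders[1:]`, hard-codes that the SDK's default chain has `EnvProvider` at index 0 and `SharedCredentialsProvider` at index 1, and it panics with an index out of range if `defaults.CredProviders` ever returns an empty slice; the comment block above records the order but nothing in the code checks it. Inserting the rotating provider immediately ahead of whichever element is the `*credentials.SharedCredentialsProvider` keeps the intended precedence without depending on SDK ordering, and reads more plainly than the nested append. Note also that `os.LookupEnv` keys on presence only, so `ECS_EXTERNAL=false` would still take this branch; if the agent's config layer already parses that variable as a boolean, reusing that parse would be safer than a second ad-hoc read. GetCredentials begins before and continues past this hunk.
```go
rotating := providers.NewRotatingSharedCredentialsProvider()
if _, ok := os.LookupEnv("ECS_EXTERNAL"); ok {
	// Put the rotating provider directly ahead of the SDK's
	// SharedCredentialsProvider wherever it sits in the default chain;
	// if it is absent, fall back to appending at the end.
	at := len(credProviders)
	for i, p := range credProviders {
		if _, isShared := p.(*credentials.SharedCredentialsProvider); isShared {
			at = i
			break
		}
	}
	reordered := make([]credentials.Provider, 0, len(credProviders)+1)
	reordered = append(reordered, credProviders[:at]...)
	reordered = append(reordered, rotating)
	reordered = append(reordered, credProviders[at:]...)
	credProviders = reordered
} else {
	credProviders = append(credProviders, rotating)
}
// … unchanged: credentials.NewCredentials(&credentials.ChainProvider{...}) …
```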
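--- a/agent/credentials/providers/credentials_filename_linux.go
+++ b/agent/credentials/providers/credentials_filename_linux.go
@@ -0,0 +1,22 @@
+//go:build linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package providers
+
+const (
+// defaultRotatingCredentialsFilename is the default location of the credentials file
+// for RotatingSharedCredentialsProvider.
+defaultRotatingCredentialsFilename = "/rotatingcreds/credentials"
+)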
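--- a/agent/credentials/providers/credentials_filename_unsupported.go
+++ b/agent/credentials/providers/credentials_filename_unsupported.go
@@ -0,0 +1,22 @@
+//go:build !windows && !linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package providers
+
+const (
+// defaultRotatingCredentialsFilename is the default location of the credentials file
+// for RotatingSharedCredentialsProvider.
+defaultRotatingCredentialsFilename = "/unsupported/file_path/file_name"
+)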
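Review bot: The placeholder `/unsupported/file_path/file_name` is a well-formed absolute path, so on a build that is neither Linux nor Windows the provider is constructed normally and nothing signals that the platform is unsupported until the credentials file cannot be opened at retrieve time. The doc comment copies the Linux wording ("the default location of the credentials file"), which is misleading here; it should state the intent, e.g. `// defaultRotatingCredentialsFilename is deliberately a non-existent path: rotating shared credentials are not supported on this platform, so retrieval is expected to fail.` Whether callers rely on that failure rather than an explicit unsupported-platform error is not visible in this commit and worth confirming.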
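--- a/agent/credentials/providers/credentials_filename_windows.go
+++ b/agent/credentials/providers/credentials_filename_windows.go
@@ -0,0 +1,20 @@
+//go:build windows
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package providers
+
+// defaultRotatingCredentialsFilename is the default location of the credentials file
+// for RotatingSharedCredentialsProvider.
+const defaultRotatingCredentialsFilename = "C:\\Windows\\System32\\config\\systemprofile\\.aws\\credentials"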
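Review bot: The constant hard-codes the `C:` drive and the `\Windows` directory, so on a host whose system root is elsewhere the rotating provider points at a file that does not exist and credential rotation silently stops working. A `const` cannot be computed, but the path could be derived where the provider is built, e.g. `filepath.Join(os.Getenv("SystemRoot"), "System32", "config", "systemprofile", ".aws", "credentials")` with this constant kept as the documented fallback when the variable is unset. The doc comment should also say why the SYSTEM account's profile directory is the chosen location — presumably because the agent service runs under that account, which is not visible in this commit and should be confirmed before it is written down.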
Expand Up @@ -24,8 +24,6 @@ import (
const (
// defaultRotationInterval is how frequently to expire and re-retrieve the credentials from file.
defaultRotationInterval = time.Minute
// defaultFilename is the default location of the credentials file within the container.
defaultFilename = "/rotatingcreds/credentials"
// RotatingSharedCredentialsProviderName is the name of this provider
RotatingSharedCredentialsProviderName = "RotatingSharedCredentialsProvider"
)
Expand All @@ -46,7 +44,7 @@ func NewRotatingSharedCredentialsProvider() *RotatingSharedCredentialsProvider {
return &RotatingSharedCredentialsProvider{
RotationInterval: defaultRotationInterval,
sharedCredentialsProvider: &credentials.SharedCredentialsProvider{
Filename: defaultFilename,
Filename: defaultRotatingCredentialsFilename,
Profile: "default",
},
}
Expand Up @@ -29,7 +29,7 @@ func TestNewRotatingSharedCredentialsProvider(t *testing.T) {
p := NewRotatingSharedCredentialsProvider()
require.Equal(t, time.Minute, p.RotationInterval)
require.Equal(t, "default", p.sharedCredentialsProvider.Profile)
require.Equal(t, "/rotatingcreds/credentials", p.sharedCredentialsProvider.Filename)
require.Equal(t, defaultRotatingCredentialsFilename, p.sharedCredentialsProvider.Filename)
}

func TestRotatingSharedCredentialsProvider_RetrieveFail_BadPath(t *testing.T) {
