aws/credentials/stscreds: adding web identity role provider #2193
Conversation
| } | ||
|
|
||
| var emptyTokenFilePathErr = awserr.New(ErrCodeWebIdentityRetrievalErr, "'WebIdentityTokenFilePath' environment variable is empty", nil) | ||
| var emptyRoleARNErr = awserr.New(ErrCodeWebIdentityRetrievalErr, "'WebIdentityRoleARN' environment variable is empty", nil) |
There was a problem hiding this comment.
The error messages here are too specific, probably should be more generic since these are passed in values.
There was a problem hiding this comment.
Also Might be good to make the Error codes be InvalidParameter or something similar to differentiate between that and the API error failed.
|
|
||
| // NewWebIdentityCredentials will return a new set of credentials with a given | ||
| // configuration, role arn, and token file path. | ||
| func NewWebIdentityCredentials(c client.ConfigProvider, roleARN, path string) *credentials.Credentials { |
There was a problem hiding this comment.
nit path would be better as tokenFilePath
|
|
||
| // NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider with the | ||
| // provided stsiface.STSAPI | ||
| func NewWebIdentityRoleProvider(svc stsiface.STSAPI, roleARN, path string) *WebIdentityRoleProvider { |
There was a problem hiding this comment.
nit path would be better as tokenFilePath
|
|
||
| // session name is used to uniquely identify a session. This simply | ||
| // uses unix time in nanoseconds to uniquely identify sessions. | ||
| sessionName := strconv.FormatInt(now().UTC().UnixNano(), 10) |
There was a problem hiding this comment.
This is probably pretty unique, but not sure if it will be unique enough. Since field is required, might need more specific value, and optionally allow user provided.
There was a problem hiding this comment.
This is similar to what the CLI does. Would the overhead of adding the hostname (which would be fairly unique for Kubernetes pods) be too much? Could that be done once initially?
| return credentials.Value{}, awserr.New(ErrCodeWebIdentityRetrievalErr, "failed to retrieve credentials", err) | ||
| } | ||
|
|
||
| p.SetExpiration(aws.TimeValue(resp.Credentials.Expiration), p.ExpiryWindow) |
There was a problem hiding this comment.
Is it possible for the Expiration to be nil? If so these credentials will expire immediately since the TimeValue will be zero time. If no Expiration is a valid use case might need to only SetExpiration if Expiration isn't nil.
There was a problem hiding this comment.
This should never be nil, an assumed role credential will always have an expiration and a token. https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
|
|
||
| value := credentials.Value{ | ||
| AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId), | ||
| SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey), |
There was a problem hiding this comment.
Probably want to set the SessionToken value as well incase the AssumeRoleWithWebIdentity call returns it.
There was a problem hiding this comment.
As stated above, a SessionToken is a required field and should be added
aws/session/session.go
Outdated
| @@ -440,6 +440,15 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share | |||
| cfg.Credentials = credentials.NewStaticCredentialsFromCreds( | |||
| envCfg.Creds, | |||
| ) | |||
|
|
|||
| } else if len(envCfg.WebIdentityTokenFilePath) > 0 { | |||
There was a problem hiding this comment.
Should this also validate that the RoleArn env var is provided, or just let the creds fail?
There was a problem hiding this comment.
The role ARN is a required field, I'd say it should be required to use this provider
There was a problem hiding this comment.
This will return an error, if role ARN is empty, when Retrieve is called. I figure it'd be best to add it to the credential chain and if it is empty return an error signaling an issue back to the user rather than ignoring it silently.
There was a problem hiding this comment.
I am okay with changing it to behaving the other way, if it seems more preferable.
There was a problem hiding this comment.
How about this, return an error if only one is set at the session create level rather than at the credential retrieval. That way it fails quickly and let's the user know that they have misconfigured the application
There was a problem hiding this comment.
Ah ok that makes sense. I like an error being reported if only one is present
| value := credentials.Value{ | ||
| AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId), | ||
| SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey), | ||
| SessionToken: aws.StringValue(resp.Credentials.SessionToken), |
There was a problem hiding this comment.
Should you add the Value.ProviderName to the credentials?
|
When this change is accepted, the web identity should be added as a valid value to |
|
Replacing this PR with, #2667 |
This update allows for OIDC token files to be used by specifying the token path on
AWS_WEB_IDENTITY_TOKEN_FILE. In addition, the role ARN must be set viaAWS_IAM_ROLE_ARN