-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws/credential: Add credential_process provider #2217
Conversation
f112e0a
to
52b550b
Compare
|
acbf376
to
53a3ced
Compare
Looks like the build failure was an upstream golang.org/x/tool failure. Will restart tests. |
33d6234
to
f356986
Compare
Updated to work with #2210 (internal/ini: add support for ini parser). For what it's worth, locally
|
f356986
to
8ef2536
Compare
@jasdel @xibz |
8ef2536
to
f332ef1
Compare
@YakDriver thanks for letting us know about the build failure. We'll need to update the unit tests and code generation so that no test with x/tools dependency will be run. The SDK's core and client unit tests should all still be valid to run. |
@jasdel it looks like all the Linux/Darwin 1.9, 1.10, 1.11 tests for this PR are working fine. I've run the the PR tests on an EC2 windows instance also and they ran fine. Looking forward to a review when you get a chance. 😃 |
This would also be a workaround for #1993 so I'm also in support for getting this reviewed/merged. |
f332ef1
to
58d6152
Compare
Hello @YakDriver, thank you for taking the time to create this PR. We have reviewed this internally and there are some concerns we have. I've decided to pull this in and refactor some of this based on the concerns and ensure that we get this reviewed internally as well. I just wanted to let you know that we have looked at this and we have decided to only allow the credential process provider to be enabled via code and not the shared config. So, I'll go ahead and make those changes and if you have any questions or feedback, please let us know. |
Ugh. As a user, that's a major bummer. |
@lorengordon - Out of curiosity, why is this a major issue? Would it be difficult to not have a predefined location of said credential process, ie Reading the AWS CLI docs it explicitly states, WarningThe following describes a method of sourcing credentials from an external process. This can Found here. This is a major reason why we are potentially deciding this to only be allowed via code. |
The AWS Shared Config file is a common way for users of such applications to manage credentials for multiple accounts and multiple roles, in a way that, from a user's perspective, seems ought to work the same way across all applications, regardless of the backing AWS SDK. It would be great for that to work in a way that didn't require extra boilerplate in every application, and result in a lot of confusing issues for every application about why a particular credential method worked for some app "foo" but not some app "bar". Right now, it sucks that Golang apps handle AWS credentials differently than Javascript apps, differently than Ruby apps, differently than Python apps, etc, etc. I certainly get that there may be some delay in support for new methods, with Python seeming to lead the way here, but simply choosing not to support the same methods in common across all SDKs... well, that's just a terrible user experience. Amazon in the past had seemed to indicate we could expect this kind of parity across SDKs as the new way forward: We were just tackling one credential provider here, because we have a specific need for this provider in our environment, but the larger criticism is still valid. Without including support for loading the credential_process from the shared config, this contribution will likely end up being a waste of our time. That's a risk we take with all contributions to open source projects, but still, it stings. And I'm not looking forward to the maintenance tail of maintaining a fork just to build this in to open source apps we use. |
Yes. And yet, support for the option in the shared config is already baked in to the python and ruby SDKs. They nicely leave the option to the user, rather than trying to decide centrally for every user and use case. Edit: This is what I'm talking about with the inconsistent user experience. I shouldn't need to know that the AWS CLI is written in Python and is using botocore to load the Shared Config. Nor should I need to know that Terraform is written in Go, and using the AWS Go SDK to load the Shared Config. Do both SDKs support the same options? If not, is it a subset of options? Is it a totally different set of options? Is there a master list of the possible options somewhere? I shouldn't need to care about this. They should both just work. |
@lorengordon - Thank you for the feedback, and I want to let you know that we are not finalized on a decision as we want more feedback from users. However, some things to consider we want this to behave similarly to how the spec is defined internally. This is why we want to pull this down and make the changes. Also, having this only code enabled shouldn't be very different than how the other SDKs do it today. In addition, we aren't making a decision until we've received feedback from users and we have a meeting with a user tomorrow to ensure that we can implement this safe, secure, and easy to use. I believe we can achieve this and your feedback will help with that. Here's what we were thinking, cmd, err := processprovider.NewCommandFromConfig("/path/to/config", "profile")
if err != nil {
return err
}
p := processprovider.NewProcessProvider(cmd)
cfg := &aws.Config{
Credentials: credentials.NewCredential(p),
}
sess := session.Must(session.NewSession(cfg)) Please let us know if this will work for you |
I just want to echo @lorengordon's concerns. If you only allow this provider via code it's pretty much useless. The reason it's useless is as @lorengordon says that it won't bring feature parity between the SDKs which will require every applicationn developer to do custom credentials initialization depending on the environment where the application is running. The whole point of the credentials chain is to avoid this and make it "just work" no matter the environment (or which language the SDK is written for). I have been trying to argue the same thing in #1993 for months. Having this supported the same way as python, would "solve"/work around the problem stated in #1993 for the Go SDK. I have created a doc on the SDK support for solving #1933 https://github.com/mikkeloscar/kube-aws-iam-controller/blob/master/docs/sdk-configuration.md |
@xibz I'm failing to see how handling this only in code addresses the linked issues, at all. But I'm open to the idea that is a failing on my part and not a failing of what you're currently proposing. Here's a workflow I would consider a success:
Any workflow that requires applications in Step 2 to make further changes to their code, I would consider to be failing to address the linked issues. I'd even wonder why bother merging, since no one seems to be asking for the feature being considered. And really, if that ends up being the case, the linked issues should be unlinked so they are not closed. *There is probably an assumption here that the application is otherwise already creating the session correctly. |
|
Thanks for the additional feedback. Our biggest concerns about enabling this feature by default is that users may unknowingly be opening them applications up to exploits by the SDK executing arbitrary executables from the shared config file. This is the primary reason we are concerned about enabling this feature in the default credential chain automatically within an application. We understand the benefit of it should just work out of the box, enabling this feature automatically opens the application up to being exploited. There are a couple use cases where we think the automatic behavior could be exploited:
The following is the most obvious use case I immediately think of that combines these two vulnerabilities together. But, I have no doubt that there are others.
Because of these risks, we think that something in the user's application code needs to explicitly enable this feature, beyond the shared config file, is needed to prevent unexpected execution of arbitrary executables. We see the value and need being able to define a way to source credentials from an external process, but we do not think it is appropriate for an automatic default feature within the SDK. |
I don't dispute that there are risks. 🎃 😨 All features must face a risk/benefit determination. We just ask that a consistent risk/benefit determination be made across AWS CLI, Ruby, Python, and go. This PR follows a similar mitigation pattern to the other implementations. It will only use In fact, CLI/Ruby/Python/go sharing the same For example, here, a slipped in
The very precise configuration is akin to purposely enabling the feature. This PR's go implementation further mitigates beyond the botocore and Ruby implementations by providing a process timeout and a very limited |
4f4d144
to
de02e46
Compare
Thanks for working with us to create this PR, @YakDriver. The updates look good, and we'll be able to merge this PR in nearly next week after re:Invent. @xibz and I are not at re:Invent this year, though there are a few AWS SDK team members at the developer tools booth this year. |
Excellent news! We look forward to being among the first to use it. |
I'll race you! :) Awesome work, thanks! |
Fixes #1834
Continuation of #1874
How It Works
For example, you may have this configuration (this example uses awsprocesscreds for SAML integration):
Assuming the process returns a valid json like this example (but with valid credentials):
You could use it in your code like this:
You can also provide the process command programmatically without using a config file.
This Pull Request
This PR adds support for calling a
credential_process
and builds on the work of @micahhausler, taking into account review notes by @jasdel.Notable changes over #1874:
processcreds
provider from the default credential chaincredential_process
including a timeout and small buffer limit (in case of a hung process or a process producing much data) - limits are configurableprocesscreds
packageExpiration
of typeTime
exec.Command
fail rather than doing pre-checksstdout
andstderr
in outputtestify
Please let me know if you have additional review.
See related: