From 37c8c1de9bcc9c936515ac09626ed85a38ad3e49 Mon Sep 17 00:00:00 2001
From: Theodore Tsirpanis
Date: Fri, 20 Sep 2024 02:07:27 +0300
Subject: [PATCH 1/4] Support passing `ClientConfiguration` to web identity credentials provider.

---
 .../include/aws/core/auth/STSCredentialsProvider.h | 2 +-
 .../source/auth/STSCredentialsProvider.cpp | 13 +++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h b/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
index 720006592c9..1921fac4b12 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
@@ -25,7 +25,7 @@ namespace Aws
 class AWS_CORE_API STSAssumeRoleWebIdentityCredentialsProvider : public AWSCredentialsProvider
 {
 public:
- STSAssumeRoleWebIdentityCredentialsProvider();
+ STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config = {});
 
 /**
 * Retrieves the credentials if found, otherwise returns empty credential set.
diff --git a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
index 7747d86951c..db4609ee55b 100644
--- a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
+++ b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
@@ -32,7 +32,7 @@ using Aws::Utils::Threading::WriterLockGuard;
 static const char STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG[] = "STSAssumeRoleWithWebIdentityCredentialsProvider";
 static const int STS_CREDENTIAL_PROVIDER_EXPIRATION_GRACE_PERIOD = 5 * 1000;
 
-STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider() :
+STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config) :
 m_initialized(false)
 {
 // check environment variables
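Review bot: The new single-argument constructor `STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config = {});` in the header hunk is not `explicit`, so any call site taking an `STSAssumeRoleWebIdentityCredentialsProvider` (or a reference to it) now silently accepts a plain `ClientConfiguration` via implicit conversion. The same applies to the patch-4 rewrite of this line (`@@ -25,7 +25,7 @@` in the last commit), which keeps the non-explicit form. I would write `explicit STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config = {});`, which still leaves the class default-constructible for existing callers.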
@@ -97,15 +97,16 @@ STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentials
 AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved session_name from profile_config or environment variable to be " << m_sessionName);
 }
 
- Aws::Client::ClientConfiguration config;
 config.scheme = Aws::Http::Scheme::HTTPS;
 config.region = tmpRegion;
 
- Aws::Vector retryableErrors;
- retryableErrors.push_back("IDPCommunicationError");
- retryableErrors.push_back("InvalidIdentityToken");
+ if (config.retryStrategy == nullptr) {
+ Aws::Vector retryableErrors;
+ retryableErrors.push_back("IDPCommunicationError");
+ retryableErrors.push_back("InvalidIdentityToken");
 
- config.retryStrategy = Aws::MakeShared(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, retryableErrors, 3/*maxRetries*/);
+ config.retryStrategy = Aws::MakeShared(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, retryableErrors, 3/*maxRetries*/);
+ }
 
 m_client = Aws::MakeUnique(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, config);
 m_initialized = true;
From ad8df6a49196d8bf06a588d7c79b3725c15265ed Mon Sep 17 00:00:00 2001
From: Theodore Tsirpanis
Date: Fri, 20 Sep 2024 02:13:53 +0300
Subject: [PATCH 2/4] Use the region specified in the client config.

---
 .../source/auth/STSCredentialsProvider.cpp | 18 +----------------
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
index db4609ee55b..f1cb5ad72c4 100644
--- a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
+++ b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
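Review bot: The `if (config.retryStrategy == nullptr)` guard installs the provider's `IDPCommunicationError`/`InvalidIdentityToken` retry strategy only when the caller's config carries none, which is a behaviour change for the no-argument case: if `ClientConfiguration`'s default constructor already populates `retryStrategy` (not visible in this hunk, but the removed local `config` previously had its strategy set unconditionally), a default-constructed provider never takes this branch and silently loses the web-identity-specific retries. I would cover this with a test that constructs the provider with no argument and checks the installed strategy type, and if the default config does populate the field, distinguish "caller supplied a config" from "default argument" (a second overload, for instance) rather than keying on `nullptr`. Separately, `config.scheme = Aws::Http::Scheme::HTTPS;` now overwrites a caller-supplied scheme without explanation; a why-comment such as `// Always HTTPS regardless of the caller's scheme: the web identity token is presumably sent to STS in this call` makes the override read as deliberate. The constructor this hunk belongs to starts before the hunk.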
@@ -36,20 +36,14 @@ STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentials
 m_initialized(false)
 {
 // check environment variables
- Aws::String tmpRegion = Aws::Environment::GetEnv("AWS_DEFAULT_REGION");
 m_roleArn = Aws::Environment::GetEnv("AWS_ROLE_ARN");
 m_tokenFile = Aws::Environment::GetEnv("AWS_WEB_IDENTITY_TOKEN_FILE");
 m_sessionName = Aws::Environment::GetEnv("AWS_ROLE_SESSION_NAME");
 
 // check profile_config if either m_roleArn or m_tokenFile is not loaded from environment variable
- // region source is not enforced, but we need it to construct sts endpoint, if we can't find from environment, we should check if it's set in config file.
- if (m_roleArn.empty() || m_tokenFile.empty() || tmpRegion.empty())
+ if (m_roleArn.empty() || m_tokenFile.empty())
 {
 auto profile = Aws::Config::GetCachedConfigProfile(Aws::Auth::GetConfigProfileName());
- if (tmpRegion.empty())
- {
- tmpRegion = profile.GetRegion();
- }
 // If either of these two were not found from environment, use whatever found for all three in config file
 if (m_roleArn.empty() || m_tokenFile.empty())
 {
@@ -79,15 +73,6 @@ STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentials
 AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved role_arn from profile_config or environment variable to be " << m_roleArn);
 }
 
- if (tmpRegion.empty())
- {
- tmpRegion = Aws::Region::US_EAST_1;
- }
- else
- {
- AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved region from profile_config or environment variable to be " << tmpRegion);
- }
-
 if (m_sessionName.empty())
 {
 m_sessionName = Aws::Utils::UUID::PseudoRandomUUID();
@@ -98,7 +83,6 @@ STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentials
 }
 
 config.scheme = Aws::Http::Scheme::HTTPS;
- config.region = tmpRegion;
 
 if (config.retryStrategy == nullptr) {
 Aws::Vector retryableErrors;
From 9fcd76022ed96e5bb3b849606010edfc4dd06784 Mon Sep 17 00:00:00 2001
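Review bot: With the `AWS_DEFAULT_REGION`/profile lookup removed in `@@ -36,20 +36,14 @@`, the `Aws::Region::US_EAST_1` fallback removed in `@@ -79,15 +73,6 @@`, and `config.region = tmpRegion;` removed in `@@ -98,7 +83,6 @@`, the STS endpoint's region now comes solely from `config.region`, and nothing in these hunks shows whether a default-constructed `ClientConfiguration` fills it from the environment or profile; if it can be left empty, the provider now builds its STS client with no region where the old code fell back to us-east-1. The removed debug line was also the only log of which region the credential call is sent to, which matters when diagnosing a failed assume-role; I would keep an equivalent before `m_client` is built, e.g. `AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Using region " << config.region << " for the STS client");`. The constructor these hunks belong to starts and ends outside them.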
From: Theodore Tsirpanis
Date: Thu, 10 Oct 2024 13:45:19 +0300
Subject: [PATCH 3/4] Construct retryable errors vector in-place.

---
 src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
index f1cb5ad72c4..f58f492a58b 100644
--- a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
+++ b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
@@ -85,11 +85,9 @@ STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentials
 config.scheme = Aws::Http::Scheme::HTTPS;
 
 if (config.retryStrategy == nullptr) {
- Aws::Vector retryableErrors;
- retryableErrors.push_back("IDPCommunicationError");
- retryableErrors.push_back("InvalidIdentityToken");
+ Aws::Vector retryableErrors{ "IDPCommunicationError", "InvalidIdentityToken" };
 
- config.retryStrategy = Aws::MakeShared(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, retryableErrors, 3/*maxRetries*/);
+ config.retryStrategy = Aws::MakeShared(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, std::move(retryableErrors), 3/*maxRetries*/);
 }
 
 m_client = Aws::MakeUnique(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, config);
From 20bd62fdd197d1891d1e5efba90be4da9ce3b3d9 Mon Sep 17 00:00:00 2001
From: Theodore Tsirpanis
Date: Thu, 21 Nov 2024 01:06:44 +0200
Subject: [PATCH 4/4] Address PR feedback.

---
 .../include/aws/core/auth/STSCredentialsProvider.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h b/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
index 1921fac4b12..83d40cd4993 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
@@ -25,7 +25,7 @@ namespace Aws
 class AWS_CORE_API STSAssumeRoleWebIdentityCredentialsProvider : public AWSCredentialsProvider
 {
 public:
- STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config = {});
+ STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config = {Aws::Client::ClientConfigurationInitValues{true}});
 
 /**
 * Retrieves the credentials if found, otherwise returns empty credential set.
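Review bot: The new default `{Aws::Client::ClientConfigurationInitValues{true}}` passes a bare positional `true` whose meaning cannot be read from the declaration, and the `config` parameter still has no doc comment anywhere in the header hunk. I would name the member that `true` sets at the call site (`/* <init-value field> = */ true` with the actual field name, or a named initializer if that struct supports one) and add a Doxygen block above the constructor stating that `config` is used for the internal STS client, that the default differs from a plain `ClientConfiguration{}` and in what respect, and that the provider forces `scheme` to HTTPS and keeps a caller-supplied `retryStrategy` (both visible in the .cpp hunks of this series). Without that, a caller has no way to know which of their settings survive construction.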