sts PresignGetCallerIdentity - lack of customisation options #1137
Comments
It does allow for quite a bit of customization using middleware functions... for example... https://github.com/bluestealth/aws-iam-authenticator/blob/ff550b8c35816a14c256aa064973f6d710334692/pkg/token/token.go#L333-L348 That said a removeHeader function would be nice.
@bluestealth You are absolutely right! Have not seen that and failed to figure out how to wire code into the middleware stack. Thanks for the pointer!
One other issue with this function is that it no longer allows creating POST method presigned requests with a message body. This currently breaks vault iam-auth, since they do not support presigned GET calls. This can't really be worked around currently, since by design presigned requests now do not have a body.
Thanks for reaching out, @RafPe. Like @bluestealth mentioned, the SDK has helper utilities for customizing requests, such as adding additional headers. Though the SDK doesn't have any helper/option to directly specify headers to exclude from signing. With that said, an SDK presign operation call can be customized to accomplish all of this.
```go
package main

import (
	"context"
	"fmt"
	"log"
	"net/http"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sts"
	"github.com/aws/smithy-go/middleware"
	smithyhttp "github.com/aws/smithy-go/transport/http"
)

func main() {
	cfg, err := config.LoadDefaultConfig(context.TODO())
	if err != nil {
		log.Fatalf("failed to load config, %v", err)
	}

	presigner := sts.NewPresignClient(sts.NewFromConfig(cfg))
	p, err := presigner.PresignGetCallerIdentity(context.TODO(),
		&sts.GetCallerIdentityInput{},
		func(po *sts.PresignOptions) {
			po.ClientOptions = []func(*sts.Options){
				sts.WithAPIOptions(
					// Headers that should be signed should be included here.
					// Don't include headers that should NOT be signed.
					smithyhttp.AddHeaderValue("my-header", "value"),
					smithyhttp.AddHeaderValue("my-header-2", "value"),
					// Create custom serialization middleware for request to have POST method.
					func(s *middleware.Stack) error {
						return s.Serialize.Add(
							// Instead of using a closure, could move this to a standalone type
							// implementing the middleware.SerializeMiddleware interface
							// https://pkg.go.dev/github.com/aws/smithy-go/middleware#SerializeMiddleware
							middleware.SerializeMiddlewareFunc("use POST method",
								func(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
									out middleware.SerializeOutput, metadata middleware.Metadata, err error,
								) {
									// Extract the SDK's request value, and update HTTP method.
									r, ok := in.Request.(*smithyhttp.Request)
									if !ok {
										return out, metadata, fmt.Errorf("expect %T request, got %T", r, in.Request)
									}
									r.Method = "POST"
									return next.HandleSerialize(ctx, in)
								}),
							middleware.After,
						)
					},
				),
			}
		},
	)
	if err != nil {
		log.Fatalf("failed to get presign request, %v", err)
	}

	log.Println("Presigned request")
	log.Println("HTTP Method:", p.Method)
	log.Println("Signed Headers", p.SignedHeader)
	log.Println("URL", p.URL)

	// Add additional headers to the `http.Request` created from the p.URL, p.Method, p.SignedHeader
	req, err := http.NewRequest(p.Method, p.URL, nil)
	if err != nil {
		log.Fatalf("failed to create request, %v", err)
	}
	for k, vs := range p.SignedHeader {
		for _, v := range vs {
			req.Header.Add(k, v)
		}
	}
	// TODO Add custom headers that should not be signed to request.

	var httpClient http.Client
	resp, err := httpClient.Do(req)
	if err != nil {
		log.Fatalf("failed to send presigned request, %v", err)
	}
	// Close the response body so the underlying connection is released.
	defer resp.Body.Close()
	log.Println(resp.StatusCode)
}
```
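As an added example (not part of the thread and not SDK code), this Go check reads the `X-Amz-SignedHeaders` parameter of a presigned `GetCallerIdentity` URL to confirm that a header such as `x-k8s-aws-id` is covered by the signature and that `X-Amz-User-Agent` is not. The function name `checkPresigned` and the sample URL are constructed for illustration, and the check assumes the action and signing parameters are carried in the query string.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// checkPresigned reports an error unless the SigV4 presigned URL covers every
// header in mustSign and none in mustNotSign, judged by X-Amz-SignedHeaders.
// Hypothetical helper written for this example.
func checkPresigned(raw string, mustSign, mustNotSign []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("parse presigned URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not https", u.Scheme)
	}
	q := u.Query()
	if q.Get("Action") != "GetCallerIdentity" {
		return fmt.Errorf("unexpected Action %q", q.Get("Action"))
	}
	// SigV4 lists the signed header names lowercased and separated by ';'.
	signed := map[string]bool{}
	for _, h := range strings.Split(q.Get("X-Amz-SignedHeaders"), ";") {
		signed[strings.ToLower(h)] = true
	}
	for _, h := range mustSign {
		if !signed[strings.ToLower(h)] {
			return fmt.Errorf("header %q is not covered by the signature", h)
		}
	}
	for _, h := range mustNotSign {
		if signed[strings.ToLower(h)] {
			return fmt.Errorf("header %q is signed but should not be", h)
		}
	}
	return nil
}

// Constructed sample URL: the credential and signature are placeholders.
const sampleURL = "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15" +
	"&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20210101%2Fus-east-1%2Fsts%2Faws4_request" +
	"&X-Amz-Date=20210101T000000Z&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=0000"

func main() {
	fmt.Println(checkPresigned(sampleURL, []string{"x-k8s-aws-id"}, []string{"x-amz-user-agent"}))
}
```

A header added to the `http.Request` after presigning, as in the TODO above, never appears in `X-Amz-SignedHeaders`, so a receiver that relies on it being authenticated should reject the request.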
I can confirm that the info provided enabled me to successfully make presigned requests :) Thanks a lot!
Thanks for the update. Let us know if you run into any additional issues or have feedback!
Describe the bug
When calling `sts PresignGetCallerIdentity` I could not find how to customise the request so that specific headers would be additionally signed ( x-k8s-aws-id ) / certain Amazon headers would not be added to the request ( X-Amz-User-Agent )
Version of AWS SDK for Go?
Version of Go (`go version`)?
1.15.2
To Reproduce (observed behavior)
Which in turn produces
Expected behavior
I would expect an easy form to provide headers to be signed / headers to be not included in the signing process.
Additional context
Idea here was generating code to create EKS token value.