No way to make anonymous API call #206

Closed
garnaat opened this issue Jan 13, 2014 · 4 comments · Fixed by #215

Comments


garnaat commented Jan 13, 2014

STS calls like AssumeRoleWithSAML and AssumeRoleWithWebIdentity either require or allow anonymous calls. We need to provide a way to support these types of calls in botocore, similar to what we did for boto.


garnaat commented Jan 13, 2014

It's not clear what is the best approach to solve this.

One solution would be to remove the current restriction that if a service has a signature_version attribute then that means that credentials are required. We could allow the call to proceed rather than raising a NoCredentialsError and then have _get_auth() simply return a None if no credentials are found. Then the call would proceed and, since the auth attribute of the endpoint was None, prepare_request would not attempt to add auth to the request.

Does that seem reasonable?


jamesls commented Jan 13, 2014

What would that do for the error messages in the case where a user is missing credentials and they actually need them?

I was going to suggest that we annotate our model to have per-operation signature version overrides (and set AssumeRoleWithSAML/AssumeRoleWithWebIdentity to have a signature_version of null or unsigned or something). But I think part of the issue is that the auth is tied to an endpoint, which doesn't know about the operation (since it's typically created off of a Service object). So even if we hook into before-call and switch out the auth handler in the Operation class (which seems doable I think), I'm not sure how well that will play with the fact that endpoints can be shared across operations.


garnaat commented Jan 13, 2014

Yeah, annotating the model for these operations was my first thought but, as you say, we are currently raising the NoCredentialsError when we are creating the endpoint and we don't know what operation will be called.

We could modify my approach and only allow the request to be made with no credentials if the operation is actually annotated appropriately. If not, we could raise the NoCredentialsError at that point.
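The approach discussed above (a per-operation signature_version override, with the credentials check deferred until the operation is known) can be sketched as follows. This is an added example, not code from botocore or from the commenters; the `Service`, `Operation`, `UNSIGNED` and `resolve_auth` names are hypothetical, and the choice to never sign an operation annotated as unsigned is an assumption of the sketch.

```python
# Illustrative sketch only: hypothetical classes, not botocore's API.
from dataclasses import dataclass
from typing import Optional, Tuple

UNSIGNED = "unsigned"  # hypothetical marker for operations that are called anonymously


class NoCredentialsError(Exception):
    """Raised when a signed operation is called without credentials."""


@dataclass(frozen=True)
class Operation:
    name: str
    # None means "inherit the service default"; UNSIGNED means "do not sign".
    signature_version: Optional[str] = None


@dataclass
class Service:
    signature_version: str  # service-wide default, e.g. "v4"

    def resolve_auth(self, operation: Operation,
                     credentials: Optional[Tuple[str, str]]) -> Optional[str]:
        """Return the signer to use, or None for an anonymous request.

        The check runs per operation, not at endpoint creation, so a
        missing-credentials error is still raised for every operation
        that has not been explicitly annotated as unsigned.
        """
        effective = operation.signature_version or self.signature_version
        if effective == UNSIGNED:
            # Assumption of this sketch: annotated operations are never
            # signed, so long-term keys are not attached to them.
            return None
        if credentials is None:
            # Fail closed: no silent downgrade to an anonymous call.
            raise NoCredentialsError(f"{operation.name} requires credentials")
        return effective


if __name__ == "__main__":
    sts = Service(signature_version="v4")
    web_identity = Operation("AssumeRoleWithWebIdentity", signature_version=UNSIGNED)
    assume_role = Operation("AssumeRole")
    print(sts.resolve_auth(web_identity, None))  # anonymous call allowed
    try:
        sts.resolve_auth(assume_role, None)
    except NoCredentialsError as exc:
        print("error:", exc)
```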

garnaat added a commit to garnaat/botocore that referenced this issue Jan 14, 2014
garnaat added a commit to garnaat/botocore that referenced this issue Jan 16, 2014
garnaat added a commit to garnaat/botocore that referenced this issue Jan 16, 2014
jamesls added a commit that referenced this issue Jan 23, 2014
* release-0.31.0: (22 commits)
  Bumping version to 0.31.0
  Remove debug logging message.
  Fix reference to no_auth.
  Allow for operations within a service to override the signature_version.  Fixes #206.  Supersedes #208
  Fix setting socket timeout in py3
  Add response parsing tests for S3 GetBucketLocation
  Expose output parameters matching root XML node, fix GetBucketLocation
  Use unittest2 on python2.6
  Detect incomplete reads (content length mismatch)
  Simplifying code and fixing test to use unicode constant.
  Fixing an issue that came up while fixing aws/aws-cli#593.
  Fixing an issue that came up while fixing aws/aws-cli#593.
  Fix elastictranscoder service
  Add default param to get_config_variable
  Add session config vars for metadata retry/timeouts
  Add support for per session config vars
  Rename get_variable to get_config_variable
  Rename env vars to session vars
  Move module vars into session class vars
  Update elasticache model to the latest version
  ...
@philarmour

This fix appears to no longer be a part of botocore after the refactor (~0.66.0). Is this something that needs a new issue or can we re-open this one?
