Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IamAwsProvider can't fetch ECS task role credentials #1108

Closed
cbutcosk opened this issue Nov 9, 2020 · 3 comments · Fixed by #1109
Closed

IamAwsProvider can't fetch ECS task role credentials #1108

cbutcosk opened this issue Nov 9, 2020 · 3 comments · Fixed by #1109

Comments

@cbutcosk
Copy link

cbutcosk commented Nov 9, 2020

In using the new credentials interface I noticed that although IamAwsProvider covers the EC2 metadata auth flow. But when I try to use it in an ECS task role the auth flow is getting tripped up here.

According to the AWS docs around IAM Task Roles the expected response from the container metadata endpoint lacks the Code property checked in that line:

{
    "AccessKeyId": "XXX",
    "Expiration": "2020-11-07T01:28:43Z",
    "RoleArn": "arn:aws:iam::XXX:role/role-name-here",
    "SecretAccessKey": "XXX",
    "Token": "XXX"
}
@balamurugana
Copy link
Member

@cbutcosk Could you confirm AWS_CONTAINER_CREDENTIALS_FULL_URI way to fetch credentials return same JSON structure?

balamurugana added a commit to balamurugana/minio-java that referenced this issue Nov 9, 2020
@balamurugana
Make code property check optional in IamAwsProvider
cb1f2fc 
Fixes minio#1108
@balamurugana balamurugana mentioned this issue Nov 9, 2020
Merged
@cbutcosk
Copy link
Author

cbutcosk commented Nov 9, 2020

@balamurugana Hm, good question--I actually can't reproduce an environment on my end that sets AWS_CONTAINER_CREDENTIALS_FULL_URI. Not sure if that is due to the deployment type I'm using or something.

That said the AWS SDK appears to use the same endpoint regardless of which environment variable is used to construct the URI since the entire refresh() method is in the superclass there.

@balamurugana
Copy link
Member

@cbutcosk No problem. I have made Code property check optional.

balamurugana added a commit to balamurugana/minio-java that referenced this issue Nov 10, 2020
@balamurugana
Make code property check optional in IamAwsProvider
68a56cf 
Fixes minio#1108
balamurugana added a commit that referenced this issue Nov 11, 2020
@balamurugana
Make code property check optional in IamAwsProvider (#1109)
d49172e 
Fixes #1108
@balamurugana balamurugana mentioned this issue Nov 23, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make code property check optional in IamAwsProvider balamurugana/minio-java
2 participants
@balamurugana @cbutcosk