fix: aws iam external identities region #693
- Select the appropriate AWS IAM identity region based on the STS endpoint when multiple identities exist.
- Improved error handling for cases with no attached AWS IAM identity.
- Changed the docstring to clarify that the function returns the first available identity instead of the first non-deleted identity.
- Refined the condition for matching AWS IAM identity by ensuring both the request host and header host are correctly validated, improving the accuracy of identity selection.
…host Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Pull request overview
This PR fixes AWS IAM authentication to correctly resolve region-specific identities when multiple AWS IAM identities are attached to a single service account. Instead of always using the first identity, the system now matches identities based on the STS endpoint hostname from the signed request.
Key Changes:
- Added multi-identity selection logic that matches based on STS endpoint host
- Introduced get_normalized_host() utility function for consistent URL hostname extraction
- Removed dependency on resolve_attached_identity() helper in favor of inline filtering
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| backend/api/views/identities/aws/iam.py | Added get_normalized_host() function and multi-identity selection logic to match identities by STS endpoint host when multiple AWS IAM identities exist |
| backend/api/utils/identity/common.py | Updated docstring for resolve_attached_identity() to clarify it returns first available identity (documentation-only change) |
…host Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
…idation checks Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
🔍 Overview
Fix AWS region handling for Service Accounts with multiple External Identities.
Addresses: #692
💡 Proposed Changes
✨ How to Test the Changes Locally
Attach multiple external identities to a service account (different regions, trusted principals). Try:
Note
Selects AWS IAM identity by STS endpoint host when multiple are attached, adding host normalization utility.
Backend – AWS IAM auth (backend/api/views/identities/aws/iam.py):
- Selects the aws_iam identity by matching the request’s STS endpoint host to the identity’s config.stsEndpoint when multiple identities exist (falls back to first).
- Adds get_normalized_host to robustly extract/normalize hosts from URLs.
Utilities:
- Updates the docstring of resolve_attached_identity (no functional change).
Written by Cursor Bugbot for commit c760317. This will update automatically on new commits.
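The selection logic that the Copilot overview and the Bugbot note describe (normalize the STS endpoint host, check that the signed request's URL host and Host header agree, then pick the attached identity whose config.stsEndpoint matches, falling back to the first one) can be illustrated with the following stand-alone example. This is an added illustration written for this page, not the project's code from backend/api/views/identities/aws/iam.py: the function names, the dict-shaped identity records and the constructed sample identities are assumptions, and the exception class is hypothetical.

```python
from typing import Any, Dict, List, Optional
from urllib.parse import urlsplit


class IdentityNotAttachedError(Exception):
    """Hypothetical error for a service account with no AWS IAM identity."""


def get_normalized_host(url: Optional[str]) -> Optional[str]:
    """Return the lower-cased hostname of a URL or bare host string.

    Strips scheme, userinfo, port, path and a trailing dot so that
    'https://STS.eu-west-1.amazonaws.com:443/' and 'sts.eu-west-1.amazonaws.com.'
    compare equal. Returns None when no usable host can be extracted.
    """
    if not url:
        return None
    candidate = url.strip()
    # urlsplit only fills netloc when a scheme is present, so add one for bare hosts
    if "://" not in candidate:
        candidate = "https://" + candidate
    try:
        host = urlsplit(candidate).hostname  # lower-cases and drops port/userinfo
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if not host:
        return None
    return host.rstrip(".")


def select_aws_iam_identity(
    identities: List[Dict[str, Any]], request_url: str, host_header: Optional[str]
) -> Dict[str, Any]:
    """Pick the attached identity whose STS endpoint host matches the signed request.

    identities: records shaped like {"id": ..., "config": {"stsEndpoint": ...}} (assumed shape).
    request_url: the URL the client signed its GetCallerIdentity request against.
    host_header: the Host header the client included in the signed headers.
    """
    if not identities:
        raise IdentityNotAttachedError("no AWS IAM identity attached to service account")

    request_host = get_normalized_host(request_url)
    header_host = get_normalized_host(host_header)
    # Both hosts must be present and agree; a disagreement means the request
    # was not signed for the endpoint it claims, so it is rejected outright.
    if request_host is None or header_host is None or request_host != header_host:
        raise ValueError("request URL host and Host header are missing or do not match")

    if len(identities) == 1:
        return identities[0]

    for identity in identities:
        endpoint = identity.get("config", {}).get("stsEndpoint")
        if get_normalized_host(endpoint) == request_host:
            return identity

    # Fallback to the first identity, mirroring the behaviour the page describes.
    return identities[0]


# Constructed sample data (not real identities)
SAMPLE_IDENTITIES = [
    {"id": "iam-us-east-1", "config": {"stsEndpoint": "https://sts.us-east-1.amazonaws.com"}},
    {"id": "iam-eu-west-1", "config": {"stsEndpoint": "https://sts.eu-west-1.amazonaws.com/"}},
]

if __name__ == "__main__":
    chosen = select_aws_iam_identity(
        SAMPLE_IDENTITIES,
        "https://STS.eu-west-1.amazonaws.com:443/",
        "sts.eu-west-1.amazonaws.com",
    )
    print(chosen["id"])
```

The host comparison is done on normalized values on both sides, so a differently cased or port-qualified stsEndpoint stored in the identity config still matches. Note that the fallback to the first identity when nothing matches is the page's stated behaviour; a deployment that wants region pinning to be strict would raise there instead.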