fix default credential chain not respecting endpoint URL overrides #3873
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
awslabs/aws-sdk-rust#1193
Description
This PR fixes a customer reported bug where the default chain doesn't respect
AWS_ENDPOINT_URL
/AWS_ENDPOINT_URL_<SERVICE>
environment variables or the equivalents in AWS shared config (~/.aws/config
).This fix is a little nuanced and frankly gross but there isn't a better option that I can see right now that isn't way more invasive. The crux of the issue is that when we implemented support for this feature (1, 2, 3) we really only made it work for clients created via
ConfigLoader::load()
. Internally the default chain credential provider constructsSTS
andSSO
clients but it does so usingProviderConfig
by mapping this toSdkConfig
viaProviderConfig::client_config()
. This conversion is used in several places and it doesn't take any of the required logic into account to setupEnvServiceConfig
which is what generated SDK's ultimately use to figure out the endpoint URL from either environment/profile (example client which ultimately ends up inEnvServiceConfig
here).The fix applied here is nuanced in that we update the conversion to provide a
EnvServiceConfig
but it relies on the profile to have been parsed already or else you'll get an empty/default profile. This generally works for the profile provider since the first thing we do is load the profile but in isolation it may not work as expected. I've added tests for STS to cover all cases but SSO credentials and token providers do NOT currently respect shared config endpoint URL keys. Fixing this is possible but involved since we require anasync
context to ensure a profile is loaded already and in many places where we constructSdkConfig
fromProviderConfig
we are in non async function.Testing
Tested repro + additional integration tests
Future
This does not fix awslabs/aws-sdk-rust#1194 which was discovered as a bug/gap. Fixing it would be outside the scope of this PR.
SSO/token provider is instantiated sometimes before we have parsed a profile. This PR definitely fixes the STS provider for all configuration scenarios but the SSO related client usage may still have some edge cases when configured via profiles since we often instantiate them before parsing a profile. When we surveyed other SDKs there were several that failed to respect these variables and haven't received issues around this which leads me to believe this isn't likely a problem in practice (most likely due to SSO being used in local development most often where redirecting that endpoint doesn't make much sense anyway).
Checklist
.changelog
directory, specifying "aws-sdk-rust" in theapplies_to
key.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.