Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(services/s3): environment/config role_arn ignored #4178 #4182

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(services/s3): environment/config role_arn ignored #4178 #4182

wants to merge 1 commit into from

Conversation

ZachNo
Copy link

@ZachNo ZachNo commented Feb 14, 2024

Fixes #4178, which is a bug where the role_arn set by environment variables or config file is ignored for role assumption.

@ZachNo ZachNo requested a review from Xuanwo as a code owner February 14, 2024 15:31
@github-actions github-actions bot requested review from ClSlaid and oowl February 14, 2024 15:31
@Xuanwo
Copy link
Member

Xuanwo commented Feb 14, 2024

I remembered that it's by design that role_arn not loaded from env and config because of the different between AssumeRoleArn and AssumeRoleArnWithWebIdentityToken.

Cc @everpcpc do you have comments on this change?

@ZachNo
Copy link
Author

ZachNo commented Feb 14, 2024
edited
Loading

Current behavior of AWS_ROLE_ARN envar for AWS CLI does currently only support WebIdentityToken roles (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html skip to AWS_ROLE_ARN)

However role_arn from a config file does support normal assumable roles, so if we want to mimic AWS CLI behavior, it needs to be different between env and config loading.

@Xuanwo
Copy link
Member

Xuanwo commented Feb 14, 2024

However role_arn from a config file does support normal assumable roles, so if we want to mimic AWS CLI behavior, it needs to be different between env and config loading.

I'm guessing this is another issue that reqsign doesn't support source_credential yet.

@everpcpc
Copy link
Contributor

But source_credential is already supported by reqsign?

@Xuanwo
Copy link
Member

Xuanwo commented Feb 18, 2024
edited
Loading

But source_credential is already supported by reqsign?

We only accept source_credential in AssumeRoleLoader. This doesn't work while user have config like:

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1

or

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata

@everpcpc
Copy link
Contributor

Maybe we could handle like this:
https://github.com/boto/botocore/blob/7fd4057baac5298fbf594980f618a57dd51b71ad/botocore/credentials.py#L1485

@Xuanwo
Copy link
Member

Xuanwo commented Feb 18, 2024

Maybe we could handle like this: boto/botocore@7fd4057/botocore/credentials.py#L1485

Agreed. It's reqsign side work, let's migrate to there instead.

@tisonkun
Copy link
Member

tisonkun commented Oct 8, 2024

@Xuanwo is this one supported in reqsign and opendal upgrade to that version?

@Xuanwo
Copy link
Member

Xuanwo commented Oct 8, 2024

@Xuanwo is this one supported in reqsign and opendal upgrade to that version?

Not supported yet in reqsign. But anyway, it should be fixed in reqsign.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Xuanwo Xuanwo Awaiting requested review from Xuanwo Xuanwo is a code owner

@ClSlaid ClSlaid Awaiting requested review from ClSlaid

@oowl oowl Awaiting requested review from oowl

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
releases-note/fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

S3 implementation does not use Role ARN provided by environment or profile
4 participants
@ZachNo @Xuanwo @everpcpc @tisonkun