diff --git a/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h b/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
index 720006592c9..83d40cd4993 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
@@ -25,7 +25,7 @@ namespace Aws
 class AWS_CORE_API STSAssumeRoleWebIdentityCredentialsProvider : public AWSCredentialsProvider
 {
 public:
- STSAssumeRoleWebIdentityCredentialsProvider();
+ STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config = {Aws::Client::ClientConfigurationInitValues{true}});
 
 /**
 * Retrieves the credentials if found, otherwise returns empty credential set.
diff --git a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
index 7747d86951c..f58f492a58b 100644
--- a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
+++ b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
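Review bot: The new constructor takes a single `Aws::Client::ClientConfiguration` argument and is not `explicit`, so a `ClientConfiguration` now converts implicitly into a credentials provider; `explicit STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config = {Aws::Client::ClientConfigurationInitValues{true}});` keeps default construction and removes that conversion. The declaration also gains no documentation for the parameter, and the bare `true` in the default does not say what it switches on (presumably the flag that disables IMDS lookups so that building a provider never blocks on the metadata endpoint; worth confirming and naming in a comment). A Doxygen block above the declaration should state what the provider does with the supplied config, which the .cpp side of this commit shows: `scheme` is overwritten to HTTPS, `retryStrategy` is replaced only when the caller left it null, and the rest of the config is passed through to the STS client unchanged.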
@@ -32,24 +32,18 @@ using Aws::Utils::Threading::WriterLockGuard;
 static const char STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG[] = "STSAssumeRoleWithWebIdentityCredentialsProvider";
 static const int STS_CREDENTIAL_PROVIDER_EXPIRATION_GRACE_PERIOD = 5 * 1000;
 
-STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider() :
+STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration config) :
 m_initialized(false)
 {
 // check environment variables
- Aws::String tmpRegion = Aws::Environment::GetEnv("AWS_DEFAULT_REGION");
 m_roleArn = Aws::Environment::GetEnv("AWS_ROLE_ARN");
 m_tokenFile = Aws::Environment::GetEnv("AWS_WEB_IDENTITY_TOKEN_FILE");
 m_sessionName = Aws::Environment::GetEnv("AWS_ROLE_SESSION_NAME");
 
 // check profile_config if either m_roleArn or m_tokenFile is not loaded from environment variable
- // region source is not enforced, but we need it to construct sts endpoint, if we can't find from environment, we should check if it's set in config file.
- if (m_roleArn.empty() || m_tokenFile.empty() || tmpRegion.empty())
+ if (m_roleArn.empty() || m_tokenFile.empty())
 {
 auto profile = Aws::Config::GetCachedConfigProfile(Aws::Auth::GetConfigProfileName());
- if (tmpRegion.empty())
- {
- tmpRegion = profile.GetRegion();
- }
 // If either of these two were not found from environment, use whatever found for all three in config file
 if (m_roleArn.empty() || m_tokenFile.empty())
 {
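Review bot: Dropping `tmpRegion` removes the provider's own region resolution — the `AWS_DEFAULT_REGION` read and the profile lookup in this hunk, and the `US_EAST_1` fallback with its debug log in the next one — so the STS endpoint the web identity token is sent to now depends solely on `config.region` as the caller or `ClientConfiguration`'s default constructor left it. Whether that default constructor populates region from the same environment variable and profile is not visible in this diff; if it does not, users who relied on those sources lose them without any log line saying so. Consider an explicit guard once the profile has been consulted, `if (config.region.empty()) { config.region = Aws::Region::US_EAST_1; }` together with the old "Resolved region" debug message, or state in the header that the supplied config must already carry the region. The constructor body continues past the end of this hunk.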
@@ -79,15 +73,6 @@ STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentials
 AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved role_arn from profile_config or environment variable to be " << m_roleArn);
 }
 
- if (tmpRegion.empty())
- {
- tmpRegion = Aws::Region::US_EAST_1;
- }
- else
- {
- AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved region from profile_config or environment variable to be " << tmpRegion);
- }
-
 if (m_sessionName.empty())
 {
 m_sessionName = Aws::Utils::UUID::PseudoRandomUUID();
@@ -97,15 +82,13 @@ STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentials AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved session_name from profile_config or environment variable to be " << m_sessionName); } - Aws::Client::ClientConfiguration config; config.scheme = Aws::Http::Scheme::HTTPS; - config.region = tmpRegion; - Aws::Vector retryableErrors; - retryableErrors.push_back("IDPCommunicationError"); - retryableErrors.push_back("InvalidIdentityToken"); + if (config.retryStrategy == nullptr) { + Aws::Vector retryableErrors{ "IDPCommunicationError", "InvalidIdentityToken" }; - config.retryStrategy = Aws::MakeShared(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, retryableErrors, 3/*maxRetries*/); + config.retryStrategy = Aws::MakeShared(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, std::move(retryableErrors), 3/*maxRetries*/); + } m_client = Aws::MakeUnique(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, config); m_initialized = true;
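Review bot: When a caller passes a config that already carries a `retryStrategy`, the new `if (config.retryStrategy == nullptr)` guard in the last hunk skips the STS-specific retryable errors, so `IDPCommunicationError` and `InvalidIdentityToken` are retried only if that strategy happens to know them; that is a defensible contract, but nothing at the call site says so. A comment on the guard such as `// Honour a caller-supplied strategy as-is; only the default strategy retries IDPCommunicationError/InvalidIdentityToken` would make the trade-off visible to the next maintainer. Minor: `config` is a by-value parameter that is not used after the `Aws::MakeUnique` call, so `std::move(config)` there saves a copy if the STS client constructor accepts the configuration by value or rvalue, and changes nothing if it takes a const reference. The constructor's closing brace lies outside the hunk.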