From 8ce5d4dbd21d676049ad3a092a3b738a8afcc3a8 Mon Sep 17 00:00:00 2001
From: Stephen Wakely
Date: Thu, 11 Apr 2024 12:33:30 +0100
Subject: [PATCH 1/4] Use http client when building assume role for AccessKey.
Signed-off-by: Stephen Wakely
---
 src/aws/auth.rs | 61 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 41 insertions(+), 20 deletions(-)
diff --git a/src/aws/auth.rs b/src/aws/auth.rs
index b975c2a51d02c..842dfaf3e1051 100644
--- a/src/aws/auth.rs
+++ b/src/aws/auth.rs
@@ -206,6 +206,33 @@ impl AwsAuthentication {
 }
 }
+ /// Create the AssumeRoleProviderBuilder, ensuring we create the HTTP client with
+ /// the correct proxy and TLS options.
+ fn assume_role_provider_builder(
+ proxy: &ProxyConfig,
+ tls_options: &Option,
+ region: &Region,
+ assume_role: &str,
+ external_id: Option<&str>,
+ ) -> crate::Result {
+ let connector = super::connector(proxy, tls_options)?;
+ let config = SdkConfig::builder()
+ .http_client(connector)
+ .region(region.clone())
+ .time_source(SystemTimeSource::new())
+ .build();
+
+ let mut builder = AssumeRoleProviderBuilder::new(assume_role)
+ .region(region.clone())
+ .configure(&config);
+
+ if let Some(external_id) = external_id {
+ builder = builder.external_id(external_id)
+ }
+
+ Ok(builder)
+ }
+
 /// Returns the provider for the credentials based on the authentication mechanism chosen.
 pub async fn credentials_provider(
 &self,
@@ -228,12 +255,13 @@ impl AwsAuthentication {
 ));
 if let Some(assume_role) = assume_role {
 let auth_region = region.clone().map(Region::new).unwrap_or(service_region);
- let mut builder =
- AssumeRoleProviderBuilder::new(assume_role).region(auth_region);
-
- if let Some(external_id) = external_id {
- builder = builder.external_id(external_id)
- }
+ let builder = Self::assume_role_provider_builder(
+ proxy,
+ tls_options,
+ &auth_region,
+ assume_role,
+ external_id.as_deref(),
+ )?;
 let provider = builder.build_from_provider(provider).await;
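Review bot: The doc comment on `assume_role_provider_builder` says the HTTP client gets the correct proxy and TLS options, but not which request uses that client or how the helper fails. I would add `/// The client built here is presumably the one that carries the STS AssumeRole request, so that request honours the configured proxy and TLS settings.` and an `# Errors` line saying that a failure from `super::connector` is returned to the caller. As a style point, the body of `if let Some(external_id) = external_id` ends without a semicolon; `builder = builder.external_id(external_id);` reads as the statement it is.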
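Review bot: Nothing in this series exercises the call site changed in the `@@ -228,12 +255,13 @@` hunk, where the removed lines built the assume-role provider with only `.region(auth_region)` and no HTTP client. A regression test that configures static keys together with `assume_role` and calls `credentials_provider` would pin the fix; the diffstats of all four patches touch only `src/aws/auth.rs` and the changelog. The added `?` also gives this branch a new early return when the connector cannot be built from `proxy` and `tls_options`, which is worth stating in the doc comment of `credentials_provider`. The enclosing match arm starts and ends outside the hunk.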
@@ -264,20 +292,13 @@ impl AwsAuthentication {
 ..
 } => {
 let auth_region = region.clone().map(Region::new).unwrap_or(service_region);
- let connector = super::connector(proxy, tls_options)?;
- let config = SdkConfig::builder()
- .http_client(connector)
- .region(auth_region.clone())
- .time_source(SystemTimeSource::new())
- .build();
-
- let mut builder = AssumeRoleProviderBuilder::new(assume_role)
- .region(auth_region.clone())
- .configure(&config);
-
- if let Some(external_id) = external_id {
- builder = builder.external_id(external_id)
- }
+ let builder = Self::assume_role_provider_builder(
+ proxy,
+ tls_options,
+ &auth_region,
+ assume_role,
+ external_id.as_deref(),
+ )?;
 let provider = builder
 .build_from_provider(
From 0c468b238b370e897ab880801887ac1ba87cc473 Mon Sep 17 00:00:00 2001
From: Stephen Wakely
Date: Thu, 11 Apr 2024 12:58:47 +0100
Subject: [PATCH 2/4] Added changelog.
Signed-off-by: Stephen Wakely
---
 .../20282_aws_access_key_id_and_assume_role_auth.fix.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelog.d/20282_aws_access_key_id_and_assume_role_auth.fix.md
diff --git a/changelog.d/20282_aws_access_key_id_and_assume_role_auth.fix.md b/changelog.d/20282_aws_access_key_id_and_assume_role_auth.fix.md
new file mode 100644
index 0000000000000..9e70c5747f631
--- /dev/null
+++ b/changelog.d/20282_aws_access_key_id_and_assume_role_auth.fix.md
@@ -0,0 +1,5 @@
+Vector would panic when attempting to use a combination af `access_key_id` and
+`assume_role` authentication with the AWS components. This error has now been
+fixed.
+
+authors: StephenWakely
From afbef0ba4e64fe6ed8f5ade5ff42639a7251abaf Mon Sep 17 00:00:00 2001
From: Stephen Wakely
Date: Fri, 12 Apr 2024 12:06:00 +0100
Subject: [PATCH 3/4] Add custom http connector for file auth.
Signed-off-by: Stephen Wakely
---
 src/aws/auth.rs | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/aws/auth.rs b/src/aws/auth.rs
index 842dfaf3e1051..bf7f67395632c 100644
--- a/src/aws/auth.rs
+++ b/src/aws/auth.rs
@@ -273,14 +273,21 @@ impl AwsAuthentication {
 credentials_file,
 profile,
 } => {
+ let connector = super::connector(proxy, tls_options)?;
+
 // The SDK uses the default profile out of the box, but doesn't provide an optional
 // type in the builder. We can just hardcode it so that everything works.
 let profile_files = ProfileFiles::builder()
 .with_file(ProfileFileKind::Credentials, credentials_file)
 .build();
+
+ let provider_config = ProviderConfig::empty()
+ .with_http_client(connector);
+
 let profile_provider = ProfileFileCredentialsProvider::builder()
 .profile_files(profile_files)
 .profile_name(profile)
+ .configure(&provider_config)
 .build();
 Ok(SharedCredentialsProvider::new(profile_provider))
 }
From 8e3d46a2f45b3dcad07c467abdca675bd2375230 Mon Sep 17 00:00:00 2001
From: Stephen Wakely
Date: Fri, 12 Apr 2024 13:23:09 +0100
Subject: [PATCH 4/4] Formatting
Signed-off-by: Stephen Wakely
---
 src/aws/auth.rs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/aws/auth.rs b/src/aws/auth.rs
index bf7f67395632c..c0e65b5dc85ba 100644
--- a/src/aws/auth.rs
+++ b/src/aws/auth.rs
@@ -281,8 +281,7 @@ impl AwsAuthentication {
 .with_file(ProfileFileKind::Credentials, credentials_file)
 .build();
- let provider_config = ProviderConfig::empty()
- .with_http_client(connector);
+ let provider_config = ProviderConfig::empty().with_http_client(connector);
 let profile_provider = ProfileFileCredentialsProvider::builder()
 .profile_files(profile_files)
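Review bot: `ProviderConfig::empty()` in the `@@ -273,14 +273,21 @@` hunk is given only an HTTP client, so anything else the profile provider needs (a region, a sleep implementation) is whatever `empty()` supplies, which going by the name may be nothing; that should be confirmed against the aws-config documentation. It matters for profiles that resolve through STS, for example a `role_arn` with a `source_profile`, where the request needs a region. If `service_region` is in scope in this arm as it is in the assume-role arms of the first patch, `ProviderConfig::empty().with_region(Some(service_region)).with_http_client(connector)` would cover it. A one-line comment above `let connector` saying that the profile provider may make network calls and must use the configured proxy and TLS options would explain why a file-based provider needs a connector. The match arm begins outside the hunk.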