Fix credential rotation issue for ECS-A Windows #3184

vsiddharth · 2022-04-20T22:14:11Z

Summary

Fix credential rotation issue for ECS-A Windows

Implementation details

Credentials were not being rotated properly on ECS-A Windows instances.
This patch addresses the issue by using the correct file-paths for
credentials on supported platforms. The credential chain hierarchy is
also updated on ECS-A windows to ensure that credential chain is not
broken for other launch types.

Testing

Manually updated the ECS-Agent on both ECS/EC2 and ECS/ECS-A Windows instances to validate credentials being refreshed.

New tests cover the changes: No

Description for the changelog

Bug - Fixed credential rotation issue with ECS-A Windows

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

agent/credentials/instancecreds/instancecreds.go

agent/credentials/providers/credentials_filename_linux.go

agent/credentials/providers/credentials_filename_windows.go

agent/credentials/providers/credentials_filename_unsupported.go

agent/credentials/instancecreds/instancecreds.go

agent/credentials/instancecreds/instancecreds_test.go

agent/credentials/instancecreds/instancecreds.go

Credentials were not being rotated properly on ECS-A Windows instances. This patch addresses the issue by using the correct file-paths for credentials on supported platforms. The credential chain hierarchy is also updated on ECS-A windows to ensure that credential chain is not broken for other launch types. Signed-off-by: Siddharth Vinothkumar <[email protected]>

jterry75 · 2022-04-28T16:45:58Z

agent/credentials/instancecreds/instancecreds_linux.go

+//    2. Shared credentials file (https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html) (file at ~/.aws/credentials containing access key id and secret access key).
+//    3. EC2 role credentials. This is an IAM role that the user specifies when they launch their EC2 container instance (ie ecsInstanceRole (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html)).
+//    4. Rotating shared credentials file located at /rotatingcreds/credentials
+func GetCredentials(isExternal bool) *credentials.Credentials {


For Linux mark this as _ since its unused right?

jterry75

LGTM. Just one nit

agent/credentials/instancecreds/instancecreds_windows.go

jdstuart · 2022-04-30T16:55:00Z

@vsiddharth before merging should you also consider bumping the go version to 1.17 or 1.18 to add support for windows/arm64 architectures?
cc: @mythri-garaga @sparrc
PS. Thanks for the quick turnaround on this.

vsiddharth · 2022-05-02T20:53:43Z

@vsiddharth before merging should you also consider bumping the go version to 1.17 or 1.18 to add support for windows/arm64 architectures? cc: @mythri-garaga @sparrc PS. Thanks for the quick turnaround on this.

The agent is already using go 1.17.5

Can you please provide additional context on this?

sparrc · 2022-05-02T21:03:55Z

before merging should you also consider bumping the go version to 1.17 or 1.18 to add support for windows/arm64 architectures?

I think windows/arm64 would be a larger feature to support, are you currently custom-building the ecs agent to run on that platform?

jdstuart · 2022-05-02T22:11:14Z

No, we do not currently run on windows/arm64.

I mistakenly looked at https://github.com/aws/amazon-ecs-agent/blob/master/.travis.yml and thought go 1.15 is still used. I didn't see the GO_VERION files.

vsiddharth requested review from jterry75 and sparrc April 20, 2022 22:15

vsiddharth force-pushed the ecs-a-creds-win branch 2 times, most recently from 7b319e4 to 5212e8f Compare April 20, 2022 22:32