Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

assumeRole chain support #224

Merged
merged 30 commits into from
Jan 18, 2024
Merged

assumeRole chain support #224

merged 30 commits into from
Jan 18, 2024

Conversation

waahm7
Copy link
Contributor

@waahm7 waahm7 commented Jan 10, 2024
edited
Loading

Description of changes:
Adds support for STS assumeRole chaining.
Rules:

  • When chaining assume role profiles, SDKs must terminate the chain as soon as they hit a profile with static credentials even if the profile also contains a source_profile.
  • A profile is allowed to use itself as a source profile for static credentials.

Examples:

  1. ProfileA contains static creds
    • Return credentials from the profile
  2. ProfileA contains static creds as well as source profile set to ProfileA
    • Use static creds in ProfileA to call the sts assumeRole and returns the credentials from the sts assumeRole call.
  3. ProfileA contains source_profile set to ProfileB. ProfileB contains static creds.
    • Use static creds in ProfileB to call the sts assumeRole and return the credentials from the sts assumeRole call.
  4. ProfileA contains source_profile set to ProfileB. ProfileB contains source_profile set to ProfileC. ProfileC contains static creds.
    • Use static creds in ProfileC to call the sts assumeRole with role_arn from profileB.
    • Use the response creds to call sts assumeRole again with role_arn from profileA.
    • Return creds from the second STS call.
  5. ProfileA contains source_profile set to ProfileB. ProfileB contains source_profile set to ProfileC and static creds. ProfileC contains static creds.
    • Use static creds in ProfileB to call the sts assumeRole with role_arn from profileA.
    • Return creds from the STS call.
  6. ProfileA contains source_profile set to ProfileB. ProfileB contains source_profile set to ProfileA with/without static creds.
    • Error out with profile contains a cycle
  7. ProfileA contains source_profile set to ProfileB. ProfileB contains source_profile set to ProfileC and also contains partial static credentials. Profile C contains credentials.
    • Error out with partial credentials error.
  8. ProfileA contains source_profile set to ProfileB and static creds. ProfileB contains static creds.
    • Use static creds in ProfileB to call the sts assumeRole and return the credentials from the sts assumeRole call.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@codecov-commenter
Copy link

codecov-commenter commented Jan 10, 2024
edited
Loading

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (3ce2463) 79.57% compared to head (cb467b5) 79.62%.

Files Patch % Lines
source/credentials_provider_profile.c 89.18% 4 Missing ⚠️
source/credentials_provider_sts.c 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #224      +/-   ##
==========================================
+ Coverage   79.57%   79.62%   +0.05%     
==========================================
  Files          33       33              
  Lines        5798     5832      +34     
==========================================
+ Hits         4614     4644      +30     
- Misses       1184     1188       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@waahm7 waahm7 changed the title WIP | assumeRole chain support assumeRole chain support Jan 17, 2024
@waahm7 waahm7 marked this pull request as ready for review January 17, 2024 00:39
DmitriyMusatkin
DmitriyMusatkin reviewed Jan 17, 2024
View reviewed changes
source/credentials_provider_profile.c Outdated
allocator,
3,
aws_hash_byte_cursor_ptr,
(aws_hash_callback_eq_fn *)aws_byte_cursor_eq,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any function type casting is ub. it will probably work in most cases, but its still better to wrap

source/credentials_provider_profile.c
@@ -428,11 +455,35 @@ struct aws_credentials_provider *aws_credentials_provider_new_profile(
goto on_finished;
}
const struct aws_profile_property *role_arn_property = aws_profile_get_property(profile, s_role_arn_name);
bool profile_contains_access_key = aws_profile_get_property(profile, s_access_key_id_profile_var);
bool profile_contains_secret_access_key = aws_profile_get_property(profile, s_secret_access_key_profile_var);
bool profile_contains_credentials = profile_contains_access_key || profile_contains_secret_access_key;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be end? cred should not be valid if it only contains one of the 2

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's an Or condition so that we don't treat the profile as an STS profile, even if partial creds are present at https://github.com/awslabs/aws-c-auth/pull/224/files#diff-f7cca12a8538a30712ad4b18e39bb61a240457b820982e916f6f27e76628c64fR477. Later, we fail the creation as invalid if either of them is missing at https://github.com/awslabs/aws-c-auth/pull/224/files#diff-f7cca12a8538a30712ad4b18e39bb61a240457b820982e916f6f27e76628c64fR481. This handles cases where the config file is as follows:


[profile userA]
role_arn =  arn
source_profile = userB

[profile userB]
role_arn = arn
aws_access_key_id = accessJey
source_profile = userC

[profile userC]
aws_access_key_id = acess_key
secret_access_key_id = secret

We should fail the request at profileB due to partial credentials instead of using creds from profileC. I copied this behavior from the AWS CLI.

graebm
graebm approved these changes Jan 17, 2024
View reviewed changes
source/credentials_provider_profile.c Outdated Show resolved Hide resolved
source/credentials_provider_profile.c Outdated Show resolved Hide resolved
@waahm7 waahm7 merged commit 7911fa2 into main Jan 18, 2024
29 checks passed
@waahm7 waahm7 deleted the assumeRoleChain branch January 18, 2024 17:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyMusatkin DmitriyMusatkin DmitriyMusatkin approved these changes

@graebm graebm graebm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@waahm7 @codecov-commenter @graebm @DmitriyMusatkin