-
Notifications
You must be signed in to change notification settings - Fork 639
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add LoadOptions hook to configure STS/SSO credential clients #2686
Comments
Hi @gdavison , Thanks for reaching out. You can pass in package main
import (
"context"
"fmt"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/sts"
"os"
)
func main() {
ctx := context.Background()
os.Setenv("AWS_USE_FIPS_ENDPOINT", "true")
os.Setenv("AWS_ENDPOINT_URL_STS", "https://sts.ca-central-1.amazonaws.com/")
os.Setenv("AWS_REGION", "ca-central-1")
os.Setenv("AWS_PROFILE", "assume-role")
cfg, err := config.LoadDefaultConfig(ctx,
config.WithRegion("ca-central-1"),
config.WithAssumeRoleCredentialOptions(func(o *stscreds.AssumeRoleOptions) {
secondCfg, err := config.LoadDefaultConfig(
context.TODO(),
config.WithRegion("ca-central-1"),
config.WithClientLogMode(aws.LogRequestWithBody),
config.WithUseFIPSEndpoint(aws.FIPSEndpointStateDisabled),
)
if err != nil {
panic(err)
}
o.Client = sts.NewFromConfig(secondCfg)
}),
)
if err != nil {
panic(err)
}
_, err = cfg.Credentials.Retrieve(ctx)
if err != nil {
panic(err)
}
fmt.Println("Success.")
} let me know if this helps. Thanks, |
This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled. |
Please keep open |
Hi @tmccombs , Can you please elaborate on why this needs to be kept open? Did the workaround I provided not work for you? Thanks, |
Hi @RanVaknin. I haven't had a chance to check this out. I assume that @tmccombs has asked to keep this open because this issue relates to an issue that he submitted in https://github.com/hashicorp/terraform-provider-aws |
Ugh, I wrote a response, and it appears to have been lost somehow. Anyway, yes, an application could technically work around this, but doing so is rather complex. Consider an application where credentials could come from multiple sources, such as terraform. For this workaround, the application would need to look at the environment variables, and configuration files that the SDK usually looks at, to figure out if it should disable UseFips because an endpoint is specified. And in your example the region is a constant. What if the region comes from the credential source. Also, in my opinion it would be better for this to be implemented once in the SDK, rather than every application that uses the SDK having to solve it separately, possibly in inconsistent ways. |
Hi @RanVaknin. The sample code doesn't work when retrieving credentials from a shared config file, even without the FIPS setting and custom endpoint. The STS client makes two requests to First request:
The second request, issued immediately after
|
Also, to amplify @tmccombs's point above, see hashicorp/terraform-provider-aws#38057 which overrides the There would have been more changes, but not all services have an AWS SDK for Go v2 implementation yet 🙂 |
The reason you're getting two It seems like we're basically just missing a simple functional option helper e.g. cfg, err := config.LoadDefaultConfig(ctx, confg.WithSTSClientOptions(func(o *sts.Options)) {
o.EndpointOptions.UseFIPSEndpoint = blah
}) |
@lucix-aws, yes, I think that would work |
UseFIPSEndpoint
setting and Assuming IAM Role from shared config file
Acknowledgements
go get -u github.com/aws/aws-sdk-go-v2/...
)Describe the bug
When
config.LoadDefaultConfig
),UseFIPSEndpoint
totrue
, andca-central-1
)resolving credentials fails with the error
When overriding the endpoint, as suggested in the AWS CLI documentation, it fails with the error
Expected Behavior
Based on previous discussion (#2336 (comment)), the first failure is expected.
When providing a custom endpoint, the
UseFIPSEndpoint
(andUseDualStackEndpoint
) flags should be cleared so that the endpoint can be used.Current Behavior
Because
config.LoadDefaultConfig
creates its own STS client internally, there is no way to clear theUseFIPSEndpoint
setting when also using a custom endpoint.Using a global
aws.EndpointResolverWithOptions
does work to set the endpoint without theInvalid Configuration: FIPS and custom endpoint are not supported
error, butaws.EndpointResolverWithOptions
is now deprecated. It also doesn't directly support setting endpoints via environment variables or the shared configuration file.Note that the AWS CLI also fails in this situation:
fails with
Reproduction Steps
package main
The config file
Possible Solution
No response
Additional Information/Context
No response
AWS Go SDK V2 Module Versions Used
require github.com/aws/aws-sdk-go-v2/config v1.27.19
require (
github.com/aws/aws-sdk-go-v2 v1.28.0 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.19 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.6 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.10 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.10 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.12 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.20.12 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.6 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.28.13 // indirect
github.com/aws/smithy-go v1.20.2 // indirect
)
Compiler and Version used
go version go1.22.1 darwin/arm64
Operating System and version
macOS 13.6.7
The text was updated successfully, but these errors were encountered: