STS Web Identity Credentials not cached #1321

Closed
gregoryfranklin opened this issue Jul 1, 2020 · 1 comment
@gregoryfranklin (Contributor)

When using credentials.IAM{} with AWS_WEB_IDENTITY_TOKEN_FILE, the credentials are not cached, resulting in an AssumeRoleWithWebIdentity STS call on every request.

#1183 added the ability to use the AWS_WEB_IDENTITY_TOKEN_FILE environment variable with credentials.IAM{}:
https://github.com/minio/minio-go/blob/v6.0.56/pkg/credentials/iam_aws.go#L83
It does this by creating the STSWebIdentity credentials provider in func (m *IAM) Retrieve() and calling Retrieve() on that:
https://github.com/minio/minio-go/blob/v6.0.56/pkg/credentials/iam_aws.go#L107

However, when you call IsExpired() in the IAM credentials provider it always returns true because the expiry has been set on the STSWebIdentity credentials provider not on the IAM credentials provider.

For reference, in the case of ECS and EC2 roles, the expiry is set correctly:
https://github.com/minio/minio-go/blob/v6.0.56/pkg/credentials/iam_aws.go#L140

In my case, the impact of this is that Thanos runs extremely slowly when using IAM Roles for Service Accounts because it is making an STS call on every request to S3.
thanos-io/thanos#2097
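The failure mode described in this issue, as an added example that is not minio-go's own code: a simplified Go model in which an IAM-style wrapper retrieves credentials from an inner STS-style provider. The names `Expiry`, `stsProvider`, `iamProvider` and `SimulateRequests` are assumptions; the `propagate` flag switches between a wrapper that never sets its own expiry (so every request triggers an STS call) and the fixed wrapper that copies the inner provider's expiry outward.

```go
package main

import "time"

// Expiry is a hypothetical stand-in for the SDK's expiry helper: with no
// expiration ever set it reports expired, the state the IAM wrapper is stuck in.
type Expiry struct{ expiration time.Time }

func (e *Expiry) SetExpiration(t time.Time) { e.expiration = t }
func (e *Expiry) IsExpired() bool { return e.expiration.IsZero() || time.Now().After(e.expiration) }

// stsProvider models the web-identity provider: every Retrieve is one
// AssumeRoleWithWebIdentity round trip, counted in Calls.
type stsProvider struct {
	Expiry
	Calls int
}

func (s *stsProvider) Retrieve() string {
	s.Calls++
	s.SetExpiration(time.Now().Add(time.Hour)) // STS credentials are time-limited
	return "ASIA-CONSTRUCTED-PLACEHOLDER"       // constructed sample value
}

// iamProvider wraps stsProvider; propagate=false reproduces the bug in the
// issue, propagate=true applies the fix of copying the inner expiry outward.
type iamProvider struct {
	Expiry
	inner     *stsProvider
	propagate bool
}

func (p *iamProvider) Retrieve() string {
	creds := p.inner.Retrieve()
	if p.propagate {
		p.SetExpiration(p.inner.expiration) // the step the original wrapper skipped
	}
	return creds
}

// SimulateRequests runs n client requests that refresh credentials only when
// the IAM wrapper reports expiry, and returns how many STS calls that caused.
func SimulateRequests(propagate bool, n int) int {
	p := &iamProvider{inner: &stsProvider{}, propagate: propagate}
	for i := 0; i < n; i++ {
		if p.IsExpired() {
			p.Retrieve()
		}
	}
	return p.inner.Calls
}
```

With the flag off, five requests cost five STS calls; with it on, the first request populates the cache and the remaining four reuse it.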

@harshavardhana (Member)

@gregoryfranklin feel free to send a fix

gregoryfranklin added a commit to gregoryfranklin/minio-go that referenced this issue Jul 1, 2020
When using the STSWebIdentity credentials provider from the IAM
credentials provider, we need to set the expiry time of the credentials.

We therefore expose the expiry time in the STSWebIdentity credentials
provider so that it can be used by the IAM credentials provider.

Calls to IsExpired() on the IAM credentials provider will then work as
they would have if it had been called on the underlying STSWebIdentity
provider, thereby caching the credentials as intended.

Fixes minio#1321
harshavardhana pushed a commit that referenced this issue Jul 10, 2020
When using the STSWebIdentity credentials provider from the IAM
credentials provider, we need to set the expiry time of the credentials.

We, therefore, expose the expiry time in the STSWebIdentity credentials
provider so that it can be used by the IAM credentials provider.

Calls to IsExpired() on the IAM credentials provider will then work as
they would have if it had been called on the underlying STSWebIdentity
provider, thereby caching the credentials as intended.

Fixes #1321