STS Web Identity Credentials not cached #1321
@gregoryfranklin feel free to send a fix

gregoryfranklin added a commit to gregoryfranklin/minio-go that referenced this issue on Jul 1, 2020:

When using the STSWebIdentity credentials provider from the IAM credentials provider, we need to set the expiry time of the credentials. We therefore expose the expiry time in the STSWebIdentity credentials provider so that it can be used by the IAM credentials provider. Calls to IsExpired() on the IAM credentials provider will then work as they would have if it had been called on the underlying STSWebIdentity provider, so the credentials are cached as intended. Fixes minio#1321
harshavardhana pushed a commit that referenced this issue on Jul 10, 2020:

When using the STSWebIdentity credentials provider from the IAM credentials provider, we need to set the expiry time of the credentials. We, therefore, expose the expiry time in the STSWebIdentity credentials provider so that it can be used by the IAM credentials provider. Calls to IsExpired() on the IAM credentials provider will then work as they would have if it had been called on the underlying STSWebIdentity provider, so the credentials are cached as intended. Fixes #1321
When using credentials.IAM{} with AWS_WEB_IDENTITY_TOKEN_FILE, the credentials are not cached, resulting in an AssumeRoleWithWebIdentity STS call on every request.

#1183 added the ability to use the AWS_WEB_IDENTITY_TOKEN_FILE environment variable with credentials.IAM{}:
https://github.com/minio/minio-go/blob/v6.0.56/pkg/credentials/iam_aws.go#L83

It does this by creating the STSWebIdentity credentials provider in func (m *IAM) Retrieve() and calling Retrieve() on that:
https://github.com/minio/minio-go/blob/v6.0.56/pkg/credentials/iam_aws.go#L107
However, when you call IsExpired() in the IAM credentials provider it always returns true because the expiry has been set on the STSWebIdentity credentials provider not on the IAM credentials provider.
For reference, in the case of ECS and EC2 roles, the expiry is set correctly
https://github.com/minio/minio-go/blob/v6.0.56/pkg/credentials/iam_aws.go#L140
In my case, the impact of this is that Thanos runs extremely slowly when using IAM Roles for Service Accounts because it is making an STS call on every request to S3.
thanos-io/thanos#2097
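The caching failure described above and the fix from the referenced commits, as an added Go model that is not minio-go's code: Expiry, webIdentity, iamProvider and STSCallsFor are constructed stand-ins, and the simulated STS call is just a counter. With propagate=false the outer provider's IsExpired() is always true, so every request re-runs the inner Retrieve(); copying the inner expiry outward makes the cache work.

```go
package main

import ("fmt"; "time")

// Expiry is a constructed stand-in (not minio-go's type) for the embedded
// expiry tracker: IsExpired is true until SetExpiration is called on it.
type Expiry struct{ expiration time.Time }

func (e *Expiry) SetExpiration(t time.Time) { e.expiration = t }
func (e *Expiry) IsExpired() bool          { return !time.Now().Before(e.expiration) }

// webIdentity stands in for the inner STSWebIdentity provider; Calls counts
// simulated AssumeRoleWithWebIdentity round trips.
type webIdentity struct{ Expiry; Calls int }

// Retrieve "calls STS" and records the expiry on the inner provider only.
func (w *webIdentity) Retrieve() string {
	w.Calls++
	w.SetExpiration(time.Now().Add(time.Hour))
	return "constructed-session-credentials"
}

// iamProvider stands in for the outer IAM provider. With propagate=false it
// reproduces the issue: only the inner expiry is set, so the outer
// IsExpired is always true and every request re-runs the inner Retrieve.
type iamProvider struct{ Expiry; inner *webIdentity; propagate bool; cached string }

func (p *iamProvider) Get() string {
	if !p.IsExpired() {
		return p.cached
	}
	p.cached = p.inner.Retrieve()
	if p.propagate { // the fix: copy the inner expiry to the outer provider
		p.SetExpiration(p.inner.expiration)
	}
	return p.cached
}

// STSCallsFor sends n requests through the provider and returns how many
// inner STS calls they caused.
func STSCallsFor(n int, propagate bool) int {
	p := &iamProvider{inner: &webIdentity{}, propagate: propagate}
	for i := 0; i < n; i++ {
		p.Get()
	}
	return p.inner.Calls
}

func main() { fmt.Println(STSCallsFor(100, false), STSCallsFor(100, true)) }
```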