Add new STSProfileWithWebIdentityCredentialsProvider #4137
Conversation
|
This pull request has been linked to Shortcut Story #30586: Add Custom Credentials Provider for STS And Web Identity. |
Shelnutt2
force-pushed
the
sethshelnutt/sc-30586/add-custom-credentials-provider-for-sts
branch
2 times, most recently
from
f92ba78 to
48e5fff
Compare
Shelnutt2
force-pushed
the
sethshelnutt/sc-30586/add-custom-credentials-provider-for-sts
branch
from
409f552 to
b23ccef
Compare
| endif() | ||
| if(WIN32) | ||
| if(MSVC) | ||
| find_library(BCRYPT_LIBRARY bcrypt) |
There was a problem hiding this comment.
For future reference, newer AWS SDK versions have a separate list of non-core linkage which includes this, so we should be able to remove this in the future once we have a sufficiently high minimum version.
| find_package(AWSSDK_EP REQUIRED COMPONENTS s3) | ||
| this_target_link_libraries(INTERFACE ${AWSSDK_LINK_LIBRARIES}) | ||
| else() | ||
| find_package(AWSSDK_EP REQUIRED COMPONENTS s3) |
There was a problem hiding this comment.
(planning to eventually move this out to an overlay: https://devblogs.microsoft.com/cppblog/using-system-package-manager-dependencies-with-vcpkg/)
| * | ||
| * This file implements the S3 Credentials Provider to support STS and Web | ||
| * Identity. | ||
| */ |
There was a problem hiding this comment.
Suggest linking to upstream implementation so people can reference it if needed (ie if changes are made there, we may need to reflect them here): https://github.com/aws/aws-sdk-cpp/blob/main/src/aws-cpp-sdk-identity-management/source/auth/STSProfileCredentialsProvider.cpp
There was a problem hiding this comment.
We might also want to make a feature request upstream so that this can go away eventually.
This new credential provider support chaining of assume from based on a profile configuration including support for web identity tokens as part of the chain. This is based on the upstream `STSProfileCredentialProvider`. The upstream credential provider lacks support for the web identity tokens. The main use case for this is inside EC2/ECS/EKS environments where a web identity token can be used as part of IRSA sequences.
This is a workaround until thr curl interfacr correctly handles system libraries.
This is a temporary workaround. In a followup we will add this back and correctly setup the filesystem object library. The filesytem object library had a few issues with s3 that expanded beyond the scope of this PR.
Shelnutt2
force-pushed
the
sethshelnutt/sc-30586/add-custom-credentials-provider-for-sts
branch
from
310e1be to
7bfeed3
Compare
|
I've rebased, tested and confirmed now that #4131 was merged. This is working with our test case. |
Shelnutt2
deleted the
sethshelnutt/sc-30586/add-custom-credentials-provider-for-sts
branch
This new credential provider support chaining of assume from based on a profile configuration including support for web identity tokens as part of the chain. This is based on the upstream
STSProfileCredentialProvider. The upstream credential provider lacks support for the web identity tokens.The main use case for this is inside EC2/ECS/EKS environments where a web identity token can be used as part of IRSA sequences.
This is configured for the new config_source via:
cfg["vfs.s3.config_source"] = "sts_profile_with_web_identity"TYPE: FEATURE
DESC: Support new
STSProfileWithWebIdentityCredentialsProviderS3 credential provider