fix: Support AWS_CONTAINER_CREDENTIALS_FULL_URI metadata endpoint

Support loading credentials from the AWS_CONTAINER_CREDENTIALS_FULL_URI metadata endpoint which is helpful for AWS SnapStart lamdbas Fixes open-policy-agent#6893 Signed-off-by: Matthew Bamber <[email protected]>
mbamber · Jul 26, 2024 · 22ebb20 · 22ebb20
1 parent d48fdd9
commit 22ebb20
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/docs/content/configuration.md b/docs/content/configuration.md
@@ -393,7 +393,9 @@ To use the EC2 metadata service, the IAM role to use and the AWS region for the
 be specified as `iam_role` and `aws_region` respectively.
 
 To use the ECS metadata service, specify only the AWS region for the resource as `aws_region`. ECS
-containers have at most one associated IAM role.
+containers have at most one associated IAM role. As per the [AWS documentation](https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html), credentials are
+sourced from the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` metadata environment variable or the
+`AWS_CONTAINER_CREDENTIALS_FULL_URI` metadata environment variable in order.
 
 > Providing a value for `iam_role` will cause OPA to use the EC2 metadata service even
 > if running inside an ECS container. This may result in unexpected problems if, for example,

diff --git a/plugins/rest/aws.go b/plugins/rest/aws.go
@@ -32,6 +32,7 @@ const (
 	// ref. https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html
 	ecsDefaultCredServicePath = "http://169.254.170.2"
 	ecsRelativePathEnvVar     = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+	ecsFullPathEnvVar         = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
 
 	// ref. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
 	stsDefaultDomain = "amazonaws.com"
@@ -211,7 +212,12 @@ func (cs *awsMetadataCredentialService) urlForMetadataService() (string, error)
 	// otherwise, check environment to see if it looks like we're in an ECS
 	// container (with implied role association)
 	if isECS() {
-		return ecsDefaultCredServicePath + os.Getenv(ecsRelativePathEnvVar), nil
+		// first check if the relative env var exists; if so we use that otherwise we
+		// use the "full" var
+		if _, relativeExists := os.LookupEnv(ecsRelativePathEnvVar); relativeExists {
+			return ecsDefaultCredServicePath + os.Getenv(ecsRelativePathEnvVar), nil
+		}
+		return os.Getenv(ecsFullPathEnvVar), nil
 	}
 	// if there's no role name and we don't appear to have a path to the
 	// ECS container service, then the configuration is invalid
@@ -604,8 +610,9 @@ func (cs *awsWebIdentityCredentialService) credentials(ctx context.Context) (aws
 
 func isECS() bool {
 	// the special relative path URI is set by the container agent in the ECS environment only
-	_, isECS := os.LookupEnv(ecsRelativePathEnvVar)
-	return isECS
+	_, isECSRelative := os.LookupEnv(ecsRelativePathEnvVar)
+	_, isECSFull := os.LookupEnv(ecsFullPathEnvVar)
+	return isECSRelative || isECSFull
 }
 
 // ecrAuthPlugin authorizes requests to AWS ECR.