
STS does not respect ca cert setting #2920

Open
phoebusm opened this issue Apr 11, 2024 · 5 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments


phoebusm commented Apr 11, 2024

Describe the bug

m_client = Aws::MakeUnique<Aws::Internal::STSCredentialsClient>(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, config);

The SDK ClientConfiguration allows users to set caPath and caFile, but STS authentication doesn't use/respect the setting.

Expected Behavior

All authentication respects caPath and caFile setting.

Current Behavior

The SDK ClientConfiguration allows users to set caPath and caFile, but STS authentication doesn't use/respect the setting.

Reproduction Steps

In the code below, caFile points to a wrong CA file. STS auth should still be able to return a valid token, yet the connection to the storage should fail.

#include <aws/core/Aws.h>
#include <aws/s3/S3Client.h>
#include <aws/s3/model/ListObjectsV2Request.h>

Aws::Client::ClientConfiguration config;
config.caFile = "WRONG_CA_FILE";  // deliberately unusable CA file
// Legacy constructor: configuration, payload signing policy, use virtual addressing
Aws::S3::S3Client s3_client(config, Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never, false);
Aws::S3::Model::ListObjectsV2Request objects_request;
objects_request.WithBucket("abc");
// The STS token fetch still succeeds (ignores caFile); the storage call fails on TLS
auto list_objects_outcome = s3_client.ListObjectsV2(objects_request);

Possible Solution

No response

Additional Information/Context

No response

AWS CPP SDK version used

1.11.201

Compiler and Version used

gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Operating System and version

Ubuntu 22.04


jmklix commented Jun 14, 2024

Thanks for pointing this out to us. This is a problem with how the sts client was written, and will require a significant refactor of the sts client. This has been added to our backlog, but this is not something that will get completed this quarter. I don't have a timeline for when it will be fixed, but I will update here when it does. Sorry for the delay.

@jmklix jmklix added p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jun 14, 2024
@ryansburgoyne

It appears I am not able to use IRSA in my EKS cluster for my C++ application because it requires a call to STS to fetch credentials using a web identity token. Is there any workaround?


jmklix commented Aug 7, 2024

@ryansburgoyne could you open a discussion and provide more details about what exactly you are trying to do?


jmklix commented Aug 7, 2024

related issue: #1963

@teo-tsirpanis
Contributor

Blocked by adding support for passing ClientConfiguration to DefaultCredentialsProviderChain, which I will do after #3113 and #3116 get merged. After that, you can create a credentials provider with the client config yourself, and pass it to the client.

The real root cause of the issue would be fixed if curl's autodetection of the CA bundle happened also at runtime instead of only compile-time. Anyone interested can suggest it, if this has not already happened.
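The runtime CA-bundle resolution suggested above, as an added C++ example that is neither SDK nor curl code: it resolves a bundle the way a client should, with an explicit caFile winning outright and never silently falling back to a well-known path when that file is unusable (the fallback is exactly what lets the STS call succeed in this report). The candidate paths, the PEM check and the file names are constructed assumptions.

```cpp
#include <fstream>
#include <string>
#include <vector>

// Well-known bundle locations on common distributions (constructed list, in
// the order a runtime probe would try them).
static const std::vector<std::string> kDefaultCandidates = {
    "/etc/ssl/certs/ca-certificates.crt",   // Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",     // RHEL/Fedora
    "/etc/ssl/ca-bundle.pem",               // openSUSE
    "/etc/ssl/cert.pem",                    // Alpine/FreeBSD/macOS
};

// A usable bundle is a readable file containing at least one PEM certificate.
bool looksLikePemBundle(const std::string& path) {
    std::ifstream in(path);
    if (!in) return false;
    std::string line;
    while (std::getline(in, line)) {
        if (line.rfind("-----BEGIN CERTIFICATE-----", 0) == 0) return true;
    }
    return false;
}

// Returns the bundle a client should verify against. An explicit setting
// (what ClientConfiguration::caFile is meant to be) wins outright; only when
// none is given are the well-known paths probed. An empty result means
// nothing usable was found and the caller should fail, not fall back.
std::string resolveCaBundle(const std::string& explicitCaFile,
                            const std::vector<std::string>& candidates = kDefaultCandidates) {
    if (!explicitCaFile.empty()) {
        // An explicit but unusable file is a configuration error, never a
        // reason to quietly pick a different bundle.
        return looksLikePemBundle(explicitCaFile) ? explicitCaFile : std::string();
    }
    for (const auto& p : candidates) {
        if (looksLikePemBundle(p)) return p;
    }
    return std::string();
}

// Helper used to create constructed sample files for trying this out.
bool writeTextFile(const std::string& path, const std::string& text) {
    std::ofstream out(path);
    return static_cast<bool>(out << text);
}
```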
