Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

STS does not respect ca cert setting #2920

Open
phoebusm opened this issue Apr 11, 2024 · 4 comments
Open

STS does not respect ca cert setting #2920

phoebusm opened this issue Apr 11, 2024 · 4 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments

@phoebusm
Copy link

phoebusm commented Apr 11, 2024
edited
Loading

Describe the bug

aws-sdk-cpp/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp

Line 110 in e9d0d24

m_client = Aws::MakeUnique<Aws::Internal::STSCredentialsClient>(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, config);

The SDK Client Configuration allows user to set caPath and caFIle but STS authentication doesn't use/respect the setting

Expected Behavior

All authentication respects caPath and caFile setting.

Current Behavior

The SDK Client Configuration allows user to set caPath and caFIle but STS authentication doesn't use/respect the setting

Reproduction Steps

In the below code, caFile is pointed to wrong ca file. Yet STS auth should still be able to return a valid token yet the connection to the storage should fail.

Aws::Client::ClientConfiguration config;
config.caFile = "WRONG_CA_FILE";
Aws::S3::S3Client s3_client(config, Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never, false);
Aws::S3::Model::ListObjectsV2Request objects_request;
objects_request.WithBucket("abc");
auto list_objects_outcome = s3_client.ListObjectsV2(objects_request);

Possible Solution

No response

Additional Information/Context

No response

AWS CPP SDK version used

1.11.201

Compiler and Version used

gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Operating System and version

Ubuntu 22.04
@phoebusm phoebusm added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 11, 2024
@phoebusm phoebusm mentioned this issue Apr 11, 2024
Open
@jmklix
Copy link
Member

jmklix commented Jun 14, 2024

Thanks for pointing this out to us. This is a problem with how the sts client was written, and will require a significant refactor of the sts client. This has been added to our backlog, but this is not something that will get completed this quarter. I don't have a timeline for when fixed, but I will update here when it does. Sorry for the delay

@jmklix jmklix added p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jun 14, 2024
@ryansburgoyne
Copy link

It appears I am not able to use IRSA in my EKS cluster for my C++ application because it requires a call to STS to fetch credentials using a web identity token. Is there any workaround?

@jmklix
Copy link
Member

jmklix commented Aug 7, 2024

@ryansburgoyne could you open a discussion and provide more details about what exactly you are trying to do?

@jmklix
Copy link
Member

jmklix commented Aug 7, 2024

related issue: #1963

@jmklix jmklix mentioned this issue Aug 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug. p2 This is a standard priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ryansburgoyne @jmklix @phoebusm