I’m having an issue with AWS container credentials...
# http4k
d
I’m having an issue with AWS container credentials. GetCredentialsResponse is parsing fine, but the ARN in the response is not an ARN. We’re seeing responses like
{
  "RoleArn": "AQICAH... lots of chars ...N62A==",
  "AccessKeyId": "ASIA...",
  "SecretAccessKey": "***",
  "Token": "IQo....",
  "Expiration": "2024-01-09T14:51:19Z"
}
The token appears to be valid as far as I can see, but RoleArn is failing to parse as an ARN and throwing a wobbly before the token can be used. I note that the type is declared as a String? in the response object - maybe that’s significant (@Andrew O'Hara ?)
a
I think that's more of a @dave question!
d
He suggested you!
d
lol
a
image.png
d
More Mexican I think
d
well that role arn is an encrypted base64 binary value. The docs (as far as I can see (which is this at the moment)) say that value is an ARN (arn://....)
{
  "AccessKeyId": "ACCESS_KEY_ID",
  "Expiration": "EXPIRATION_DATE",
  "RoleArn": "TASK_ROLE_ARN",
  "SecretAccessKey": "SECRET_ACCESS_KEY",
  "Token": "SECURITY_TOKEN_STRING"
}
from that ^
a
So Dave are you saying the ARN in the response seems valid to you?
d
no - I'm saying that the value @dmcg is seeing is NOT what seems to be documented
d
Yeah, the response I posted was from that curl both in and outside the container. I’m pretty convinced that it is what the endpoint is returning
a
Gotcha. Duncan, is that causing a runtime error? Or is it just something you've noticed?
d
yep - it gets busted when attempting to create an ARN from that value
d
Yes it’s failing because of asCredentials
data class GetCredentialsResponse(
    val Token: SessionToken,
    val AccessKeyId: AccessKeyId,
    val SecretAccessKey: SecretAccessKey,
    val Expiration: Expiration,
    val RoleArn: String?
) {
    fun asCredentials(): Credentials {
        val roleArn = when (RoleArn) {
            "NOT_SUPPLIED", null -> null
            else -> ARN.of(RoleArn)
        }
        return Credentials(Token, AccessKeyId, SecretAccessKey, Expiration, roleArn)
    }
}
If I patch that out I can use Credentials with a null roleArn
a
So, to be clear, you're running against real AWS? I've never seen this issue before. Could there be something unique about the role you're using?
d
IAM unique yes, but I don’t think it’s particularly special. It is in real AWS
A role for CodeBuild FWIW
d
@dmcg you could patch it out so that if it blows up you return the same credentials without the arn
and then PR it 😉
d
That’s pretty much what I have, and I’m happy to PR, but wanted to check that I’m not being a numpty before I do
d
well it does seem strange, but if AWS are doing undocumented random stuff then we need to work around it somehow
a
Seems reasonable to me