Adds accountId to STS credentials providers #4040
Conversation
cenedhryn
force-pushed
the
salande/accountid-add-sts
branch
from
540597a to
d9a4675
Compare
.../java/software/amazon/awssdk/services/sts/auth/StsGetFederationTokenCredentialsProvider.java
Show resolved
Hide resolved
...ces/sts/src/main/java/software/amazon/awssdk/services/sts/auth/SessionCredentialsHolder.java
Outdated
Show resolved
Hide resolved
...ava/software/amazon/awssdk/services/sts/auth/StsWebIdentityTokenFileCredentialsProvider.java
Outdated
Show resolved
Hide resolved
core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsBasicCredentials.java
Outdated
Show resolved
Hide resolved
core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsBasicCredentials.java
Outdated
Show resolved
Hide resolved
core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentials.java
Show resolved
Hide resolved
...ces/sts/src/main/java/software/amazon/awssdk/services/sts/auth/SessionCredentialsHolder.java
Outdated
Show resolved
Hide resolved
| @@ -123,7 +124,16 @@ public Duration prefetchTime() { | |||
| /** | |||
| * Implemented by a child class to call STS and get a new set of credentials to be used by this provider. | |||
| */ | |||
| protected abstract Credentials getUpdatedCredentials(StsClient stsClient); | |||
| protected abstract SessionCredentialsHolder getUpdatedCredentials(StsClient stsClient); | |||
There was a problem hiding this comment.
This is technically backwards-incompatible since this is a public class. That said, it was only recently made public so it's probably not a problem.
SessionCredentialsHolder isn't a public type, though, so we probably shouldn't expose it on a protected method of a public class. Is there a better way to get the credential information up to this type? Maybe just have the subtypes return AwsSessionCredentials directly? Add the optional expiration to AwsSessionCredentials as well?
There was a problem hiding this comment.
I was a bit confused by the public part, because that change went out at the same time that this PR was created.
Changing signature to AwsSessionCredentials - note that the code does not use SessionCredentialsHolder anymore, the RefreshResult uses . If this change is approved, we can remove SessionCredentialsHolder from the public PR (the non-identity non-accountId changes should probably be punted to master asap before customers have more time to use the newly public class)
services/sts/src/main/java/software/amazon/awssdk/services/sts/auth/StsCredentialsProvider.java
Outdated
Show resolved
Hide resolved
| * This should be accessed via {@link AnonymousCredentialsProvider#resolveCredentials()}. | ||
| */ | ||
| @SdkInternalApi | ||
| static final AwsBasicCredentials ANONYMOUS_CREDENTIALS = new AwsBasicCredentials(null, null, false); | ||
| static final AwsBasicCredentials ANONYMOUS_CREDENTIALS = builder().validateCredentials(Boolean.FALSE).build(); |
|
|
||
| if (validateCredentials) { | ||
| if (Boolean.TRUE.equals(builder.validateCredentials)) { |
There was a problem hiding this comment.
nit: can be if (builder.validateCredentials) { if it is changed to boolean
core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsBasicCredentials.java
Show resolved
Hide resolved
| @@ -27,22 +27,48 @@ | |||
| @SdkInternalApi | |||
| @ThreadSafe | |||
| final class SessionCredentialsHolder { | |||
There was a problem hiding this comment.
Do we even need this anymore, since the expiration is in the session credentials now?
There was a problem hiding this comment.
It will be removed in subsequent PRs.
|
SonarCloud Quality Gate failed.
|
| /** | ||
| * Whether this class should verify that accessKeyId and secretAccessKey are not null. | ||
| */ | ||
| Builder validateCredentials(Boolean validateCredentials) { |
There was a problem hiding this comment.
nit: I think this can be boolean too.
| return Optional.ofNullable(accountId); | ||
| } | ||
|
|
||
| public Optional<Instant> expiration() { |
There was a problem hiding this comment.
If this makes sense to add to this interface, why not add it to AwsSessionCredentialsIdentity and @Override here.
There was a problem hiding this comment.
Oh, the top Identity interface already defines expirationTime(), which is what we should use.
Adds accountId to STS credentials providers
…5119) * Adds account ID as a built-in endpoint parameter (#4016) * Refactors credential identity with separate implementing classes (#4024) (#4028) * Adds accountId as a parameter to AWS credentials identity (#4029) * Adds accountId to STS credentials providers (#4040) * Adding accountId support to environment variable credential provider (#4327) * Adds accountId support to process credentials provider (#4332) * Adds account ID support for profile credentials provider sources (#4340) * Adds accountId endpoint mode (#4984) * Adding back existing endpoint files (#5120) * changelog (#5121)
…ws#5119) * Adds account ID as a built-in endpoint parameter (aws#4016) * Refactors credential identity with separate implementing classes (aws#4024) (aws#4028) * Adds accountId as a parameter to AWS credentials identity (aws#4029) * Adds accountId to STS credentials providers (aws#4040) * Adding accountId support to environment variable credential provider (aws#4327) * Adds accountId support to process credentials provider (aws#4332) * Adds account ID support for profile credentials provider sources (aws#4340) * Adds accountId endpoint mode (aws#4984) * Adding back existing endpoint files (aws#5120) * changelog (aws#5121)
Motivation and Context
STS provides accountId in the ARN of the assumedRoleUser included in its response objects. This PR extracts that accountId, if present, and adds it to the credentials identity.
Resolving credentials end-to-end should work once credentials are resolved before the endpoint.
Modifications
AwsBasicCredentialsandAwsSessionCredentialssince the credentials providers use those classes.Testing
Added codegen classes test to verify that the accountId is available to the endpoint resolution logic. Because we currently resolve the endpoint before we resolve credentials, this test is not working.