6969_DEFAULT_AWS_REGIONAL_CREDENTIAL_VERIFICATION_URL = (
7070 "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
7171)
72+ # IMDSV2 session token lifetime. This is set to a low value because the session token is used immediately.
73+ _IMDSV2_SESSION_TOKEN_TTL_SECONDS = "300"
7274
7375
7476class RequestSigner (object ):
@@ -476,9 +478,9 @@ def get_aws_region(self, context, request):
476478 else response .data
477479 )
478480
479- if response .status != 200 :
481+ if response .status != http_client . OK :
480482 raise exceptions .RefreshError (
481- "Unable to retrieve AWS region" , response_body
483+ "Unable to retrieve AWS region: {}" . format ( response_body )
482484 )
483485
484486 # This endpoint will return the region in format: us-east-2b.
@@ -487,16 +489,19 @@ def get_aws_region(self, context, request):
487489
488490 def _get_imdsv2_session_token (self , request ):
489491 if request is not None and self ._imdsv2_session_token_url is not None :
490- headers = {"X-aws-ec2-metadata-token-ttl-seconds" : "300" }
492+ headers = {
493+ "X-aws-ec2-metadata-token-ttl-seconds" : _IMDSV2_SESSION_TOKEN_TTL_SECONDS
494+ }
491495
492496 imdsv2_session_token_response = request (
493497 url = self ._imdsv2_session_token_url , method = "PUT" , headers = headers
494498 )
495499
496- if imdsv2_session_token_response .status != 200 :
500+ if imdsv2_session_token_response .status != http_client . OK :
497501 raise exceptions .RefreshError (
498- "Unable to retrieve AWS Session Token" ,
499- imdsv2_session_token_response .data ,
502+ "Unable to retrieve AWS Session Token: {}" .format (
503+ imdsv2_session_token_response .data
504+ )
500505 )
501506
502507 return imdsv2_session_token_response .data
@@ -545,7 +550,7 @@ def _get_metadata_security_credentials(
545550
546551 if response .status != http_client .OK :
547552 raise exceptions .RefreshError (
548- "Unable to retrieve AWS security credentials" , response_body
553+ "Unable to retrieve AWS security credentials: {}" . format ( response_body )
549554 )
550555
551556 credentials_response = json .loads (response_body )
@@ -593,7 +598,7 @@ def _get_metadata_role_name(self, request, imdsv2_session_token):
593598
594599 if response .status != http_client .OK :
595600 raise exceptions .RefreshError (
596- "Unable to retrieve AWS role name" , response_body
601+ "Unable to retrieve AWS role name {}" . format ( response_body )
597602 )
598603
599604 return response_body
@@ -690,7 +695,7 @@ def __init__(
690695 "regional_cred_verification_url"
691696 )
692697
693- # Get the environment ID. Currently, only one version supported (v1 ).
698+ # Get the environment ID, i.e. "aws1". Currently, only one version supported (1 ).
694699 matches = re .match (r"^(aws)([\d]+)$" , environment_id )
695700 if matches :
696701 env_id , env_version = matches .groups ()
@@ -701,7 +706,7 @@ def __init__(
701706 raise exceptions .InvalidResource (
702707 "No valid AWS 'credential_source' provided"
703708 )
704- elif int ( env_version or "" ) != 1 :
709+ elif env_version is None or int ( env_version ) != 1 :
705710 raise exceptions .InvalidValue (
706711 "aws version '{}' is not supported in the current build." .format (
707712 env_version
@@ -784,15 +789,12 @@ def retrieve_subject_token(self, request):
784789 request_headers ["x-goog-cloud-target-resource" ] = self ._target_resource
785790
786791 # Serialize AWS signed request.
787- # Keeping inner keys in sorted order makes testing easier for Python
788- # versions <=3.5 as the stringified JSON string would have a predictable
789- # key order.
790792 aws_signed_req = {}
791793 aws_signed_req ["url" ] = request_options .get ("url" )
792794 aws_signed_req ["method" ] = request_options .get ("method" )
793795 aws_signed_req ["headers" ] = []
794796 # Reformat header to GCP STS expected format.
795- for key in sorted ( request_headers .keys () ):
797+ for key in request_headers .keys ():
796798 aws_signed_req ["headers" ].append (
797799 {"key" : key , "value" : request_headers [key ]}
798800 )