Increase precedence of web identity creds
omus committed May 11, 2023
1 parent 2d53308 commit 996821f
Showing 2 changed files with 43 additions and 8 deletions.
12 changes: 6 additions & 6 deletions src/AWSCredentials.jl
Expand Up @@ -48,11 +48,11 @@ and is as follows:
1. Credentials or a profile passed directly to the `AWSCredentials`
2. [Environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html)
3. [AWS Single Sign-On (SSO)](http://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) provided via the AWS configuration file
4. [AWS credentials file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) (e.g. "~/.aws/credentials")
5. [External process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) set via `credential_process` in the AWS configuration file
6. [AWS configuration file](http://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html) set via `aws_access_key_id` in the AWS configuration file
7. Assume Role provider via the aws config file
3. [Web Identity](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc)
4. [AWS Single Sign-On (SSO)](http://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) provided via the AWS configuration file
5. [AWS credentials file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) (e.g. "~/.aws/credentials")
6. [External process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) set via `credential_process` in the AWS configuration file
7. [AWS configuration file](http://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html) set via `aws_access_key_id` in the AWS configuration file
8. [Amazon EC2 instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
9. [Amazon ECS container credentials](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)
Expand Down Expand Up @@ -123,10 +123,10 @@ function AWSCredentials(; profile=nothing, throw_cred_error=true)
# EC2 credentials when the `AWS_CONTAINER_*` environmental variables are set.
functions = [
() -> env_var_credentials(explicit_profile),
credentials_from_webtoken,
() -> sso_credentials(profile),
() -> dot_aws_credentials(profile),
() -> dot_aws_config(profile),
credentials_from_webtoken,
ecs_instance_credentials,
() -> ec2_instance_credentials(profile),
]
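Review bot: The renumbered precedence list in the docstring still disagrees with the `functions` vector it describes for the last two providers: the list puts EC2 instance metadata at 8 and ECS container credentials at 9, while the vector tries `ecs_instance_credentials` before `ec2_instance_credentials` and the comment above it says ECS wins when `AWS_CONTAINER_*` is set. Since this commit already rewrites items 3–7, swapping the last two entries would keep the documentation truthful: `8. [Amazon ECS container credentials](…)` followed by `9. [Amazon EC2 instance metadata](…)`. The new item 3 also deserves its trigger condition, because it now shadows every file-based provider: `3. [Web Identity](…) (used when AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are set)`; the test added in this commit sets exactly those two variables, but `credentials_from_webtoken` is outside the hunk, so confirm the condition against it. One of the two printed versions of the list has no "Assume Role provider" entry; if `role_arn`/`source_profile` handling in `dot_aws_config` is still supported, the list should keep a line for it. The `AWSCredentials` function body starts and ends outside this hunk.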
39 changes: 37 additions & 2 deletions test/AWSCredentials.jl
Expand Up @@ -530,6 +530,41 @@ end
end
end

@testset "Web identity preferred over SSO" begin
write(
config_file,
"""
[default]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_role_name = role1
""",
)
isfile(creds_file) && rm(creds_file)

web_identity_file = joinpath(dir, "web_identity")
write(web_identity_file, "webid")

patches = [
Patches._assume_role_patch(
"AssumeRoleWithWebIdentity";
access_key="AKI_WEB",
secret_key="SAK_WEB",
session_token="TOK_WEB",
),
Patches.sso_service_patches("AKI_SSO", "SAK_SSO"),
]

withenv(
"AWS_WEB_IDENTITY_TOKEN_FILE" => web_identity_file,
"AWS_ROLE_ARN" => "webid",
) do
apply(patches) do
creds = AWSCredentials()
@test creds.access_key_id == "AKI_WEB"
end
end
end

@testset "SSO preferred over credentials file" begin
write(
config_file,
Expand All @@ -541,9 +576,9 @@ end
)
write(creds_file, basic_creds_content)

apply(Patches.sso_service_patches("AKI0", "SAK0")) do
apply(Patches.sso_service_patches("AKI_SSO", "SAK_SSO")) do
creds = AWSCredentials(; profile="profile1")
@test creds.access_key_id == "AKI0"
@test creds.access_key_id == "AKI_SSO"
end
end

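Review bot: The new "Web identity preferred over SSO" testset only covers the happy path where `AssumeRoleWithWebIdentity` succeeds; it does not pin what happens when `AWS_WEB_IDENTITY_TOKEN_FILE` is set but unusable (missing file, empty token, STS rejecting it), which is exactly the case this precedence change makes more consequential, since such a failure now happens before SSO and the credentials file are consulted rather than after them. If `credentials_from_webtoken` throws there instead of returning `nothing`, a stale environment variable on a developer machine now breaks previously working SSO logins; if it falls through silently, a misconfigured token quietly yields lower-precedence credentials, which is also worth asserting so the behavior is deliberate. I cannot see `credentials_from_webtoken` from this diff, so the intended outcome has to be confirmed, but either way a companion testset pointing the variable at a nonexistent path would document it. Separately, `"AWS_ROLE_ARN" => "webid"` reads like the token's content rather than a role; a value shaped like `arn:aws:iam::123456789012:role/webid` makes the fixture self-explanatory.
```julia
@testset "Web identity falls through when token file is missing" begin
    # … same config_file / creds_file / patches setup as "Web identity preferred over SSO" …
    withenv(
        "AWS_WEB_IDENTITY_TOKEN_FILE" => joinpath(dir, "does_not_exist"),
        "AWS_ROLE_ARN" => "arn:aws:iam::123456789012:role/webid",
    ) do
        apply(patches) do
            # Swap for `@test_throws` if a stale token file is meant to fail closed.
            @test AWSCredentials().access_key_id == "AKI_SSO"
        end
    end
end
```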
