Endpoint URL Not Respected By AssumeRoleProvider
tustvold opened this issue · 3 comments
Describe the bug
The AssumeRoleProvider created as part of loading credentials from a profile does not appear to respect the endpoint URL overrides, and continues to talk to sts.amazonaws.com
Expected Behavior
It should talk to the configured endpoint URL
Current Behavior
It talks to the default STS endpoint
Reproduction Steps
Create a file at /tmp/aws-config with the following content
[profile default]
aws_access_key_id = test
aws_secret_access_key = test
[profile messaging]
role_arn = arn:aws:iam::000000000000:role/messaging
role_session_name = messaging
source_profile = default
Then create a new Rust project with
Cargo.toml
[package]
name = "temp"
version = "0.1.0"
edition = "2021"
[dependencies]
aws-config = "1.5.6"
aws-credential-types = "1.2"
tokio = { version = "1.0", features = ["full"] }
src/main.rs
use aws_credential_types::provider::ProvideCredentials;
#[tokio::main]
async fn main() {
let aws_config = aws_config::defaults(aws_config::BehaviorVersion::latest()).load().await;
aws_config.credentials_provider().unwrap().provide_credentials().await.unwrap();
}
Run it with
export AWS_ENDPOINT_URL=http://127.0.0.1:4566
export AWS_CONFIG_FILE=/tmp/aws-config
export AWS_PROFILE=messaging
cargo run
Get the following error
called `Result::unwrap()` on an `Err` value: ProviderError(ProviderError { source: ProviderError(ProviderError { source: ServiceError(ServiceError { source: Unhandled(Unhandled { source: ErrorMetadata { code: Some("InvalidClientTokenId"), message: Some("The security token included in the request is invalid."), extras: Some({"aws_request_id": "64665aaf-2926-429c-999d-6f22f439d5e3"}) }, meta: ErrorMetadata { code: Some("InvalidClientTokenId"), message: Some("The security token included in the request is invalid."), extras: Some({"aws_request_id": "64665aaf-2926-429c-999d-6f22f439d5e3"}) } }), raw: Response { status: StatusCode(403), headers: Headers { headers: {"x-amzn-requestid": HeaderValue { _private: H0("64665aaf-2926-429c-999d-6f22f439d5e3") }, "content-type": HeaderValue { _private: H0("text/xml") }, "content-length": HeaderValue { _private: H0("306") }, "date": HeaderValue { _private: H0("Thu, 19 Sep 2024 16:19:07 GMT") }} }, body: SdkBody { inner: Once(Some(b"<ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n <Error>\n <Type>Sender</Type>\n <Code>InvalidClientTokenId</Code>\n <Message>The security token included in the request is invalid.</Message>\n </Error>\n <RequestId>64665aaf-2926-429c-999d-6f22f439d5e3</RequestId>\n</ErrorResponse>\n")), retryable: true }, extensions: Extensions { extensions_02x: Extensions, extensions_1x: Extensions } } }) }) })
Crucially this does not require localstack to be running, as it completely ignores the configured endpoint URL
Possible Solution
No response
Additional Information/Context
#921 is related, but it would appear smithy-lang/smithy-rs#3014 was only a partial fix
Version
aws-config = 1.5.6
aws-credential-types = 1.2.1
Environment details (OS name and version, etc.)
x86_64 GNU/Linux
Logs
No response
Thanks for the short repro example, I've been able to reproduce this, looking into it.
Fix for this should be available from Oct 25 2024 release and after.
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.