fixes sts creds provider env var resolution

Author: sbiscigl

src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h

@@ -10,6 +10,7 @@
 #include <aws/core/http/Version.h>
 #include <aws/core/Region.h>
 #include <aws/core/utils/memory/stl/AWSString.h>
+#include <aws/core/utils/StringUtils.h>
 #include <aws/core/http/HttpTypes.h>
 #include <aws/core/utils/Array.h>
 #include <aws/crt/Optional.h>
@@ -447,7 +448,18 @@ namespace Aws
             static Aws::String LoadConfigFromEnvOrProfile(const Aws::String& envKey, const Aws::String& profile,
                                                           const Aws::String& profileProperty, const Aws::Vector<Aws::String>& allowedValues,
                                                           const Aws::String& defaultValue);
-
+            /**
+             * A helper function to read config value from env variable or aws profile config. Addresses a problem in
+             * LoadConfigFromEnvOrProfile where env variables values are always mapped to their lower case equivalent.
+             * This fails for cases where ENV vars need to be case sensitive in instances like AWS_ROLE_ARN can have
+             * camel case values.
+             */
+            static Aws::String LoadConfigFromEnvOrProfileCaseSensitive(const Aws::String& envKey,
+                                                          const Aws::String& profile,
+                                                          const Aws::String& profileProperty,
+                                                          const Aws::Vector<Aws::String>& allowedValues,
+                                                          const Aws::String& defaultValue,
+                                                          const std::function<Aws::String(const char*)>& envValueMapping = Utils::StringUtils::ToLower);
             /**
              * A wrapper for interfacing with telemetry functionality. Defaults to Noop provider.
              * Provide TelemetryProvider here or via a factory method.

src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp

@@ -45,9 +45,11 @@ static const char* AWS_METADATA_SERVICE_TIMEOUT_ENV_VAR = "AWS_METADATA_SERVICE_
 static const char* AWS_METADATA_SERVICE_TIMEOUT_CONFIG_VAR = "metadata_service_timeout";
 static const char* AWS_METADATA_SERVICE_NUM_ATTEMPTS_ENV_VAR = "AWS_METADATA_SERVICE_NUM_ATTEMPTS";
 static const char* AWS_METADATA_SERVICE_NUM_ATTEMPTS_CONFIG_VAR = "metadata_service_num_attempts";
-static const char* AWS_IAM_ROLE_ARN_ENV_VAR = "AWS_IAM_ROLE_ARN";
+static const char* AWS_IAM_ROLE_ARN_ENV_VAR = "AWS_ROLE_ARN";
+static const char* AWS_IAM_ROLE_ARN_ENV_VAR_COMPAT = "AWS_IAM_ROLE_ARN";
 static const char* AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION = "role_arn";
-static const char* AWS_IAM_ROLE_SESSION_NAME_ENV_VAR = "AWS_IAM_ROLE_SESSION_NAME";
+static const char* AWS_IAM_ROLE_SESSION_NAME_ENV_VAR = "AWS_ROLE_SESSION_NAME";
+static const char* AWS_IAM_ROLE_SESSION_NAME_ENV_VAR_COMPAT = "AWS_IAM_ROLE_SESSION_NAME";
 static const char* AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION = "role_session_name";
 static const char* AWS_WEB_IDENTITY_TOKEN_FILE_ENV_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE";
 static const char* AWS_WEB_IDENTITY_TOKEN_FILE_CONFIG_FILE_OPTION = "web_identity_token_file";
@@ -327,23 +329,45 @@ void setConfigFromEnvOrProfile(ClientConfiguration &config)
     // Uses default retry mode with the specified max attempts from metadata_service_num_attempts
     config.credentialProviderConfig.imdsConfig.imdsRetryStrategy = InitRetryStrategy(attempts, "");
 
-    config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_IAM_ROLE_ARN_ENV_VAR,
+    config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(AWS_IAM_ROLE_ARN_ENV_VAR,
           config.profileName,
           AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION,
           {}, /* allowed values */
-          "" /* default value */);
+          "" /* default value */,
+          [](const Aws::String& envValue) -> Aws::String { return envValue; });
 
-      config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_IAM_ROLE_SESSION_NAME_ENV_VAR,
+    // there was a typo in the original environment variable, this exists for backwards compatibility
+    if (config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn.empty()) {
+      config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(AWS_IAM_ROLE_ARN_ENV_VAR_COMPAT,
           config.profileName,
-          AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION,
+          AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION,
           {}, /* allowed values */
-          "" /* default value */);
+          "" /* default value */,
+          [](const Aws::String& envValue) -> Aws::String { return envValue; });
+    }
 
-      config.credentialProviderConfig.stsCredentialsProviderConfig.tokenFilePath = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_WEB_IDENTITY_TOKEN_FILE_ENV_VAR,
-          config.profileName,
-          AWS_WEB_IDENTITY_TOKEN_FILE_CONFIG_FILE_OPTION,
-          {}, /* allowed values */
-          "" /* default value */);
+    config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName = ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(AWS_IAM_ROLE_SESSION_NAME_ENV_VAR,
+        config.profileName,
+        AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION,
+        {}, /* allowed values */
+        "" /* default value */,
+        [](const Aws::String& envValue) -> Aws::String { return envValue; });
+
+    // there was a typo in the original environment variable, this exists for backwards compatibility
+    if (config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName.empty()) {
+      config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName = ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(AWS_IAM_ROLE_SESSION_NAME_ENV_VAR_COMPAT,
+        config.profileName,
+        AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION,
+        {}, /* allowed values */
+        "" /* default value */,
+          [](const Aws::String& envValue) -> Aws::String { return envValue; });
+    }
+
+    config.credentialProviderConfig.stsCredentialsProviderConfig.tokenFilePath = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_WEB_IDENTITY_TOKEN_FILE_ENV_VAR,
+        config.profileName,
+        AWS_WEB_IDENTITY_TOKEN_FILE_CONFIG_FILE_OPTION,
+        {}, /* allowed values */
+        "" /* default value */);
 }
 
 ClientConfiguration::ClientConfiguration()
@@ -558,29 +582,36 @@ Aws::String ClientConfiguration::LoadConfigFromEnvOrProfile(const Aws::String& e
                                                             const Aws::Vector<Aws::String>& allowedValues,
                                                             const Aws::String& defaultValue)
 {
-    Aws::String option = Aws::Environment::GetEnv(envKey.c_str());
-    if (option.empty()) {
-        option = Aws::Config::GetCachedConfigValue(profile, profileProperty);
-    }
-    option = Aws::Utils::StringUtils::ToLower(option.c_str());
-    if (option.empty()) {
-        return defaultValue;
-    }
-
-    if (!allowedValues.empty() && std::find(allowedValues.cbegin(), allowedValues.cend(), option) == allowedValues.cend()) {
-        Aws::OStringStream expectedStr;
-        expectedStr << "[";
-        for(const auto& allowed : allowedValues) {
-            expectedStr << allowed << ";";
-        }
-        expectedStr << "]";
+    return LoadConfigFromEnvOrProfileCaseSensitive(envKey, profile, profileProperty, allowedValues, defaultValue);
+}
+Aws::String ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(const Aws::String& envKey, const Aws::String& profile,
+                                                                         const Aws::String& profileProperty,
+                                                                         const Aws::Vector<Aws::String>& allowedValues,
+                                                                         const Aws::String& defaultValue,
+                                                                         const std::function<Aws::String(const char*)>& envValueMapping) {
+  Aws::String option = Aws::Environment::GetEnv(envKey.c_str());
+  if (option.empty()) {
+    option = Aws::Config::GetCachedConfigValue(profile, profileProperty);
+  }
+  option = envValueMapping(option.c_str());
+  if (option.empty()) {
+    return defaultValue;
+  }
 
-        AWS_LOGSTREAM_WARN(CLIENT_CONFIG_TAG, "Unrecognised value for " << envKey << ": " << option <<
-                                              ". Using default instead: " << defaultValue <<
-                                              ". Expected empty or one of: " << expectedStr.str());
-        option = defaultValue;
+  if (!allowedValues.empty() && std::find(allowedValues.cbegin(), allowedValues.cend(), option) == allowedValues.cend()) {
+    Aws::OStringStream expectedStr;
+    expectedStr << "[";
+    for(const auto& allowed : allowedValues) {
+      expectedStr << allowed << ";";
     }
-    return option;
+    expectedStr << "]";
+
+    AWS_LOGSTREAM_WARN(CLIENT_CONFIG_TAG, "Unrecognised value for " << envKey << ": " << option <<
+                                          ". Using default instead: " << defaultValue <<
+                                          ". Expected empty or one of: " << expectedStr.str());
+    option = defaultValue;
+  }
+  return option;
 }
 
 } // namespace Client

tests/aws-cpp-sdk-core-integration-tests/STSWebIdentityProviderIntegrationTest.cpp

@@ -6,20 +6,22 @@
 #include <aws/cognito-identity/model/SetIdentityPoolRolesRequest.h>
 #include <aws/core/Aws.h>
 #include <aws/core/auth/STSCredentialsProvider.h>
-#include <aws/core/utils/FileSystemUtils.h>
 #include <aws/core/platform/Environment.h>
+#include <aws/core/utils/FileSystemUtils.h>
 #include <aws/iam/IAMClient.h>
 #include <aws/iam/model/CreateRoleRequest.h>
 #include <aws/iam/model/DeleteRolePolicyRequest.h>
 #include <aws/iam/model/DeleteRoleRequest.h>
 #include <aws/iam/model/PutRolePolicyRequest.h>
 #include <aws/sts/STSClient.h>
 #include <aws/sts/model/AssumeRoleRequest.h>
+#include <aws/testing/platform/PlatformTesting.h>
 #include <aws/testing/AwsTestHelpers.h>
 #include <gtest/gtest.h>
 
 using namespace Aws;
 using namespace Aws::Client;
+using namespace Aws::Environment;
 using namespace Aws::Auth;
 using namespace Aws::Utils;
 using namespace Aws::IAM;
@@ -170,3 +172,49 @@ TEST_F(STSWebIdentityProviderIntegrationTest, ShouldWork) {
   } while (credentials.IsEmpty() && attempts < MAX_IAM_CONSISTENCY_RETRIES);
   EXPECT_FALSE(credentials.IsEmpty());
 }
+
+TEST_F(STSWebIdentityProviderIntegrationTest, ShouldWorkWithEnvVar) {
+  CognitoIdentitySetup testResourcesRAII{UUID::RandomUUID()};
+  const EnvironmentRAII environment_raii{{
+      {"AWS_ROLE_ARN", testResourcesRAII.GetRoleArn()},
+      {"AWS_ROLE_SESSION_NAME", UUID::RandomUUID()},
+      {"AWS_WEB_IDENTITY_TOKEN_FILE", testResourcesRAII.GetTokenFileName()}
+    }};
+  const ClientConfiguration config{};
+  STSAssumeRoleWebIdentityCredentialsProvider provider{config.credentialProviderConfig};
+  AWSCredentials credentials{};
+  size_t attempts = 0;
+  bool shouldSleep = false;
+  do {
+    if (shouldSleep) {
+      std::this_thread::sleep_for(IAM_CONSISTENCY_SLEEP);
+    }
+    credentials = provider.GetAWSCredentials();
+    shouldSleep = true;
+    attempts++;
+  } while (credentials.IsEmpty() && attempts < MAX_IAM_CONSISTENCY_RETRIES);
+  EXPECT_FALSE(credentials.IsEmpty());
+}
+
+TEST_F(STSWebIdentityProviderIntegrationTest, ShouldWorkWithEnvVarBackwardsCompat) {
+  CognitoIdentitySetup testResourcesRAII{UUID::RandomUUID()};
+  const EnvironmentRAII environment_raii{{
+    {"AWS_IAM_ROLE_ARN", testResourcesRAII.GetRoleArn()},
+    {"AWS_IAM_ROLE_SESSION_NAME", UUID::RandomUUID()},
+    {"AWS_WEB_IDENTITY_TOKEN_FILE", testResourcesRAII.GetTokenFileName()}
+  }};
+  const ClientConfiguration config{};
+  STSAssumeRoleWebIdentityCredentialsProvider provider{config.credentialProviderConfig};
+  AWSCredentials credentials{};
+  size_t attempts = 0;
+  bool shouldSleep = false;
+  do {
+    if (shouldSleep) {
+      std::this_thread::sleep_for(IAM_CONSISTENCY_SLEEP);
+    }
+    credentials = provider.GetAWSCredentials();
+    shouldSleep = true;
+    attempts++;
+  } while (credentials.IsEmpty() && attempts < MAX_IAM_CONSISTENCY_RETRIES);
+  EXPECT_FALSE(credentials.IsEmpty());
+}