aws: STS WebIdentity credentials provider #31004
mattklein123 merged 14 commits into envoyproxy:main
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
Looks like we can't enable SSL on curl without failing the Windows build, for the reasons mentioned in Lines 260 to 262 in 2de016d. So there is no option but to remove the code path that would enable the WebIdentity credentials provider for the deprecated curl path.
… disabled at first
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
* Fix STS JSON response credentials expiration format, which is an integer and not a string
* Sanitize the path before logging, which might contain sensitive info
* Properly log cluster type
* Fix garbage value in URI when adding new cluster
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
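The first two items in that commit message (the STS response carrying `Expiration` as a number rather than a string, and the request path needing sanitizing before it is logged) are easiest to see in a small parser. The Python below is an added example written for this page, not Envoy's code and not the AWS SDK's. It assumes the nesting of the STS `AssumeRoleWithWebIdentity` JSON response (`AssumeRoleWithWebIdentityResponse` → `AssumeRoleWithWebIdentityResult` → `Credentials`, with `Expiration` in epoch seconds), and assumes the web identity token travels as a `WebIdentityToken` query parameter; the response body and the request path are constructed samples. It goes slightly beyond the commit by accepting both the numeric and an ISO 8601 string form of `Expiration`, so a provider does not break on either.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, FrozenSet, Optional


def build_sample_body(expiration: Any) -> str:
    """Build a constructed STS-style response body with the given Expiration value.

    The nesting mirrors the assumed AssumeRoleWithWebIdentity JSON layout; the key
    material is made up for this example.
    """
    return json.dumps({
        "AssumeRoleWithWebIdentityResponse": {
            "AssumeRoleWithWebIdentityResult": {
                "Credentials": {
                    "AccessKeyId": "AKIAEXAMPLEKEY000001",
                    "SecretAccessKey": "constructed-secret-key",
                    "SessionToken": "constructed-session-token",
                    "Expiration": expiration,
                }
            }
        }
    })


# Constructed sample: Expiration is an integer (epoch seconds), not a string.
SAMPLE_STS_BODY = build_sample_body(1700000000)


def _parse_expiration(value: Any) -> datetime:
    """Accept epoch seconds (int/float, or a numeric string) or an ISO 8601 string."""
    if isinstance(value, bool):  # bool is an int subclass; reject it explicitly
        raise ValueError("Expiration must be a number or a string")
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        text = value.strip()
        try:
            return datetime.fromtimestamp(float(text), tz=timezone.utc)
        except ValueError:
            pass  # not numeric; fall through to ISO 8601
        if text.endswith("Z"):
            text = text[:-1] + "+00:00"
        parsed = datetime.fromisoformat(text)
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    raise ValueError("Expiration has unsupported type %s" % type(value).__name__)


def parse_sts_credentials(body: str) -> Dict[str, Any]:
    """Extract temporary credentials from an STS JSON response body.

    Raises ValueError on a malformed document rather than returning partial data,
    so a caller never signs requests with incomplete credentials.
    """
    doc = json.loads(body)
    try:
        creds = doc["AssumeRoleWithWebIdentityResponse"][
            "AssumeRoleWithWebIdentityResult"]["Credentials"]
    except (KeyError, TypeError) as exc:
        raise ValueError("STS response does not contain Credentials") from exc
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if field not in creds:
            raise ValueError("STS Credentials missing %s" % field)
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": _parse_expiration(creds["Expiration"]),
    }


def seconds_until_expiry(creds: Dict[str, Any], now_epoch: float) -> float:
    """Seconds remaining before the credentials expire (negative if already expired)."""
    return creds["expiration"].timestamp() - now_epoch


def redact_path_for_log(path: str,
                        sensitive_keys: FrozenSet[str] = frozenset({"WebIdentityToken"})) -> str:
    """Mask sensitive query parameter values before the request path is logged.

    Works on the raw text so the original percent-encoding of other parameters is
    preserved; only the value of each sensitive key is replaced.
    """
    base, sep, query = path.partition("?")
    if not sep:
        return path
    parts = []
    for param in query.split("&"):
        key, eq, _value = param.partition("=")
        parts.append(key + "=<redacted>" if (eq and key in sensitive_keys) else param)
    return base + "?" + "&".join(parts)


if __name__ == "__main__":
    creds = parse_sts_credentials(SAMPLE_STS_BODY)
    print("expires at", creds["expiration"].isoformat())
    # Constructed request path; the token value is made up.
    print(redact_path_for_log("/?Action=AssumeRoleWithWebIdentity&WebIdentityToken=eyJ.made.up"))
```

The expiry is returned as a timezone-aware `datetime` so that a provider can schedule its refresh from `seconds_until_expiry` instead of re-parsing the string, and the log redaction is applied to the path text itself, which is the form that reaches the logger.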
Has merge conflicts with #31135. Once the other change is merged I will update this change and it will be good for review.
@soulxu can you please help identify someone for a first pass review?
@suniltheta is there someone else from AWS that can review for correctness or has it already been reviewed? I can skim after that. Thanks. /wait-any
Thanks Matt for your help. This change was from an internal patch that was maintained for 4 years pending contribution to upstream Envoy until the deprecation of libcurl. I have manually tested that this change works for the AWS Request Signing HTTP filter extension to fetch the credentials properly from AWS STS. Let me quickly try to find out if anyone from the internal AWS C++ SDK interest Slack channel can help with giving some feedback, and get back here to check with you again.
If it's already being used that is fine. I can give it a quick skim.
mattklein123
left a comment
LGTM with a question, thanks.
/wait-any
Thank you for supporting this!
Co-authored-by: Scott LaVigne <lavignes@amazon.com>
Commit Message: aws: STS WebIdentity credentials provider
Additional Description: Envoy support for k8s IAM Roles for Service Accounts, aws/aws-app-mesh-roadmap#182. This is an AWS internal patch that is upstreamed after updating it to use the HTTP async client way of fetching metadata credentials.
Note: This change enables SSL on the curl dependency, which is on the deprecation path (#30731). SSL on curl is required to establish an HTTPS connection with the STS service.
Risk Level: Low
Testing: Unit testing
Docs Changes: Yes
Release Notes: Yes
Platform Specific Features: NA