Added a set of AWS credential providers. #7281
mattklein123 merged 3 commits into envoyproxy:master from ivitjuk:aws_sigv4_credential_providers
- EnvironmentCredentialsProvider fetches credentials from the environment
- InstanceProfileCredentialsProvider fetches credentials from the instance metadata
- TaskRoleCredentialsProvider fetches credentials from the ECS task metadata

Also added DefaultCredentialsProviderChain which is able to pick the correct credential provider according to the execution environment it is running in.

Signed-off-by: Ivan Vitjuk <ivanvit@amazon.com>

Hi, this was opened almost a week ago, can we get the feedback?
- Replaced fromCString() and fromString() with a single Credential constructor accepting absl::string_view
- Use constexpr for string constants
- Pass std::string to credential constructors instead of absl::optional

Signed-off-by: Ivan Vitjuk <ivanvit@amazon.com>

/retest

🔨 rebuilding

As far as I can see failing test is

/retest

🔨 rebuilding

@ivitjuk thanks. Let me check...

/wait-any
dio left a comment
Looks good. We need some clarifications and one coverage test. Thank you!
| Credentials(absl::string_view access_key_id = absl::string_view(), | ||
| absl::string_view secret_access_key = absl::string_view(), | ||
| absl::string_view session_token = absl::string_view()) { | ||
| if (!access_key_id.empty()) { |
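Review bot: the guard if (!access_key_id.empty()) on the last visible line makes the access key the gate for the whole constructor, but nothing visible here says what happens to a non-empty secret_access_key or session_token when access_key_id is empty. Please state in the class comment which combinations are kept and which are discarded, so a caller that supplies a secret without a key id knows what object it gets back.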
Does this mean we always need access_key_id? And we require either secret_access_key or session_token to be there? These if statements seem not necessary. What is the implication if we don't have (or empty) access_key_id?
Credentials can be one of:
- Empty
- Have access key only
- Have access key and secret key
- Have access key, secret key and session token
The implication of an empty access key is that the request will be made with an anonymous identity. For example, requests can be made to S3 with an anonymous identity if the bucket is configured in that way. Non-production environments can also accept anonymous requests.
| * If a credential component was not found in the execution environment, it's getter method will | ||
| * return absl::nullopt. Credential components with the empty string value are treated as not found. | ||
| */ | ||
| class Credentials { |
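Review bot: typo in the doc comment above class Credentials: "it's getter method" should read "its getter method". Since the same comment says empty strings are treated as not found, it would also help to say here that an empty value and an unset value are indistinguishable to callers of the getters.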
I felt like this should be a struct but not feeling strongly about it.
The interface of this type is not public by default. Data members specifically are not public and cannot be changed once set by the constructor. In that sense it feels more like a type (class) than a collection of data (struct).
| absl::string_view session_token) | ||
| : access_key_id_(access_key_id), secret_access_key_(secret_access_key), | ||
| session_token_(session_token) {} | ||
| Credentials(absl::string_view access_key_id = absl::string_view(), |
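Review bot: the constructor on the last line defaults its first parameter and the visible line carries no explicit keyword, so it can be called with a single argument and acts as a converting constructor from absl::string_view. Suggest marking it explicit so a bare string cannot silently become a Credentials object that holds only an access key.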
Defaulting to absl::string_view() seems unnecessary? For convenience you always have the default constructor Credentials()?
As I already have this constructor, I wouldn't get the default one unless I request it with Credentials() = default. To me it looks simpler to have a single constructor, because relying on the default one would not lead to code reduction.
| cached_credentials_ = Credentials(access_key_id, secret_access_key, session_token); | ||
| } | ||
|
|
||
| Credentials CredentialsProviderChain::getCredentials() { |
Can we have coverage for this function? https://239673-65214191-gh.circle-artifacts.com/0/coverage/coverage.source_extensions_filters_http_common_aws_credentials_provider_impl.cc.html
Thanks for catching that. Added tests.
Signed-off-by: Ivan Vitjuk <ivanvit@amazon.com>

/wait-any
Description:
Added a set of AWS credential providers.
Also added DefaultCredentialsProviderChain which is able to pick the
correct credential provider according to the execution environment it is
running in.
Signed-off-by: Ivan Vitjuk <ivanvit@amazon.com>
Risk Level: Low
Testing: Unit tests added
Docs Changes: Interface classes documented.
Release Notes: N/A
Fixes (partial): #5215
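
The four credential states from the review reply and the provider chain from the description, as an added C++ example that is not code from this PR or from Envoy. Credentials here is a simplified stand-in, and Env, fromEnvironment, resolve and the first-provider-with-an-access-key policy are assumptions.

```cpp
#include <functional>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for the PR's Credentials class (std::string instead of absl types).
// Assumption: components nest, matching the four states listed in the review reply.
class Credentials {
public:
  explicit Credentials(const std::string& key = "", const std::string& secret = "",
                       const std::string& token = "") {
    if (key.empty()) return;    // empty: anonymous, any secret or token is discarded
    access_key_id_ = key;
    if (secret.empty()) return; // access key only, any token is discarded
    secret_access_key_ = secret;
    session_token_ = token;     // an empty token means access key and secret key only
  }
  bool anonymous() const { return access_key_id_.empty(); }
  bool hasSecret() const { return !secret_access_key_.empty(); }
  bool hasSessionToken() const { return !session_token_.empty(); }

private:
  std::string access_key_id_, secret_access_key_, session_token_;
};

using Env = std::map<std::string, std::string>; // constructed stand-in for the environment
using Provider = std::function<Credentials()>;

// Environment provider over an injected map, using the standard AWS variable names.
Credentials fromEnvironment(const Env& env) {
  auto get = [&env](const char* name) -> std::string {
    auto it = env.find(name);
    return it == env.end() ? std::string() : it->second;
  };
  return Credentials(get("AWS_ACCESS_KEY_ID"), get("AWS_SECRET_ACCESS_KEY"),
                     get("AWS_SESSION_TOKEN"));
}

// Assumed chain policy: the first provider that yields an access key wins. If none
// does, the result is empty and the request would be made with anonymous identity.
Credentials resolve(const std::vector<Provider>& chain) {
  for (const auto& provider : chain) {
    Credentials c = provider();
    if (!c.anonymous()) return c;
  }
  return Credentials();
}
```

Under these assumptions a partially configured environment (a secret key with no access key id) resolves to anonymous instead of failing, which is the case worth alerting on when signed requests are expected.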