Use regional STS endpoints for IAM join method#15337
Merged
ptgott approved these changes Aug 9, 2022
Author (Contributor): Friendly ping if you guys can review when you get a chance @gabrielcorado and @zmb3. It looks like the bot chose you for code review as well as docs review.
zmb3 reviewed Aug 12, 2022
| if trace.IsNotFound(err) { | ||
| // Unfortunately we could not find the region from the IMDS, go with | ||
| // the default global endpoint and hope it works. | ||
| log.Info("Unable to find the local AWS region from the environment or IMDSv2. " + |
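Review bot: this `trace.IsNotFound(err)` branch falls back to the global endpoint, which the PR description says knows nothing about IAM identities in the China and GovCloud partitions, so for a Node in those partitions "hope it works" is a guaranteed verification failure rather than a gamble; consider stating that limitation in the comment and in the log message, and pointing the operator at setting the region in the environment, since the description says the environment is the first place the lookup checks before IMDSv2.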
zmb3 (Collaborator): This is a great message. Informative and actionable. Nicely done.
gabrielcorado approved these changes Aug 15, 2022
zmb3 reviewed Aug 15, 2022
zmb3 approved these changes Aug 29, 2022
Contributor: @nklaassen See the table below for backport results.
This was referenced Aug 29, 2022
nklaassen added a commit that referenced this pull request Aug 29, 2022
This was referenced Sep 2, 2022
Fixes #10415
Currently the IAM join method always uses the global STS endpoint `sts.amazonaws.com` as the target for `sts:GetCallerIdentity` requests. These requests are generated and signed on the Node which is joining the cluster, and the Auth server sends them to the actual endpoint to get the response and verify the identity of the Node.

The problem with always using the "global" endpoint is that it knows nothing about IAM identities in China or GovCloud AWS partitions. Those will need to use the regional endpoint, such as `sts.cn-northwest-1.amazonaws.com.cn`. There are regional endpoints in the default partition as well, we just haven't been using those.

With this change, the joining Node will attempt to find its local region from its environment or the EC2 IMDS, and generate the signed `sts:GetCallerIdentity` request for that regional endpoint.

The Auth server must now send the request to the regional endpoint selected by the client. We need to be very careful that the client cannot trick us into using an attacker-controlled endpoint to attempt to verify the client's identity. To do this, we make sure that the given endpoint is a known valid public STS endpoint we will maintain as a static list.
Backward Compatibility
The Auth server will always accept join requests from Nodes on older versions which use the global STS endpoint; it is still supported.
Upgraded Nodes connecting to an older Auth server (if we release this in a minor, likely 10.2) will still work: they will fall back to using the global endpoint if there is any error trying to use the regional endpoint, which they would hit if the Auth server is on a version which does not yet support regional endpoints.
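The two halves of the design above, the Node picking a regional endpoint (falling back to the global one) and the Auth server refusing to contact any host that is not on its static allowlist, as an added Go example. This is not Teleport's code and the function names (`RegionalSTSEndpoint`, `ValidateSTSEndpoint`), the `knownSTSEndpoints` table and the sample hosts in `main` are assumptions constructed for illustration; the real allowlist is maintained in the project, and this one is deliberately short.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// GlobalSTSEndpoint is the endpoint that Nodes on older versions keep using;
// it stays on the allowlist so their join requests still verify.
const GlobalSTSEndpoint = "sts.amazonaws.com"

// ErrUnknownSTSEndpoint is returned for any host not on the static allowlist.
var ErrUnknownSTSEndpoint = errors.New("not a known public STS endpoint")

// knownSTSEndpoints is a constructed, abbreviated stand-in for the static
// allowlist of public STS endpoints described in the PR (assumption: the
// real list is larger and lives in the project).
var knownSTSEndpoints = map[string]bool{
	GlobalSTSEndpoint:                     true,
	"sts.us-east-1.amazonaws.com":         true,
	"sts.us-west-2.amazonaws.com":         true,
	"sts.eu-west-1.amazonaws.com":         true,
	"sts.us-gov-west-1.amazonaws.com":     true, // GovCloud partition
	"sts.cn-northwest-1.amazonaws.com.cn": true, // China partition
}

// hostChars limits the host to plain DNS label characters before the lookup,
// so userinfo ("@"), paths ("/") or extra ports cannot smuggle a second host
// into the URL the Auth server builds.
var hostChars = regexp.MustCompile(`^[a-z0-9.-]+$`)

// RegionalSTSEndpoint is the Node-side choice: given the region discovered
// from the environment or IMDS, return the regional STS host to sign the
// sts:GetCallerIdentity request against. An empty region (lookup failed)
// falls back to the global endpoint.
func RegionalSTSEndpoint(region string) string {
	region = strings.ToLower(strings.TrimSpace(region))
	if region == "" {
		return GlobalSTSEndpoint
	}
	if strings.HasPrefix(region, "cn-") {
		return "sts." + region + ".amazonaws.com.cn"
	}
	return "sts." + region + ".amazonaws.com"
}

// ValidateSTSEndpoint is the Auth-server-side check: it takes the host the
// joining Node chose and returns the URL the signed request may be sent to,
// or an error if the host is not a known public STS endpoint.
func ValidateSTSEndpoint(clientHost string) (string, error) {
	host := strings.ToLower(strings.TrimSpace(clientHost))
	host = strings.TrimSuffix(host, ":443") // explicit HTTPS port is harmless
	host = strings.TrimSuffix(host, ".")    // fully-qualified DNS form
	if host == "" || !hostChars.MatchString(host) {
		return "", fmt.Errorf("refusing STS endpoint %q: host contains characters outside [a-z0-9.-]", clientHost)
	}
	if !knownSTSEndpoints[host] {
		return "", fmt.Errorf("refusing STS endpoint %q: %w", clientHost, ErrUnknownSTSEndpoint)
	}
	return "https://" + host + "/", nil
}

func main() {
	// Constructed sample hosts: three legitimate choices a Node could make and
	// two a malicious client might send to redirect identity verification.
	for _, h := range []string{
		RegionalSTSEndpoint("us-west-2"),
		RegionalSTSEndpoint("cn-northwest-1"),
		RegionalSTSEndpoint(""),
		"sts.attacker.example",
		"sts.amazonaws.com@attacker.example",
	} {
		u, err := ValidateSTSEndpoint(h)
		if err != nil {
			fmt.Printf("%-40s rejected: %v\n", h, err)
			continue
		}
		fmt.Printf("%-40s ok: %s\n", h, u)
	}
}
```

The check is an exact match against the allowlist after a narrow normalisation, not a suffix test: a suffix check such as "ends in .amazonaws.com" would still let a client point the Auth server at an arbitrary host under that domain, while an exact match only ever yields one of the hosts the project itself chose to trust.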