Extract aws region from the URL

Signed-off-by: Taras <9948629+taraspos@users.noreply.github.com>

Author: taraspos

auth/aws/provider.go

@@ -22,6 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"regexp"
 	"strings"
@@ -410,29 +411,36 @@ func (signerHeaderHostOnly) IsSigned(h string) bool {
 	return h == "host"
 }
 
-// NewCodeCommitGitToken returns HTTPS Git credentials for AWS CodeCommit.
-func (Provider) NewCodeCommitGitCredentials(_ context.Context, accessTokens []auth.Token, opts ...auth.Option) (string, string, error) {
-	var o auth.Options
-	o.Apply(opts...)
-
-	gitURL := o.GitURL
+// GetRegionFromCodeCommitURL extracts the AWS region from a CodeCommit HTTPS
+// git URL (e.g. https://git-codecommit.us-east-1.amazonaws.com/...).
+// Returns an error if the URL is nil, not HTTPS, or not a valid CodeCommit URL.
+// https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git
+func GetRegionFromCodeCommitURL(gitURL *url.URL) (string, error) {
 	if gitURL == nil {
-		return "", "", fmt.Errorf("Git URL must be specified for AWS CodeCommit authentication")
+		return "", fmt.Errorf("Git URL must be specified for AWS CodeCommit authentication")
 	}
 	if !strings.EqualFold(gitURL.Scheme, "https") {
-		return "", "", fmt.Errorf("AWS CodeCommit authentication requires an HTTPS Git URL")
+		return "", fmt.Errorf("AWS CodeCommit authentication requires an HTTPS Git URL")
 	}
-
 	urlSplit := strings.Split(gitURL.Hostname(), ".")
-
-	// https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git
 	if len(urlSplit) < 4 ||
 		!(strings.HasPrefix(gitURL.Hostname(), "git-codecommit.") || strings.HasPrefix(gitURL.Hostname(), "git-codecommit-fips.")) ||
 		!(strings.HasSuffix(gitURL.Hostname(), ".amazonaws.com") || strings.HasSuffix(gitURL.Hostname(), ".amazonaws.com.cn")) {
-		return "", "", fmt.Errorf("invalid AWS CodeCommit Git URL: %s", gitURL.Host)
+		return "", fmt.Errorf("invalid AWS CodeCommit Git URL: %s", gitURL.Host)
 	}
+	return urlSplit[1], nil
+}
 
-	region := urlSplit[1]
+// NewCodeCommitGitToken returns HTTPS Git credentials for AWS CodeCommit.
+func (Provider) NewCodeCommitGitCredentials(_ context.Context, accessTokens []auth.Token, opts ...auth.Option) (string, string, error) {
+	var o auth.Options
+	o.Apply(opts...)
+
+	gitURL := o.GitURL
+	region, err := GetRegionFromCodeCommitURL(gitURL)
+	if err != nil {
+		return "", "", err
+	}
 	if len(accessTokens) == 0 {
 		return "", "", fmt.Errorf("AWS access token is required for region %q", region)
 	}

auth/aws/provider_test.go

@@ -83,7 +83,7 @@ func TestProvider_NewControllerToken(t *testing.T) {
 			}
 
 			provider := aws.Provider{Implementation: impl}
-			token, err := provider.NewControllerToken(context.Background(), opts...)
+			token, err := provider.NewControllerToken(t.Context(), opts...)
 
 			if tt.err == "" {
 				g.Expect(err).NotTo(HaveOccurred())
@@ -538,6 +538,63 @@ func TestProvider_GetAccessTokenOptionsForCluster(t *testing.T) {
 	g.Expect(o.STSRegion).To(Equal("us-west-2"))
 }
 
+func TestGetRegionFromCodeCommitURL(t *testing.T) {
+	for _, tt := range []struct {
+		name           string
+		gitURL         string
+		expectedRegion string
+		err            string
+	}{
+		{
+			name:           "valid CodeCommit URL",
+			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			expectedRegion: "us-east-1",
+		},
+		{
+			name:           "valid CodeCommit FIPS URL",
+			gitURL:         "https://git-codecommit-fips.us-west-2.amazonaws.com/v1/repos/test-repo",
+			expectedRegion: "us-west-2",
+		},
+		{
+			name:           "valid CodeCommit China URL",
+			gitURL:         "https://git-codecommit.cn-north-1.amazonaws.com.cn/v1/repos/test-repo",
+			expectedRegion: "cn-north-1",
+		},
+		{
+			name: "nil URL",
+			err:  "Git URL must be specified for AWS CodeCommit authentication",
+		},
+		{
+			name:   "non-HTTPS URL",
+			gitURL: "http://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			err:    "AWS CodeCommit authentication requires an HTTPS Git URL",
+		},
+		{
+			name:   "invalid CodeCommit URL",
+			gitURL: "https://github.com/org/repo",
+			err:    "invalid AWS CodeCommit Git URL: github.com",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			var parsedURL *url.URL
+			if tt.gitURL != "" {
+				var err error
+				parsedURL, err = url.Parse(tt.gitURL)
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+			region, err := aws.GetRegionFromCodeCommitURL(parsedURL)
+			if tt.err != "" {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(region).To(Equal(tt.expectedRegion))
+			}
+		})
+	}
+}
+
 func TestProvider_NewCodeCommitGitCredentials(t *testing.T) {
 	invalidToken := &generic.Token{Token: "invalid", ExpiresAt: time.Now().Add(time.Hour)}
 	proxyUrl := url.URL{Scheme: "http", Host: "proxy.example.com"}

auth/utils/git.go

@@ -50,6 +50,18 @@ func GetGitCredentials(ctx context.Context, providerName string, opts ...auth.Op
 	case aws.ProviderName:
 		provider := aws.Provider{}
 		awsOpts := slices.Clone(opts)
+
+		// Extract the region from the CodeCommit URL and inject it as STSRegion
+		// before calling GetAccessToken. This will ensure that it's possible to call AWS SDK
+		// even without AWS_REGION environment variable.
+		var o auth.Options
+		o.Apply(awsOpts...)
+		if o.STSRegion == "" && o.GitURL != nil {
+			if region, err := aws.GetRegionFromCodeCommitURL(o.GitURL); err == nil {
+				awsOpts = append(awsOpts, auth.WithSTSRegion(region))
+			}
+		}
+
 		token, err := auth.GetAccessToken(ctx, provider, awsOpts...)
 		if err != nil {
 			return nil, err

auth/utils/git_test.go

@@ -60,4 +60,21 @@ func TestGetGitCredentials(t *testing.T) {
 		g.Expect(err.Error()).To(ContainSubstring("failed to create provider access token"))
 		g.Expect(p).To(BeNil())
 	})
+
+	t.Run("aws/region extracted from URL", func(t *testing.T) {
+		// When no STSRegion is provided but a CodeCommit git URL is given, the
+		// region should be extracted automatically so that object-level workload
+		// identity (NewTokenForServiceAccount) receives a non-empty STSRegion.
+		g := NewWithT(t)
+		region := "eu-west-1"
+		u, err := url.Parse(fmt.Sprintf("https://git-codecommit.%s.amazonaws.com/v1/repos/repo-name", region))
+		g.Expect(err).ToNot(HaveOccurred())
+		// No AWS_REGION env var set and no WithSTSRegion option – the region must
+		// be derived from the URL. The call still fails (no real AWS credentials)
+		opts := []auth.Option{auth.WithGitURL(*u)}
+		p, err := authutils.GetGitCredentials(context.Background(), "aws", opts...)
+		g.Expect(err).To(HaveOccurred())
+		g.Expect(err.Error()).NotTo(ContainSubstring("an AWS region is required"))
+		g.Expect(p).To(BeNil())
+	})
 }