Add external account on ECS support. #324

Open
alu wants to merge 3 commits into yoshidan:main from alu:main
Conversation

alu (Contributor) commented Nov 20, 2024

The URL to obtain credentials in ECS is different from EC2.
Therefore, support has been added.

https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html

yoshidan added the `safe to test` label Nov 24, 2024

i10416 commented Nov 27, 2024

Hello, I accidentally found this PR while exploring the design to implement AWS external account subject token for gcloud-sdk-rs (see abdolence/gcloud-sdk-rs#172), which is another Google Cloud SDK crate.

I found the official AWS SDK provides the abstraction over credentials lookup mechanism named DefaultCredentialsChain.

It covers

  1. Environment variables: EnvironmentVariableCredentialsProvider
  2. Shared config (~/.aws/config, ~/.aws/credentials): SharedConfigCredentialsProvider
  3. Web Identity Tokens
  4. ECS (IAM Roles for Tasks) & general HTTP credentials: ecs
  5. EC2 IMDSv2

Unless maintainers and you intentionally re-invent the wheel to avoid additional dependencies, I recommend using DefaultCredentialsChain in order to reduce maintenance burden and potential bugs.

https://github.com/awslabs/aws-sdk-rust/blob/a970bb68a57b8d44d2737b18897b95eaa49f7dd8/sdk/aws-config/src/default_provider/credentials.rs#L25

yoshidan (Owner) commented Nov 28, 2024

@i10416
Thank you for your suggestion. I will consider using aws-sdk-rust as I do not wish to reinvent the wheel.

@alu
Thank you for your contribution.
This crate is based on google-cloud-go. The original aws-provider.go in google-cloud-go doesn't have ECS support directly.
https://github.com/googleapis/google-cloud-go/blob/d8bc98307985b6db284e75e85ec5c7af87748c81/auth/credentials/internal/externalaccount/aws_provider.go#L247

Instead of including a specific ECS support implementation (e.g. 169.254.170.2) in this crate,
we would like to receive and execute the SecurityCredentialsProvider trait in the same way as the Go implementation.
Then you should be able to use aws-sdk-rust.
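As an added illustration of the design the maintainer describes above (this is example code written for this page, not code from the PR, from this crate, or from google-cloud-go), the sketch below shows a hypothetical `SecurityCredentialsProvider` trait that the crate would accept from the caller, one provider backed by the standard `AWS_*` environment variables, and a helper that resolves the ECS container credential endpoint from the variables documented on the AWS page linked in the PR description (`AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`, which is relative to `169.254.170.2`, and `AWS_CONTAINER_CREDENTIALS_FULL_URI`). The trait and type names, the error type, and the allow-list of hosts a plaintext-HTTP full URI may target are assumptions made for the example; the allow-list is modelled on the restriction the AWS SDKs apply so that a mis-set or attacker-influenced variable cannot redirect the credential fetch to an arbitrary host.

```rust
use std::collections::HashMap;

/// Credentials a provider hands back (hypothetical type, modelled on what the
/// Go SecurityCredentialsProvider in google-cloud-go returns).
#[derive(Debug, Clone, PartialEq)]
pub struct AwsSecurityCredentials {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum CredentialError {
    Missing(&'static str),
    DisallowedEndpoint(String),
}

/// Hypothetical trait mirroring the Go interface the maintainer refers to: the
/// crate asks for region and credentials, and the caller decides where they
/// come from (env vars, aws-sdk-rust's DefaultCredentialsChain, ECS, ...).
pub trait SecurityCredentialsProvider {
    fn aws_region(&self) -> Result<String, CredentialError>;
    fn aws_security_credentials(&self) -> Result<AwsSecurityCredentials, CredentialError>;
}

/// Provider backed by the standard AWS_* environment variables.
pub struct EnvCredentialsProvider {
    env: HashMap<String, String>,
}

impl EnvCredentialsProvider {
    pub fn from_map(env: HashMap<String, String>) -> Self {
        Self { env }
    }
    pub fn from_process() -> Self {
        Self::from_map(std::env::vars().collect())
    }
}

impl SecurityCredentialsProvider for EnvCredentialsProvider {
    fn aws_region(&self) -> Result<String, CredentialError> {
        self.env
            .get("AWS_REGION")
            .or_else(|| self.env.get("AWS_DEFAULT_REGION"))
            .cloned()
            .ok_or(CredentialError::Missing("AWS_REGION"))
    }
    fn aws_security_credentials(&self) -> Result<AwsSecurityCredentials, CredentialError> {
        let get = |k: &'static str| self.env.get(k).cloned().ok_or(CredentialError::Missing(k));
        Ok(AwsSecurityCredentials {
            access_key_id: get("AWS_ACCESS_KEY_ID")?,
            secret_access_key: get("AWS_SECRET_ACCESS_KEY")?,
            session_token: self.env.get("AWS_SESSION_TOKEN").cloned(),
        })
    }
}

/// Hosts a plaintext-HTTP container endpoint may point at (assumed allow-list,
/// modelled on the AWS SDKs': loopback plus the ECS/EKS link-local addresses).
const ALLOWED_CONTAINER_HOSTS: &[&str] =
    &["localhost", "127.0.0.1", "::1", "169.254.170.2", "169.254.170.23", "fd00:ec2::23"];

/// Minimal URL split: returns (scheme, host) with userinfo and port removed.
fn host_of(url: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(['/', '?', '#']).next().unwrap_or("");
    let host_port = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let host = if let Some(stripped) = host_port.strip_prefix('[') {
        stripped.split(']').next().unwrap_or("")
    } else {
        host_port.split(':').next().unwrap_or("")
    };
    Some((scheme, host))
}

/// Resolve the container credential URL from the env vars documented by AWS.
/// Returns Ok(None) when neither variable is set (i.e. not running in ECS).
pub fn container_credentials_url(
    env: &HashMap<String, String>,
) -> Result<Option<String>, CredentialError> {
    if let Some(rel) = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") {
        return Ok(Some(format!("http://169.254.170.2{}", rel)));
    }
    let Some(full) = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI") else {
        return Ok(None);
    };
    match host_of(full) {
        Some(("https", _)) => Ok(Some(full.clone())),
        Some(("http", host)) if ALLOWED_CONTAINER_HOSTS.contains(&host) => Ok(Some(full.clone())),
        _ => Err(CredentialError::DisallowedEndpoint(full.clone())),
    }
}

fn main() {
    let env: HashMap<String, String> = std::env::vars().collect();
    match container_credentials_url(&env) {
        Ok(Some(url)) => println!("container credential endpoint: {url}"),
        Ok(None) => println!("no container credential endpoint configured"),
        Err(e) => println!("refusing endpoint: {e:?}"),
    }
    let provider = EnvCredentialsProvider::from_process();
    println!("region: {:?}", provider.aws_region());
}
```

With this shape the crate never hard-codes the ECS address itself: a caller in ECS passes a provider that fetches from the resolved endpoint (the real HTTP call is left out here), while a caller that prefers aws-sdk-rust wraps DefaultCredentialsChain in the same trait.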

alu (Contributor, Author) commented Dec 2, 2024

@yoshidan So what should I do? Is there anything I can do to help?
