When resolving EcsContainer as source in the ini provider, also include fromHttp next to fromContainerMetadata.
When resolving credentials in the ini provider using an assume role source_profile, do not require the source_profile to declare a role_arn. The role_arn should be declared by the origin profile.
Improve logging information for the credential chain process.
CredentialsProviderError: 169.254.170.23 is not a valid container metadata service hostname

This is the superficial error, which makes it look like we need to add more hosts to the hardcoded allowlist within packages/credential-provider-imds/src/fromContainerMetadata.ts.
However, this is misleading, since the default credential provider chain in AWS SDKs for Node.js has many steps, and only reports the final terminal exception. There are actually many thrown & caught exceptions along the way as each credential provider within the chain is attempted.
The @aws-sdk/credential-provider-ini pkg, which is part of the default chain and is responsible for file-configured assumeRole credential resolution, does not route to the newer fromHttp provider, only the older fromContainerMetadata provider. The fix PR will add this.
The same package, when merging a source_profile, expects the source_profile to also have a role_arn. This is a separate bug, and I believe this isn't consistent with our docs at https://docs.aws.amazon.com/sdkref/latest/guide/feature-assume-role-credentials.html. It is not the source profile that should have a role_arn, it is the root profile.
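The profile-chain rules described above, as an added TypeScript illustration that is not the SDK's own code: a small parser for the shared config format plus a hypothetical resolveChain helper that follows source_profile references, requires role_arn only on the origin profile (a source profile may be plain static credentials), and treats credential_source = EcsContainer as a candidate for both fromHttp and fromContainerMetadata. The config text, profile names and provider labels are constructed for the example.

```typescript
type Profile = Record<string, string>;
type Profiles = Record<string, Profile>;
// Minimal parser for the "[profile name]" / "key = value" layout of ~/.aws/config.
function parseConfig(text: string): Profiles {
  const profiles: Profiles = {};
  let current: Profile | undefined;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) { current = profiles[section[1]] = {}; continue; }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && current) current[kv[1]] = kv[2];
  }
  return profiles;
}

// Hypothetical helper (not an SDK API): lists resolution steps innermost first.
function resolveChain(profiles: Profiles, name: string, seen = new Set<string>()): string[] {
  if (seen.has(name)) throw new Error(`circular source_profile reference at ${name}`);
  seen.add(name);
  const p = profiles[name];
  if (!p) throw new Error(`profile ${name} not found`);
  if (p.role_arn) {
    let base: string[];
    if (p.source_profile) {
      // The source profile need not declare role_arn; it only supplies base credentials.
      base = resolveChain(profiles, p.source_profile, seen);
    } else if (p.credential_source === "EcsContainer") {
      base = ["container:fromHttp|fromContainerMetadata"]; // both providers are candidates
    } else throw new Error(`profile ${name} has role_arn but no usable source`);
    return [...base, `assumeRole:${p.role_arn}`];
  }
  if (p.aws_access_key_id && p.aws_secret_access_key) return [`static:${name}`];
  throw new Error(`profile ${name} has neither role_arn nor static credentials`);
}

// Constructed sample config: "app" chains to static creds, "ecs-app" to the container source.
const sampleConfig = `
[profile base]
aws_access_key_id = AKIA_EXAMPLE_ONLY
aws_secret_access_key = EXAMPLE_SECRET_ONLY
[profile app]
role_arn = arn:aws:iam::123456789012:role/app-role
source_profile = base
[profile ecs-app]
role_arn = arn:aws:iam::123456789012:role/ecs-role
credential_source = EcsContainer
`;
```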
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.
Issue
Investigating https://github.com/smithy-lang/smithy-typescript/pull/1288
This PR requires that https://github.com/smithy-lang/smithy-typescript/pull/1290 be published. It uses new APIs from that PR.
Description
Fixes:
- When resolving EcsContainer as source in the ini provider, also include fromHttp next to fromContainerMetadata.
- When resolving credentials in the ini provider using an assume role source_profile, do not require the source_profile to declare a role_arn. The role_arn should be declared by the origin profile.
- Improve logging information for the credential chain process.

Explanation from smithy-ts#1288:

CredentialsProviderError: 169.254.170.23 is not a valid container metadata service hostname

This is the superficial error, which makes it look like we need to add more hosts to the hardcoded allowlist within packages/credential-provider-imds/src/fromContainerMetadata.ts. The real root cause has two parts:
- The @aws-sdk/credential-provider-ini pkg, which is part of the default chain and is responsible for file-configured assumeRole credential resolution, does not route to the newer fromHttp provider, only the older fromContainerMetadata provider. The fix PR will add this.
- The same package, when merging a source_profile, expects the source_profile to also have a role_arn. This is a separate bug, and I believe this isn't consistent with our docs at https://docs.aws.amazon.com/sdkref/latest/guide/feature-assume-role-credentials.html. It is not the source profile that should have a role_arn, it is the root profile.

Testing