awslabs / aws-sdk-rust

AWS SDK for the Rust Programming Language
https://awslabs.github.io/aws-sdk-rust/
Apache License 2.0

Endpoint URL Not Respected By AssumeRoleProvider #1193

Open tustvold opened 2 days ago

tustvold commented 2 days ago

Describe the bug

The AssumeRoleProvider created as part of loading credentials from a profile does not appear to respect the endpoint URL overrides, and continues to talk to sts.amazonaws.com.

Expected Behavior

It should talk to the configured endpoint URL

Current Behavior

It talks to the default STS endpoint

Reproduction Steps

Create a file at /tmp/aws-config with the following content

[profile default]
aws_access_key_id = test
aws_secret_access_key = test

[profile messaging]
role_arn = arn:aws:iam::000000000000:role/messaging
role_session_name = messaging
source_profile = default

Then create a new Rust project with

Cargo.toml

[package]
name = "temp"
version = "0.1.0"
edition = "2021"

[dependencies]
aws-config = "1.5.6"
aws-credential-types = "1.2"
tokio = { version = "1.0", features = ["full"] }

src/main.rs

use aws_credential_types::provider::ProvideCredentials;

#[tokio::main]
async fn main() {
    // Load the shared config; with AWS_PROFILE=messaging this builds an AssumeRoleProvider
    // whose source credentials come from the `default` profile.
    let aws_config = aws_config::defaults(aws_config::BehaviorVersion::latest()).load().await;
    // Force the STS AssumeRole call; this is the request the endpoint override should apply to.
    aws_config.credentials_provider().unwrap().provide_credentials().await.unwrap();
}

Run it with

export AWS_ENDPOINT_URL=http://127.0.0.1:4566
export AWS_CONFIG_FILE=/tmp/aws-config
export AWS_PROFILE=messaging
cargo run

Get the following error

called `Result::unwrap()` on an `Err` value: ProviderError(ProviderError { source: ProviderError(ProviderError { source: ServiceError(ServiceError { source: Unhandled(Unhandled { source: ErrorMetadata { code: Some("InvalidClientTokenId"), message: Some("The security token included in the request is invalid."), extras: Some({"aws_request_id": "64665aaf-2926-429c-999d-6f22f439d5e3"}) }, meta: ErrorMetadata { code: Some("InvalidClientTokenId"), message: Some("The security token included in the request is invalid."), extras: Some({"aws_request_id": "64665aaf-2926-429c-999d-6f22f439d5e3"}) } }), raw: Response { status: StatusCode(403), headers: Headers { headers: {"x-amzn-requestid": HeaderValue { _private: H0("64665aaf-2926-429c-999d-6f22f439d5e3") }, "content-type": HeaderValue { _private: H0("text/xml") }, "content-length": HeaderValue { _private: H0("306") }, "date": HeaderValue { _private: H0("Thu, 19 Sep 2024 16:19:07 GMT") }} }, body: SdkBody { inner: Once(Some(b"<ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <Error>\n    <Type>Sender</Type>\n    <Code>InvalidClientTokenId</Code>\n    <Message>The security token included in the request is invalid.</Message>\n  </Error>\n  <RequestId>64665aaf-2926-429c-999d-6f22f439d5e3</RequestId>\n</ErrorResponse>\n")), retryable: true }, extensions: Extensions { extensions_02x: Extensions, extensions_1x: Extensions } } }) }) })

Crucially, this does not require localstack to be running, as it completely ignores the configured endpoint URL.

Possible Solution

No response

Additional Information/Context

https://github.com/awslabs/aws-sdk-rust/issues/921 is related, but it would appear https://github.com/smithy-lang/smithy-rs/pull/3014 was only a partial fix

Version

aws-config = 1.5.6
aws-credential-types = 1.2.1

Environment details (OS name and version, etc.)

x86_64 GNU/Linux

Logs

No response
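As an added check (not code from the issue or from the SDK), a dependency-free Rust model of what the repro's profile chain and environment should resolve to, so the expected STS endpoint can be compared with the host the error body names (its xmlns points at sts.amazonaws.com). The precedence encoded in expected_sts_endpoint is an assumption based on the AWS SDK endpoint-configuration rules, not something the issue states.

```rust
use std::collections::HashMap;

/// Constructed copy of the /tmp/aws-config file from the report.
pub const CONFIG: &str = "[profile default]
aws_access_key_id = test
aws_secret_access_key = test

[profile messaging]
role_arn = arn:aws:iam::000000000000:role/messaging
role_session_name = messaging
source_profile = default
";

pub type Profiles = HashMap<String, HashMap<String, String>>;

/// Minimal parser for the `[profile name]` / `key = value` layout used above.
pub fn parse_config(text: &str) -> Profiles {
    let mut profiles = Profiles::new();
    let mut current = String::new();
    for line in text.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("[profile ").and_then(|s| s.strip_suffix(']')) {
            current = name.trim().to_string();
            profiles.entry(current.clone()).or_default();
        } else if let Some((k, v)) = line.split_once('=') {
            let entry = profiles.entry(current.clone()).or_default();
            entry.insert(k.trim().to_string(), v.trim().to_string());
        }
    }
    profiles
}

/// Follows `source_profile` links from `start`; the last name is the profile whose static
/// keys sign the AssumeRole request. Stops on a missing profile or a cycle.
pub fn credential_chain(profiles: &Profiles, start: &str) -> Vec<String> {
    let mut chain = vec![start.to_string()];
    while let Some(next) = profiles.get(chain.last().unwrap()).and_then(|p| p.get("source_profile")) {
        if chain.contains(next) {
            break;
        }
        chain.push(next.clone());
    }
    chain
}

/// Endpoint the AssumeRole call is expected to target. Precedence (assumed, following the
/// AWS SDK endpoint rules): AWS_ENDPOINT_URL_STS, AWS_ENDPOINT_URL, `endpoint_url` in the
/// profile, else the global STS endpoint seen in the report's error.
pub fn expected_sts_endpoint(env: &HashMap<&str, &str>, profile: &HashMap<String, String>) -> String {
    env.get("AWS_ENDPOINT_URL_STS")
        .or_else(|| env.get("AWS_ENDPOINT_URL"))
        .map(|s| s.to_string())
        .or_else(|| profile.get("endpoint_url").cloned())
        .unwrap_or_else(|| "https://sts.amazonaws.com".to_string())
}

fn main() {
    let profiles = parse_config(CONFIG);
    // Constructed environment matching the repro's `export` lines.
    let env = HashMap::from([("AWS_ENDPOINT_URL", "http://127.0.0.1:4566")]);
    println!("credential chain: {:?}", credential_chain(&profiles, "messaging"));
    println!("expected STS endpoint: {}", expected_sts_endpoint(&env, &profiles["messaging"]));
}
```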

aajtodd commented 2 days ago

Thanks for the short repro example, I've been able to reproduce this, looking into it.