sicoyle
commented
1 week ago I'm trying to inject mocked creds to make conformance tests pass for some of the aws components, but not too familiar with their setup. Clearly I need to adjust this further bc they're all failing... maybe add an IAM role on the terraform for IAM roles anywhere? or inject mock creds somewhere else? I had to do that for the unit tests for some of them... 🫠 I will come back to this tomorrow morning.
=== RUN TestSecretStoreConformance/aws.secretsmanager.docker/get/get
secretstores.go:84:
Error Trace: /home/runner/work/components-contrib/components-contrib/tests/conformance/secretstores/secretstores.go:84
Error: Received unexpected error:
couldn't get secret: UnrecognizedClientException: The security token included in the request is invalid.
status code: 400, request id: fbf08edb-02d5-47d2-b[60](https://github.com/dapr/components-contrib/actions/runs/11807458135/job/32894166961?pr=3591#step:24:61)a-4dcb432b6e8f
Test: TestSecretStoreConformance/aws.secretsmanager.docker/get/get
Messages: expected no error on getting secret {conftestsecret map[]}
--- FAIL: TestSecretStoreConformance/aws.secretsmanager.docker/get/get (0.06s)
--- FAIL: TestSecretStoreConformance/aws.secretsmanager.docker/get (0.06s)
=== RUN TestSecretStoreConformance/aws.secretsmanager.docker/bulkGet
=== RUN TestSecretStoreConformance/aws.secretsmanager.docker/bulkGet/bulkget
secretstores.go:105:
Error Trace: /home/runner/work/components-contrib/components-contrib/tests/conformance/secretstores/secretstores.go:105
Error: Received unexpected error:
couldn't list secrets: UnrecognizedClientException: The security token included in the request is invalid.
status code: 400, request id: 4[70](https://github.com/dapr/components-contrib/actions/runs/11807458135/job/32894166961?pr=3591#step:24:71)14dae-011e-41ee-8420-d71d91fcb48d
Test: TestSecretStoreConformance/aws.secretsmanager.docker/bulkGet/bulkget
Messages: expected no error on getting secret {map[]}
--- FAIL: TestSecretStoreConformance/aws.secretsmanager.docker/bulkGet/bulkget (0.02s)
--- FAIL: TestSecretStoreConformance/aws.secretsmanager.docker/bulkGet (0.02s)
--- FAIL: TestSecretStoreConformance/aws.secretsmanager.docker (0.08s)
--- FAIL: TestSecretStoreConformance (0.08s)
elena-kolevska
dapr-bot
cicoyle
Description
The overall logic for this auth profile + it's proper rotation is completed. I just need to update to add a mock for the authprovider clients, update the rest of the existing tests, and wrap up adding new ones.
Summary: Add an auth profile for using AWS IAM Roles Anywhere. This leverages x.509 certificates to establish trust between an AWS account and a trusted certificate authority. Here, we can use the Dapr SVID very nicely.
I had to do an overhaul on the existing AWS IAM setup because now it is the case that there is the existing static IAM auth with things like accesskeys, secretkeys, etc. However, now, I'm adding temporary auth that Dapr is responsible for rotating. Default expiration time with AWS for IAM Roles Anywhere session durations is 1hour, so that is our default with a rotation when we've hit half of that time in a goroutine if that auth profile is picked up. If a user sets a session duration for timeout, then we will not rotate the credentials.
This applies to all existing AWS components.
I plan to add for Postgres + Kafka in a secondary PR since this one is already so beefy.
Issue reference
We strive to have all PR being opened based on an issue, where the problem or feature have been discussed prior to implementation.
Please reference the issue this PR will close: #[issue number]
Checklist
Please make sure you've completed the relevant tasks for this PR, out of the following list: