Open sudrao opened 2 years ago
I was getting this issue using the AssumeRoleCredentialsAdapter and I discovered we were configuring ex_aws in two different places. When I removed the second configuration, this bug never happened again.
Hey @sudrao thanks for the contribution, and sorry for the delayed response! I'm not super familiar with this particular configuration, so I'll spend some time setting up a reproduction of the issue.
FWIW: we had no trouble using ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter with EKS, even without this PR.
I encountered the recursive loop and these changes fixed my issue.
@ahamez Are you able to tell how you made it work? I tried:

```elixir
config :ex_aws,
  access_key_id: [{:awscli, "profile_name", 30}, {:system, "AWS_ACCESS_KEY_ID"}, :instance_role],
  secret_access_key: [{:awscli, "profile_name", 30}, {:system, "AWS_SECRET_ACCESS_KEY"}, :instance_role],
  region: [{:awscli, "profile_name", 30}, {:system, "AWS_REGION"}, :instance_role],
  awscli_auth_adapter: ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter
```

but it didn't work.
Thanks
@RobinFrcd Sorry, it was so long ago that I can't remember and I don't have access to the relevant code anymore 😬
AWS needs a "security_token" in the request when using AssumeRoleWebIdentity on EKS. But if we try to set it using ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter, there is a recursive loop from AssumeRoleWebIdentityAdapter to ExAws.request() and back to itself.
By using the same technique used for access_key_id and secret_access_key, i.e. setting those config values to a dummy string, we can prevent the recursive callback and have a security_token set by the adapter.
I did try running tests but some of them were failing without my change.