ex-aws / ex_aws_sts


Allow security_token to be set by AssumeRoleWebIdentityAdapter #28

Open sudrao opened 2 years ago

sudrao commented 2 years ago

AWS needs a "security_token" in the request when using AssumeRoleWebIdentity on EKS. But if we try to set it using ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter, there is a recursive loop from AssumeRoleWebIdentityAdapter to ExAws.request() and back to itself.

By using the same technique used for access_key_id and secret_access_key, i.e. setting those config values to a dummy string, we can prevent the recursive callback and have a security_token set by the adapter.

I did try running tests but some of them were failing without my change.

mattcree commented 2 years ago

I was getting this issue using the AssumeRoleCredentialsAdapter and I discovered we were configuring ex_aws in two different places. When I removed the second configuration, this bug never happened again.

vanetix commented 2 years ago

Hey @sudrao thanks for the contribution, and sorry for the delayed response! I'm not super familiar with this particular configuration, so I'll spend some time setting up a reproduction of the issue.

ahamez commented 2 years ago

FWIW: we had no trouble using ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter with EKS, even without this PR.

smoggach-nl commented 1 year ago

I encountered the recursive loop and these changes fixed my issue.

RobinFrcd commented 1 year ago

@ahamez Are you able to tell how you made it work? I tried:

config :ex_aws,
  access_key_id: [{:awscli, "profile_name", 30}, {:system, "AWS_ACCESS_KEY_ID"}, :instance_role],
  secret_access_key: [{:awscli, "profile_name", 30}, {:system, "AWS_SECRET_ACCESS_KEY"}, :instance_role],
  region: [{:awscli, "profile_name", 30}, {:system, "AWS_REGION"}, :instance_role],
  awscli_auth_adapter: ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter

but it didn't work.

Thanks

ahamez commented 1 year ago

@RobinFrcd Sorry, it's been so long ago that I can't remember and I don't have access to the relevant code anymore 😬