Open ofeki-neosec opened 1 year ago
Hi ofeki-neosec@, I tried to reproduce the issue. I've made a simple modification to the tink-java-awskms example from tink-java-awskms@HEAD adding:

```java
KmsClient c = new AwsKmsClient()
    .withCredentialsProvider(new WebIdentityTokenCredentialsProvider());
String ciphertext = c.getAead(masterKeyUri).encrypt(plaintext, associatedData);
```

and modifying examples/maven/pom.xml to use tink-java@1.9.0 and tink-java-awskms@1.8.0.
Building/testing with:

```sh
readonly AWS_CREDENTIALS="testdata/aws/credentials.cred"
readonly AWS_TEST_KEY_URI="aws-kms://arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f"
# Run the local test Maven example.
mvn package --no-snapshot-updates -f examples/maven/pom.xml
mvn exec:java --no-snapshot-updates -f examples/maven/pom.xml \
  -Dexec.args="keyset.json ${AWS_CREDENTIALS} ${AWS_TEST_KEY_URI}"
```
I get exactly the same error:

```
Caused by: com.amazonaws.SdkClientException: To use assume role profiles the aws-java-sdk-sts module must be on the class path.
...
Caused by: java.lang.ClassNotFoundException: com.amazonaws.services.securitytoken.internal.STSProfileCredentialsService
    at java.net.URLClassLoader.findClass (URLClassLoader.java:476)
    at java.lang.ClassLoader.loadClass (ClassLoader.java:589)
    at java.lang.ClassLoader.loadClass (ClassLoader.java:522)
    at java.lang.Class.forName0 (Native Method)
    at java.lang.Class.forName (Class.java:315)
```
However, when I add the following:

```xml
<dependency>
  <groupId>com.amazonaws</groupId>
  <artifactId>aws-java-sdk-sts</artifactId>
  <version>1.12.501</version>
</dependency>
```

to the example's pom file, I no longer get this error (I do get another unrelated one though, due to not setting credentials correctly).

How are you adding aws-java-sdk-sts to your classpath? Could you please provide some more details of your setting?
Hi @ofeki-neosec is this still an issue for your setting?
We recently encountered the same issue - got the same exact error message as @ofeki-neosec did, added the 'aws-java-sdk-sts' dependency to the pom.xml file, but the error didn't go away.

We use the Maven Shade plugin to build an uber jar for deployment, and set the minimizeJar to true. It turned out the minimizing process decided the application didn't need the sts dependency, probably because the contact-point class 'STSProfileCredentialsService' is dynamically loaded and instantiated by name.

Therefore the solution to our problem is to specifically mark the aws-java-sdk-sts artifact for inclusion in a filter (supported since plugin version 1.6). If your project utilizes any shading/minimizing features, you could look into them and see if that's the cause of your issue.
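The pom.xml fragment below is an added illustration of the workaround described in the comment above; it is not code from the thread or from the Tink project. It assumes the Maven Shade plugin's documented `minimizeJar` and `filters` configuration, and the plugin version number is a placeholder to adjust for your build. Because `STSProfileCredentialsService` is loaded by name via `Class.forName`, the minimizer's static reachability analysis cannot see it, so the `aws-java-sdk-sts` artifact has to be pinned with an explicit include filter; without that filter, the uber jar silently drops the STS classes and the `ClassNotFoundException` from the issue reappears at runtime.

```xml
<!-- Added example (not from the thread): keep aws-java-sdk-sts in a minimized shaded jar. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>3.5.0</version> <!-- placeholder: any version >= 1.6 supports artifact filters -->
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>shade</goal>
          </goals>
          <configuration>
            <!-- The weak setting on its own: minimizeJar=true prunes every class the
                 static analysis thinks is unused, including classes only reached
                 through Class.forName, such as STSProfileCredentialsService. -->
            <minimizeJar>true</minimizeJar>
            <filters>
              <!-- The fix: mark the whole STS artifact for inclusion so the
                   minimizer never strips it, regardless of reachability. -->
              <filter>
                <artifact>com.amazonaws:aws-java-sdk-sts</artifact>
                <includes>
                  <include>**</include>
                </includes>
              </filter>
            </filters>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

A quick check after `mvn package` is to list the shaded jar with `jar tf` (or `unzip -l`) and confirm that `com/amazonaws/services/securitytoken/internal/STSProfileCredentialsService.class` is present; if it is missing, the filter is not being applied to the execution that actually produces the deployed artifact. The `aws-java-sdk-sts` dependency itself must still be declared in `<dependencies>`; the filter only controls what the minimizer keeps from dependencies already on the classpath.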
Help us help you
We'd like to know more about your Tink deployment.
Describe the bug: When using WebIdentityTokens, I get the following message in debug:

This does not allow me to use Tink in EKS with IRSA enabled.

What was the expected behavior? I want Tink to be able to use WebIdentityTokens, and it needs the aws-java-sdk-sts module to be on the class path to do that.

How can we reproduce the bug? Try to use Tink in EKS with IRSA.

Do you have any debugging information?
If applicable, include error messages, stack traces, or any other debugging information.

What version of Tink are you using?
1.6.1, but I don't see that the fix was deployed in 1.7.0 either.

Can you tell us more about your development environment?
JDK 11

Is there anything else you'd like to add?
The solution is to add aws-java-sdk-sts to the list of dependencies for this module. I tried adding it as a dependency to my program, but it didn't do the trick.