aws-sdk-go-v2
StaticCredentialsProvider and SessionTokens
Confirm by changing [ ] to [x] below:
- [x] I've gone through the API reference
- [x] I've checked AWS Forums and StackOverflow for answers
Describe the question
Why does the NewStaticCredentialsProvider take a SessionToken if the StaticCredentialsProvider is a set of credentials that will never expire? By definition, SessionTokens expire.
```go
// A StaticCredentialsProvider is a set of credentials which are set, and will
// never expire.
type StaticCredentialsProvider struct {
	Value aws.Credentials
}

// NewStaticCredentialsProvider return a StaticCredentialsProvider initialized with the AWS
// credentials passed in.
func NewStaticCredentialsProvider(key, secret, session string) StaticCredentialsProvider {
	return StaticCredentialsProvider{
		Value: aws.Credentials{
			AccessKeyID:     key,
			SecretAccessKey: secret,
			SessionToken:    session,
		},
	}
}
```
https://github.com/aws/aws-sdk-go-v2/blob/f8d40e3f2986a7e65e515c9c3ae06c07efc7d887/credentials/static_provider.go#L21-L37
Hi @th11, so that is there for temporary security credentials retrieved via STS; if that's not the use case, you can (and should) put an empty string there. So yea, I don't know if I misunderstood something in the question, but let me know if I did or if you have other questions.
@KaibaLopez - thanks for your reply. It doesn't look like this implementation supports temporary credentials because aws.Credentials.CanExpire and aws.Credentials.Expires are never set. Therefore, when wrapped in the CredentialsCache they never expire as far as I can tell. Is this the intended behavior?
Ok I see your point, yea the StaticCredentialsProvider does not set expiration and as a short answer to the question, yes, manually modifying these values once the credentials are returned is the intended behavior.
That being said, it makes sense to me that if you provide a session token you'd expect these values to be assigned, so maybe this could be a feature request or a PR to account for that.
Closing as original question has been answered. A static credential provider is easy to recreate should the one shipped with the SDK not meet your needs.
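The thread's suggestion of recreating a static provider, sketched as an added example (not code from the SDK or from any participant): a provider that sets `CanExpire` and `Expires` when a session token is supplied and refuses to return credentials past their expiry. `Credentials` here is a local stand-in with the fields named in the thread so the block runs without the SDK; `ExpiringStaticProvider`, `NewExpiringStaticProvider`, the `Now` clock hook and the key values are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Credentials is a local stand-in carrying the aws.Credentials fields discussed in the thread.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	CanExpire                                  bool
	Expires                                    time.Time
}

// Expired reports whether the credentials can expire and the expiry is not after now.
func (c Credentials) Expired(now time.Time) bool {
	return c.CanExpire && !c.Expires.After(now)
}

// ExpiringStaticProvider (hypothetical name) holds fixed credentials plus their expiry.
type ExpiringStaticProvider struct {
	Value Credentials
	Now   func() time.Time // injectable clock, set to time.Now by the constructor
}

// NewExpiringStaticProvider marks credentials as expiring only when a session token is given.
func NewExpiringStaticProvider(key, secret, session string, expires time.Time) *ExpiringStaticProvider {
	v := Credentials{AccessKeyID: key, SecretAccessKey: secret, SessionToken: session}
	if session != "" {
		v.CanExpire, v.Expires = true, expires
	}
	return &ExpiringStaticProvider{Value: v, Now: time.Now}
}

// Retrieve fails closed: temporary credentials past their expiry are never handed out.
func (p *ExpiringStaticProvider) Retrieve(ctx context.Context) (Credentials, error) {
	if p.Value.Expired(p.Now()) {
		return Credentials{}, fmt.Errorf("session token expired at %s", p.Value.Expires.Format(time.RFC3339))
	}
	return p.Value, nil
}

func main() {
	// Constructed sample values, not real keys.
	p := NewExpiringStaticProvider("AKIDEXAMPLE", "SECRETEXAMPLE", "TOKENEXAMPLE", time.Now().Add(15*time.Minute))
	c, err := p.Retrieve(context.Background())
	fmt.Println(c.CanExpire, err)
}
```

With long-term keys (empty session token) `CanExpire` stays false, so the provider behaves like the static one quoted in the question.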