apache
fix(services/s3): environment/config role_arn ignored #4178
Fixes #4178, which is a bug where the role_arn set by environment variables or config file is ignored for role assumption.
I remembered that it's by design that role_arn not loaded from env and config because of the different between AssumeRoleArn and AssumeRoleArnWithWebIdentityToken.
Cc @everpcpc do you have comments on this change?
Current behavior of AWS_ROLE_ARN envar for AWS CLI does currently only support WebIdentityToken roles (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html skip to AWS_ROLE_ARN)
However role_arn from a config file does support normal assumable roles, so if we want to mimic AWS CLI behavior, it needs to be different between env and config loading.
However role_arn from a config file does support normal assumable roles, so if we want to mimic AWS CLI behavior, it needs to be different between env and config loading.
I'm guessing this is another issue that reqsign doesn't support source_credential yet.
But
source_credentialis already supported by reqsign?
We only accept source_credential in AssumeRoleLoader. This doesn't work while user have config like:
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1
or
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata
Maybe we could handle like this: https://github.com/boto/botocore/blob/7fd4057baac5298fbf594980f618a57dd51b71ad/botocore/credentials.py#L1485
Maybe we could handle like this: boto/botocore@
7fd4057/botocore/credentials.py#L1485
Agreed. It's reqsign side work, let's migrate to there instead.
@Xuanwo is this one supported in reqsign and opendal upgrade to that version?
@Xuanwo is this one supported in reqsign and opendal upgrade to that version?
Not supported yet in reqsign. But anyway, it should be fixed in reqsign.