aws-sdk-cpp
STS does not respect ca cert setting
Describe the bug
https://github.com/aws/aws-sdk-cpp/blob/e9d0d247be909ade39f213a3e2915aa262755a78/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp#L110
The SDK ClientConfiguration allows the user to set caPath and caFile, but STS authentication doesn't use/respect the setting.
Expected Behavior
All authentication respects caPath and caFile setting.
Current Behavior
The SDK ClientConfiguration allows the user to set caPath and caFile, but STS authentication doesn't use/respect the setting.
Reproduction Steps
In the code below, caFile is pointed at the wrong CA file. STS auth should still be able to return a valid token, yet the connection to the storage should fail.
```cpp
#include <aws/core/client/ClientConfiguration.h>
#include <aws/s3/S3Client.h>
#include <aws/s3/model/ListObjectsV2Request.h>

// Runs after Aws::InitAPI(); credentials come from the STS-based provider in the environment.
Aws::Client::ClientConfiguration config;
config.caFile = "WRONG_CA_FILE";  // intentionally points at a CA bundle that does not exist
Aws::S3::S3Client s3_client(config, Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never, false);
Aws::S3::Model::ListObjectsV2Request objects_request;
objects_request.WithBucket("abc");
auto list_objects_outcome = s3_client.ListObjectsV2(objects_request);  // fails on TLS, while the STS call succeeded
```
Possible Solution
No response
Additional Information/Context
No response
AWS CPP SDK version used
1.11.201
Compiler and Version used
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
Operating System and version
Ubuntu 22.04
Thanks for pointing this out to us. This is a problem with how the STS client was written, and it will require a significant refactor of the STS client. This has been added to our backlog, but it is not something that will get completed this quarter. I don't have a timeline for when it will be fixed, but I will update here when it is. Sorry for the delay.
It appears I am not able to use IRSA in my EKS cluster for my C++ application because it requires a call to STS to fetch credentials using a web identity token. Is there any workaround?
@ryansburgoyne could you open a discussion and provide more details about what exactly you are trying to do?
Related issue: https://github.com/aws/aws-sdk-cpp/issues/1963