
Proxy Configuration is not honored with AssumeRole credential

Open yanglei99 opened this issue 4 years ago • 2 comments

Describe the bug

When using AWSSecurityTokenServiceClientBuilder to call getCallerIdentity, I hit com.amazonaws.auth.profile.ProfileCredentialsProvider@74d31020: Unable to execute HTTP request: sts.amazonaws.com with an HTTP proxy set up and assume role credentials role_arn =

Expected Behavior

Expect the following code to work with a proxy ClientConfiguration for credentials with and without assume role.

    import com.amazonaws.ClientConfiguration;
    import com.amazonaws.Protocol;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
    import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;

    AWSSecurityTokenServiceClientBuilder builder =
        AWSSecurityTokenServiceClientBuilder.standard();

    // Route all STS traffic through the local HTTP proxy
    ClientConfiguration clientConfiguration = new ClientConfiguration();
    clientConfiguration
        .withProxyProtocol(Protocol.HTTP)
        .withProxyHost("localhost")
        .withProxyPort(8888);
    builder = builder.withClientConfiguration(clientConfiguration);
    builder = builder.withRegion("eu-west-3");
    // Credentials come from the default provider chain (e.g. a profile with role_arn)
    GetCallerIdentityRequest req = new GetCallerIdentityRequest();
    AWSSecurityTokenService stsClient = builder.build();
    stsClient.getCallerIdentity(req);

Current Behavior

The above code works with credentials that do not use assume role, but with assume role it fails with com.amazonaws.auth.profile.ProfileCredentialsProvider@74d31020: Unable to execute HTTP request: sts.amazonaws.com

Because the STSAssumeRoleSessionCredentialsProvider builder is created without the initial client's ClientConfiguration, a new AWSSecurityTokenServiceClient is created with a new ClientConfiguration and AmazonHttpClient:

    Thread [main] (Suspended (breakpoint at line 560 in AWSSecurityTokenServiceClient))
        AWSSecurityTokenServiceClient.assumeRole(AssumeRoleRequest) line: 560
        STSAssumeRoleSessionCredentialsProvider.newSession() line: 321
        STSAssumeRoleSessionCredentialsProvider.access$000(STSAssumeRoleSessionCredentialsProvider) line: 37
        STSAssumeRoleSessionCredentialsProvider$1.call() line: 76
        STSAssumeRoleSessionCredentialsProvider$1.call() line: 73
        RefreshableTask<T>.refreshValue() line: 257
        RefreshableTask<T>.blockingRefresh() line: 213
        RefreshableTask<T>.getValue() line: 154
        STSAssumeRoleSessionCredentialsProvider.getCredentials() line: 299
        STSAssumeRoleSessionCredentialsProvider.getCredentials() line: 36
        STSProfileCredentialsServiceProvider.getCredentials() line: 71
        ProfileAssumeRoleCredentialsProvider.getCredentials() line: 51
        ProfilesConfigFile.getCredentials(String) line: 162
        ProfileCredentialsProvider.getCredentials() line: 161
        DefaultAWSCredentialsProviderChain(AWSCredentialsProviderChain).getCredentials() line: 117
        AmazonHttpClient$RequestExecutor<Output>.getCredentialsFromContext() line: 1251
        AmazonHttpClient$RequestExecutor<Output>.runBeforeRequestHandlers() line: 827
        AmazonHttpClient$RequestExecutor<Output>.doExecute() line: 777
        AmazonHttpClient$RequestExecutor<Output>.executeWithTimer() line: 764
        AmazonHttpClient$RequestExecutor<Output>.execute() line: 738
        AmazonHttpClient$RequestExecutor<Output>.access$500(AmazonHttpClient$RequestExecutor) line: 698
        AmazonHttpClient$RequestExecutionBuilderImpl.execute(HttpResponseHandler<Output>) line: 680
        AmazonHttpClient.execute(Request<?>, HttpResponseHandler<AmazonWebServiceResponse<T>>, HttpResponseHandler<AmazonServiceException>, ExecutionContext, RequestConfig) line: 544
        AmazonHttpClient.execute(Request<?>, HttpResponseHandler<AmazonWebServiceResponse<T>>, HttpResponseHandler<AmazonServiceException>, ExecutionContext) line: 524
        AWSSecurityTokenServiceClient.doInvoke(Request<Y>, HttpResponseHandler<AmazonWebServiceResponse<X>>, ExecutionContext, URI, URI) line: 1719
        AWSSecurityTokenServiceClient.invoke(Request<Y>, HttpResponseHandler<AmazonWebServiceResponse<X>>, ExecutionContext, URI, URI) line: 1686
        AWSSecurityTokenServiceClient.invoke(Request<Y>, HttpResponseHandler<AmazonWebServiceResponse<X>>, ExecutionContext) line: 1675
        AWSSecurityTokenServiceClient.executeGetCallerIdentity(GetCallerIdentityRequest) line: 1321
        AWSSecurityTokenServiceClient.getCallerIdentity(GetCallerIdentityRequest) line: 1292
        <obsolete method in<unknown declaring type>>
        NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]
        NativeMethodAccessorImpl.invoke(Object, Object[]) line: 62
        DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 43
        Method.invoke(Object, Object...) line: 498
        FrameworkMethod$1.runReflectiveCall() line: 59
        FrameworkMethod$1(ReflectiveCallable).run() line: 12
        FrameworkMethod.invokeExplosively(Object, Object...) line: 56
        InvokeMethod.evaluate() line: 17
        ParentRunner$3.evaluate() line: 306
        BlockJUnit4ClassRunner$1.evaluate() line: 100
        JUnit4(ParentRunner<T>).runLeaf(Statement, Description, RunNotifier) line: 366
        JUnit4(BlockJUnit4ClassRunner).runChild(FrameworkMethod, RunNotifier) line: 103
        JUnit4(BlockJUnit4ClassRunner).runChild(Object, RunNotifier) line: 63
        ParentRunner$4.run() line: 331
        ParentRunner$1.schedule(Runnable) line: 79
        JUnit4(ParentRunner<T>).runChildren(RunNotifier) line: 329
        ParentRunner<T>.access$100(ParentRunner, RunNotifier) line: 66
        ParentRunner$2.evaluate() line: 293
        ParentRunner$3.evaluate() line: 306
        JUnit4(ParentRunner<T>).run(RunNotifier) line: 413
        JUnit4TestReference.run(TestExecution) line: 89
        TestExecution.run(ITestReference[]) line: 40
        RemoteTestRunner.runTests(String[], String, TestExecution) line: 541
        RemoteTestRunner.runTests(TestExecution) line: 768
        RemoteTestRunner.run() line: 464
        RemoteTestRunner.main(String[]) line: 210

Even though I can work around it by using the HTTPS_PROXY setting, that is not acceptable for my use case. As I need to offer task-level configuration, I cannot use an environment variable or a system property.

Steps to Reproduce

Run the above code within a Docker container that has only proxy access.

Possible Solution

Context

The impact is that my product cannot support assume role credentials with a proxy server.

Your Environment

  • AWS Java SDK version used: 1.11.728
  • JDK version used: build 1.8.0_181-b13
  • Operating System and version:

yanglei99 avatar Apr 23 '21 19:04 yanglei99

@yanglei99 I'm sorry you're getting blocked by this. Your description is correct, the underlying STS client does not use the proxy configuration.

With the team focused on working on new features of Java SDK v2, this feature has a better chance of being implemented in v2; we are tracking the feature request in https://github.com/aws/aws-sdk-java-v2/issues/751.

debora-ito avatar Apr 28 '21 23:04 debora-ito

What about injecting your own STS client config using withStsClient, like this:

    AWSLambda lambda = AWSLambdaClientBuilder.standard()
        .withCredentials(new STSAssumeRoleSessionCredentialsProvider
            .Builder("some_role_arn", "stslambda")
            // STS client built with the same proxy ClientConfiguration as the Lambda client
            .withStsClient(AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion("us-west-2")
                .withClientConfiguration(clientConfiguration)
                .build())
            .build())
        .withClientConfiguration(clientConfiguration)
        .withRegion("us-west-2")
        .build();

?

brankoterzicinstana avatar Oct 12 '21 10:10 brankoterzicinstana
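The withStsClient workaround above, carried through end to end as an added example (not code from the issue or from the SDK): the proxy ClientConfiguration from the bug report is built once, the STS client that performs AssumeRole is built with it, and the resulting provider is verified with getCallerIdentity through the same proxy. The profile name, role ARN and session name are placeholders, and the source profile is assumed to hold long-lived keys rather than a role_arn, so that no hidden default STS client is created.

```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;

public class ProxiedAssumeRole {

    /** STS client that sends every request, including AssumeRole, through the given proxy. */
    static AWSSecurityTokenService proxiedSts(ClientConfiguration cfg, String region,
                                              AWSCredentialsProvider source) {
        return AWSSecurityTokenServiceClientBuilder.standard()
                .withClientConfiguration(cfg)
                .withRegion(region)
                .withCredentials(source)
                .build();
    }

    /** Assume-role provider that reuses the proxied STS client instead of building its own. */
    static AWSCredentialsProvider proxiedAssumeRole(AWSSecurityTokenService sts,
                                                    String roleArn, String sessionName) {
        return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                .withStsClient(sts)   // the key line: no default client without proxy settings
                .build();
    }

    public static void main(String[] args) {
        // Same proxy settings as in the bug report
        ClientConfiguration cfg = new ClientConfiguration()
                .withProxyProtocol(Protocol.HTTP)
                .withProxyHost("localhost")
                .withProxyPort(8888);
        String region = "eu-west-3";
        // Placeholders: replace with the real role ARN and a profile holding static keys
        String roleArn = "arn:aws:iam::123456789012:role/ROLE_NAME_PLACEHOLDER";
        AWSCredentialsProvider source = new ProfileCredentialsProvider("source-profile-placeholder");

        AWSSecurityTokenService sts = proxiedSts(cfg, region, source);
        AWSCredentialsProvider assumed = proxiedAssumeRole(sts, roleArn, "proxied-session");

        // Verify: a client using the assumed-role credentials, also proxied, reports the role ARN
        AWSSecurityTokenService asRole = AWSSecurityTokenServiceClientBuilder.standard()
                .withClientConfiguration(cfg)
                .withRegion(region)
                .withCredentials(assumed)
                .build();
        System.out.println(asRole.getCallerIdentity(new GetCallerIdentityRequest()).getArn());
    }
}
```

Any service client built from the assumed provider still needs its own withClientConfiguration(cfg); withStsClient only covers the AssumeRole call itself.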