aws-sdk-rust icon indicating copy to clipboard operation
aws-sdk-rust copied to clipboard

Published 20 hours ago verified publisher icon awslabs

Endpoint URL Not Respected By AssumeRoleProvider

Open tustvold opened this issue 1 year ago • 1 comments
trafficstars

Describe the bug

The AssumeRoleProvider created as part of loading credentials from a profile does not appear to respect the endpoint URL overrides, and continues to talk to sts.amazonaws.com

Expected Behavior

It should talk to the configured endpoint URL

Current Behavior

It talks to the default STS endpoint

Reproduction Steps

Create a file at /tmp/aws-config with the following content

[profile default]
aws_access_key_id = test
aws_secret_access_key = test

[profile messaging]
role_arn = arn:aws:iam::000000000000:role/messaging
role_session_name = messaging
source_profile = default

Then create a new Rust project with

Cargo.toml

[package]
name = "temp"
version = "0.1.0"
edition = "2021"

[dependencies]
aws-config = "1.5.6"
aws-credential-types = "1.2"
tokio = { version = "1.0", features = ["full"] }

src/main.rs

use aws_credential_types::provider::ProvideCredentials;

#[tokio::main]
async fn main() {
    let aws_config = aws_config::defaults(aws_config::BehaviorVersion::latest()).load().await;
    aws_config.credentials_provider().unwrap().provide_credentials().await.unwrap();
}

Run it with

export AWS_ENDPOINT_URL=http://127.0.0.1:4566
export AWS_CONFIG_FILE=/tmp/aws-config
export AWS_PROFILE=messaging
cargo run

Get the following error

called `Result::unwrap()` on an `Err` value: ProviderError(ProviderError { source: ProviderError(ProviderError { source: ServiceError(ServiceError { source: Unhandled(Unhandled { source: ErrorMetadata { code: Some("InvalidClientTokenId"), message: Some("The security token included in the request is invalid."), extras: Some({"aws_request_id": "64665aaf-2926-429c-999d-6f22f439d5e3"}) }, meta: ErrorMetadata { code: Some("InvalidClientTokenId"), message: Some("The security token included in the request is invalid."), extras: Some({"aws_request_id": "64665aaf-2926-429c-999d-6f22f439d5e3"}) } }), raw: Response { status: StatusCode(403), headers: Headers { headers: {"x-amzn-requestid": HeaderValue { _private: H0("64665aaf-2926-429c-999d-6f22f439d5e3") }, "content-type": HeaderValue { _private: H0("text/xml") }, "content-length": HeaderValue { _private: H0("306") }, "date": HeaderValue { _private: H0("Thu, 19 Sep 2024 16:19:07 GMT") }} }, body: SdkBody { inner: Once(Some(b"<ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <Error>\n    <Type>Sender</Type>\n    <Code>InvalidClientTokenId</Code>\n    <Message>The security token included in the request is invalid.</Message>\n  </Error>\n  <RequestId>64665aaf-2926-429c-999d-6f22f439d5e3</RequestId>\n</ErrorResponse>\n")), retryable: true }, extensions: Extensions { extensions_02x: Extensions, extensions_1x: Extensions } } }) }) })

Crucially this does not require localstack to be running, as it completely ignores the configured endpoint URL

Possible Solution

No response

Additional Information/Context

https://github.com/awslabs/aws-sdk-rust/issues/921 is related, but it would appear https://github.com/smithy-lang/smithy-rs/pull/3014 was only a partial fix

Version

aws-config = 1.5.6
aws-credential-types = 1.2.1

Environment details (OS name and version, etc.)

x86_64 GNU/Linux

Logs

No response

tustvold avatar Sep 19 '24 16:09 tustvold