spring-cloud-aws

Support STS session Token

Open krisiye opened this issue 4 years ago • 5 comments

Type: Feature

Is your feature request related to a problem? Please describe.

spring cloud aws does not support session token for the credentials manager. This will be useful to add for aws integrations using STS.

Describe the solution you'd like

  • Add support under org.springframework.cloud.aws.autoconfigure.context.properties.AwsCredentialsProperties for cloud.aws.credentials.sessionToken
  • Add support under org.springframework.cloud.aws.autoconfigure.context.ContextCredentialsAutoConfiguration for sessionToken to be provided to the credentials manager.
  • Support STS token rotation with spring cloud vault. (See issue linked below) Necessary beans holding creds will need to be rebound/refreshed to pick up new accessKey, secretKey and sessionToken.

Describe alternatives you've considered

NA

Additional context

Related issue for vault: https://github.com/spring-cloud/spring-cloud-vault/issues/572

krisiye, Feb 17 '21 22:02

I can't seem to get spring-cloud-aws to pick up my session token still - does the vault fix only apply if you are using Vault? If I am using spring-cloud-aws will I need to implement spring-cloud/spring-cloud-vault#575 on this repo as well?

GCHQDeveloper926, May 27 '21 15:05

That is expected and hence this issue. The referenced vault PR adds the capability to set the session token when using STS with vault. spring cloud aws already supported creds but not session token. Will have to implement something similar to what I have in the description to not only pick up session tokens but also support rotation.

krisiye, May 27 '21 16:05

Are you using vault to solve this problem, or do you still have this problem with spring-cloud-aws? If I can use vault, so that when using spring-cloud-aws I can use an assumed role/session token, that would be a good workaround, or I could look to implement what you originally described in the issue above.

GCHQDeveloper926, May 27 '21 21:05

Vault aws backend was enhanced to support STS session tokens. As far as picking up these tokens and rotation is concerned, I am just using a custom refresh scope bean that is refreshed upon lease rotation. I have described the solution here: https://hmh.engineering/aws-sts-with-spring-cloud-vault-2d7fb0b82aaf. Will be nice to implement the same within spring cloud aws.

krisiye, May 28 '21 04:05
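
The refresh-scope approach mentioned in the comment above, as an added example (not code from this thread, the linked article, or spring-cloud-aws). It assumes AWS SDK for Java v1 and Spring Cloud Context on the classpath, and that the three `cloud.aws.credentials.*` properties are set under exactly these names; the class and bean names are hypothetical.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.StringUtils;

// Hypothetical configuration class, for illustration only.
@Configuration
public class StsCredentialsConfiguration {

    // @RefreshScope hands callers a proxy. After a refresh, the next call
    // re-creates the target from the current property values, so rotated
    // STS credentials replace the expired ones instead of being cached
    // for the lifetime of the application.
    @Bean
    @RefreshScope
    public AWSCredentialsProvider stsCredentialsProvider(
            @Value("${cloud.aws.credentials.accessKey}") String accessKey,
            @Value("${cloud.aws.credentials.secretKey}") String secretKey,
            // Empty default: long-lived IAM user keys carry no session token.
            @Value("${cloud.aws.credentials.sessionToken:}") String sessionToken) {

        // Temporary STS credentials are rejected by AWS unless the session
        // token is sent with the key pair, so all three values must travel
        // together and be replaced together on rotation.
        AWSCredentials credentials = StringUtils.hasText(sessionToken)
                ? new BasicSessionCredentials(accessKey, secretKey, sessionToken)
                : new BasicAWSCredentials(accessKey, secretKey);

        // Never log these values; the provider only hands them to the SDK.
        return new AWSStaticCredentialsProvider(credentials);
    }
}
```

The bean only picks up new values when something triggers a refresh after the properties change, which the comment above does on lease rotation.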

I didn't realise this was still open/I had re-opened it. Just raised #149 to track making this change with proposed changes.

GCHQDeveloper926, Jun 10 '21 12:06

Fixed in https://github.com/awspring/spring-cloud-aws/commit/d8b2fcdae59ef927eff61de088120b24e6e74f54

maciejwalkowiak, Apr 19 '23 09:04