Add external account on ECS support.
The URL to obtain credentials in ECS is different from EC2. Therefore, support has been added.
https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
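The ECS endpoint lookup that the description above refers to, as an added example that is not code from this PR or from either crate. The environment variable names are the ones the linked AWS guide documents; the plain-HTTP host allow-list is an assumption about AWS SDK behaviour, and `container_credentials_url`, `host_of` and `EndpointError` are hypothetical names.

```rust
use std::net::IpAddr;

// ECS task credentials live at a fixed link-local address, not at the EC2
// IMDS address (169.254.169.254), so the two need different lookups.
const ECS_BASE: &str = "http://169.254.170.2";
// Assumption: plain-HTTP hosts the AWS SDKs accept besides loopback.
const HTTP_ALLOWED: [&str; 3] = ["169.254.170.2", "169.254.170.23", "fd00:ec2::23"];

#[derive(Debug, PartialEq)]
pub enum EndpointError { NotInContainer, BadUri, HostNotAllowed(String) }

/// Extract the host from `host[:port]` or `[v6][:port]`; reject userinfo.
fn host_of(authority: &str) -> Option<&str> {
    if authority.is_empty() || authority.contains('@') { return None; }
    if let Some(v6) = authority.strip_prefix('[') {
        return v6.split_once(']').map(|(h, _)| h);
    }
    Some(authority.rsplit_once(':').map_or(authority, |(h, _)| h))
}

/// Resolve the container credentials URL. `env` is injected so the logic
/// can be exercised without touching the process environment.
pub fn container_credentials_url(
    env: impl Fn(&str) -> Option<String>,
) -> Result<String, EndpointError> {
    // The relative form wins and is always joined to the fixed ECS address.
    if let Some(rel) = env("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") {
        if !rel.starts_with('/') { return Err(EndpointError::BadUri); }
        return Ok(format!("{}{}", ECS_BASE, rel));
    }
    let full = env("AWS_CONTAINER_CREDENTIALS_FULL_URI").ok_or(EndpointError::NotInContainer)?;
    if full.starts_with("https://") { return Ok(full); }
    // Plain HTTP would expose the returned keys in transit, so only literal
    // loopback or allow-listed addresses pass (hostnames are rejected here).
    let rest = full.strip_prefix("http://").ok_or(EndpointError::BadUri)?;
    let authority = rest.split(|c: char| c == '/' || c == '?').next().unwrap_or("");
    let host = host_of(authority).ok_or(EndpointError::BadUri)?;
    let ok = host.parse::<IpAddr>().map_or(false, |ip| {
        ip.is_loopback() || HTTP_ALLOWED.iter().any(|a| a.parse::<IpAddr>().ok() == Some(ip))
    });
    if ok { Ok(full) } else { Err(EndpointError::HostNotAllowed(host.to_string())) }
}

fn main() {
    // Constructed sample: the variable ECS injects into a task's containers.
    let env = |k: &str| (k == "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
        .then(|| "/v2/credentials/example-id".to_string());
    println!("{:?}", container_credentials_url(env));
}
```

Rejecting a relative value that does not start with `/` keeps the request on the fixed ECS host even if the variable is attacker-influenced.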
Hello, I accidentally found this PR while exploring the design to implement AWS external account subject token for gcloud-sdk-rs (see https://github.com/abdolence/gcloud-sdk-rs/pull/172), which is another Google Cloud SDK crate.
I found that the official AWS SDK provides an abstraction over the credentials lookup mechanism named DefaultCredentialsChain.
It covers:
- Environment variables: EnvironmentVariableCredentialsProvider
- Shared config (~/.aws/config, ~/.aws/credentials): SharedConfigCredentialsProvider
- Web Identity Tokens
- ECS (IAM Roles for Tasks) & General HTTP credentials: ecs
- EC2 IMDSv2
Unless maintainers and you intentionally re-invent the wheel to avoid additional dependencies, I recommend using DefaultCredentialsChain in order to reduce maintenance burden and potential bugs.
https://github.com/awslabs/aws-sdk-rust/blob/a970bb68a57b8d44d2737b18897b95eaa49f7dd8/sdk/aws-config/src/default_provider/credentials.rs#L25
@i10416 Thank you for your suggestion. I will consider using aws-sdk-rust as I do not wish to reinvent the wheel.
@alu
Thank you for your contribution.
This crate is based on google-cloud-go. The original aws-provider.go in google-cloud-go doesn't have ECS support directly.
https://github.com/googleapis/google-cloud-go/blob/d8bc98307985b6db284e75e85ec5c7af87748c81/auth/credentials/internal/externalaccount/aws_provider.go#L247
Instead of including a specific ECS support implementation (e.g. 169.254.170.2) in this crate, we would like to receive and execute the SecurityCredentialsProvider trait in the same way as the Go implementation.
Then you should be able to use aws-sdk-rust.
@yoshidan So what should I do? Is there anything I can do to help?