alu commented Nov 20, 2024

The URL to obtain credentials in ECS is different from EC2.
Therefore, support has been added.

https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html

yoshidan added the safe to test label Nov 24, 2024

i10416 commented Nov 27, 2024

Hello, I accidentally found this PR while exploring the design to implement AWS external account subject token for gcloud-sdk-rs (see abdolence/gcloud-sdk-rs#172), which is another Google Cloud SDK crate.

I found the official AWS SDK provides an abstraction over the credentials lookup mechanism named DefaultCredentialsChain.

It covers

  1. Environment variables: EnvironmentVariableCredentialsProvider
  2. Shared config (~/.aws/config, ~/.aws/credentials): SharedConfigCredentialsProvider
  3. Web Identity Tokens
  4. ECS (IAM Roles for Tasks) & General HTTP credentials: ecs
  5. EC2 IMDSv2

Unless maintainers and you intentionally re-invent the wheel to avoid additional dependencies, I recommend using DefaultCredentialsChain in order to reduce maintenance burden and potential bugs.

https://github.com/awslabs/aws-sdk-rust/blob/a970bb68a57b8d44d2737b18897b95eaa49f7dd8/sdk/aws-config/src/default_provider/credentials.rs#L25

yoshidan (Owner) commented Nov 28, 2024

@i10416
Thank you for your suggestion. I will consider using aws-sdk-rust as I do not wish to reinvent the wheel.

@alu
Thank you for your contribution.
This crate is based on google-cloud-go. The original aws-provider.go in google-cloud-go doesn't have ECS support directly.
https://github.com/googleapis/google-cloud-go/blob/d8bc98307985b6db284e75e85ec5c7af87748c81/auth/credentials/internal/externalaccount/aws_provider.go#L247

Instead of including a specific ECS support implementation (e.g. 169.254.170.2) in this crate,
we would like to receive and execute the SecurityCredentialsProvider trait in the same way as the Go implementation.
Then you should be able to use aws-sdk-rust.
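
The endpoint difference discussed in this thread, as an added Rust example (not code from this PR, this crate, or aws-sdk-rust): it selects the container credential URL from `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` / `AWS_CONTAINER_CREDENTIALS_FULL_URI` and refuses plain-HTTP hosts outside an allow-list, so a tampered variable cannot redirect the credential request. The allow-list (loopback, 169.254.170.2, and the EKS addresses 169.254.170.23 and fd00:ec2::23), the HTTPS-for-any-host rule, the leading-slash check and all function names are assumptions based on AWS's container credential provider documentation, not taken from the thread.

```rust
use std::net::IpAddr;

// Fixed ECS task credential host; the relative URI is appended to it.
const ECS_HOST: &str = "http://169.254.170.2";
// Assumed plain-HTTP allow-list: ECS and EKS container credential hosts.
const HTTP_HOSTS: [&str; 3] = ["169.254.170.2", "169.254.170.23", "fd00:ec2::23"];

// Host part of a URL authority; userinfo ("allowed-ip@other.example") is rejected.
fn host_of(authority: &str) -> Option<&str> {
    if authority.contains('@') { return None; }
    if let Some(rest) = authority.strip_prefix('[') {
        return rest.split_once(']').map(|(host, _)| host);
    }
    authority.split(':').next()
}

fn http_host_allowed(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(ip) => ip.is_loopback() || HTTP_HOSTS.iter().any(|a| a.parse::<IpAddr>().ok() == Some(ip)),
        Err(_) => false, // hostnames are not resolved here, so they are refused
    }
}

pub fn resolve_endpoint(relative: Option<&str>, full: Option<&str>) -> Result<String, String> {
    if let Some(path) = relative {
        // Added hardening: without a leading '/', concatenation could change the host.
        if !path.starts_with('/') {
            return Err("relative URI must start with '/'".into());
        }
        return Ok(format!("{}{}", ECS_HOST, path));
    }
    let url = full.ok_or("no container credential variable set")?;
    if url.starts_with("https://") {
        return Ok(url.to_string());
    }
    let rest = url.strip_prefix("http://").ok_or("unsupported scheme")?;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    match host_of(authority) {
        Some(host) if http_host_allowed(host) => Ok(url.to_string()),
        _ => Err(format!("refusing plain-HTTP credential host in {}", url)),
    }
}

fn main() {
    let rel = std::env::var("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI").ok();
    let full = std::env::var("AWS_CONTAINER_CREDENTIALS_FULL_URI").ok();
    println!("{:?}", resolve_endpoint(rel.as_deref(), full.as_deref()));
}
```

The EC2 IMDS address (169.254.169.254) is deliberately absent from the allow-list: it is a separate provider with its own token handshake, not a container credential endpoint.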

alu (Author) commented Dec 2, 2024

@yoshidan So what should I do? Is there anything I can do to help?
