-
Notifications
You must be signed in to change notification settings - Fork 509
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(services/s3): environment/config role_arn ignored #4178 #4182
base: main
Are you sure you want to change the base?
Conversation
I remembered that it's by design that role_arn not loaded from env and config because of the different between AssumeRoleArn and AssumeRoleArnWithWebIdentityToken. Cc @everpcpc do you have comments on this change? |
Current behavior of AWS_ROLE_ARN envar for AWS CLI does currently only support WebIdentityToken roles (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html skip to AWS_ROLE_ARN) However role_arn from a config file does support normal assumable roles, so if we want to mimic AWS CLI behavior, it needs to be different between env and config loading. |
I'm guessing this is another issue that reqsign doesn't support source_credential yet. |
But |
We only accept [profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1 or [profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata |
Maybe we could handle like this: |
Agreed. It's reqsign side work, let's migrate to there instead. |
@Xuanwo is this one supported in reqsign and opendal upgrade to that version? |
Not supported yet in reqsign. But anyway, it should be fixed in reqsign. |
Fixes #4178, which is a bug where the role_arn set by environment variables or config file is ignored for role assumption.