Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rearrange security_token sources as AWS_SECURITY_TOKEN is deprecated (breaking change) #221

Closed
wants to merge 4 commits into from

Conversation

nillovna
Copy link

@nillovna nillovna commented Dec 22, 2020

SUMMARY

Rearranges security_token sources as AWS_SECURITY_TOKEN is deprecated.

As mentioned in boto documentation (and a bunch of other SDKs) AWS_SECURITY_TOKEN environment variable can be considered deprecated, it is only supported for backward-compatibility purposes. Only AWS_SESSION_TOKEN is mentioned as a session token environment variable in AWS documentation.
So it is more logical to check AWS_SESSION_TOKEN before AWS_SECURITY_TOKEN. Empty AWS_SECURITY_TOKEN could cause errors even if AWS_SESSION_TOKEN is defined.

Some tools already removed AWS_SECURITY_TOKEN support. For example, there is an issue with saml2aws.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

plugins.module_utils.ec2

ADDITIONAL INFORMATION

The problem is fully described in Versent/saml2aws#586. The issue is caused by an empty AWS_SECURITY_TOKEN. Despite AWS_SESSION_TOKEN is defined, ansible uses deprecated AWS_SECURITY_TOKEN in the first place.

Copy link
Contributor

@tremble tremble left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm generally in favour of this, but definitely necessitates a changelog entry. I'd like to hear from @Jill / @goneri about when it would be appropriate to merge this.

- name: AWS_SECURITY_TOKEN
- name: AWS_SESSION_TOKEN
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a note in the description that this value is deprecated.

plugins/module_utils/ec2.py Show resolved Hide resolved
@ansibullbot ansibullbot added bug This issue/PR relates to a bug module_utils module_utils needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR new_contributor Help guide this first time contributor plugins plugin (any type) small_patch Hopefully easy to review labels Jan 13, 2021
@jillr
Copy link
Collaborator

jillr commented Jan 13, 2021

@tremble Agree the change looks sensible. We don't have unit test coverage for get_aws_connection_info() right now so we'll want to manually test the change to be safe, it would be great if we could get that covered at some point but that exceeds the scope of this change. I'm +1 once we have updated docs and a changelog.

Thanks for this patch @nillovna!

@tremble
Copy link
Contributor

tremble commented Jan 13, 2021

@jillr We might not have unit tests but we do have an integration test which tests the combination of get_aws_connection_info and connect_to_aws : https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/module_utils_ec2/roles/connect_to_aws/tasks/credentials.yml what we don't test right now is the relative priority of EC2_SESSION_TOKEN and EC2_SECURITY_TOKEN

@tremble
Copy link
Contributor

tremble commented Jan 13, 2021

@nillovna Do you think you could tweak https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/module_utils_ec2/roles/connect_to_aws/tasks/credentials.yml to add a test that AWS_SESSION_TOKEN takes priority over AWS_SECURITY_TOKEN ?

@tremble tremble changed the title Rearrange security_token sources as AWS_SECURITY_TOKEN is deprecated Rearrange security_token sources as AWS_SECURITY_TOKEN is deprecated (breaking change) Mar 11, 2021
@tremble
Copy link
Contributor

tremble commented Mar 11, 2021

Digging into this a little further:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L1051

It looks like our current behaviour mimics the botocore behaviour (wrt ordering)

@ansibullbot ansibullbot added integration tests/integration tests tests and removed small_patch Hopefully easy to review labels Mar 11, 2021
@jillr
Copy link
Collaborator

jillr commented Apr 29, 2021

The next collection release of amazon.aws will be 2.0 (late May ETA), which can contain breaking changes. Comments and test failures will need to be addressed for this to be able to merge.

@alinabuzachis
Copy link
Collaborator

@jillr Should we put this in the Jira backlog?

@tremble
Copy link
Contributor

tremble commented Aug 27, 2021

@jillr, I'm inclined to close this PR. While the change would make a deprecated env var lower priority, this would go against the order botocore evaluates, and I think we're better sticking to boto3's priorities.

@jillr
Copy link
Collaborator

jillr commented Aug 30, 2021

@tremble I'm ok with that. It doesn't appear to be causing any notable problems for users and avoiding breaking changes is usually desirable.

It was good to have folks that a look at this and now we know about the deprecation, thanks for raising awareness about this @nillovna! If boto3 changes the processing order and we need to revisit this we can revive the PR.

@jillr jillr closed this Aug 30, 2021
abikouo pushed a commit to abikouo/amazon.aws that referenced this pull request Oct 24, 2023
…ollections#237)

Files transferred to instances via the SSM connection plugin should use
folders within the bucket that are namespaced per-host, to prevent collisions.
Files should also be deleted from buckets when they are no longer required.

Fixes: ansible-collections#221
Fixes: ansible-collections#222

Based on work by abeluck

changelog
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue/PR relates to a bug integration tests/integration module_utils module_utils needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR new_contributor Help guide this first time contributor plugins plugin (any type) priority/low tests tests
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants