-
Notifications
You must be signed in to change notification settings - Fork 343
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rearrange security_token sources as AWS_SECURITY_TOKEN is deprecated (breaking change) #221
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- name: AWS_SECURITY_TOKEN | ||
- name: AWS_SESSION_TOKEN |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a note in the description that this value is deprecated.
@tremble Agree the change looks sensible. We don't have unit test coverage for Thanks for this patch @nillovna! |
@jillr We might not have unit tests but we do have an integration test which tests the combination of get_aws_connection_info and connect_to_aws : https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/module_utils_ec2/roles/connect_to_aws/tasks/credentials.yml what we don't test right now is the relative priority of EC2_SESSION_TOKEN and EC2_SECURITY_TOKEN |
@nillovna Do you think you could tweak https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/module_utils_ec2/roles/connect_to_aws/tasks/credentials.yml to add a test that AWS_SESSION_TOKEN takes priority over AWS_SECURITY_TOKEN ? |
Digging into this a little further: It looks like our current behaviour mimics the botocore behaviour (wrt ordering) |
The next collection release of amazon.aws will be 2.0 (late May ETA), which can contain breaking changes. Comments and test failures will need to be addressed for this to be able to merge. |
@jillr Should we put this in the Jira backlog? |
@jillr, I'm inclined to close this PR. While the change would make a deprecated env var lower priority, this would go against the order botocore evaluates, and I think we're better sticking to boto3's priorities. |
@tremble I'm ok with that. It doesn't appear to be causing any notable problems for users and avoiding breaking changes is usually desirable. It was good to have folks that a look at this and now we know about the deprecation, thanks for raising awareness about this @nillovna! If boto3 changes the processing order and we need to revisit this we can revive the PR. |
…ollections#237) Files transferred to instances via the SSM connection plugin should use folders within the bucket that are namespaced per-host, to prevent collisions. Files should also be deleted from buckets when they are no longer required. Fixes: ansible-collections#221 Fixes: ansible-collections#222 Based on work by abeluck changelog
SUMMARY
Rearranges security_token sources as AWS_SECURITY_TOKEN is deprecated.
As mentioned in boto documentation (and a bunch of other SDKs)
AWS_SECURITY_TOKEN
environment variable can be considered deprecated, it is only supported for backward-compatibility purposes. OnlyAWS_SESSION_TOKEN
is mentioned as a session token environment variable in AWS documentation.So it is more logical to check
AWS_SESSION_TOKEN
beforeAWS_SECURITY_TOKEN
. EmptyAWS_SECURITY_TOKEN
could cause errors even ifAWS_SESSION_TOKEN
is defined.Some tools already removed
AWS_SECURITY_TOKEN
support. For example, there is an issue with saml2aws.ISSUE TYPE
COMPONENT NAME
plugins.module_utils.ec2
ADDITIONAL INFORMATION
The problem is fully described in Versent/saml2aws#586. The issue is caused by an empty
AWS_SECURITY_TOKEN
. DespiteAWS_SESSION_TOKEN
is defined, ansible uses deprecatedAWS_SECURITY_TOKEN
in the first place.