
awsauth: Enable ECS credential provider when AWS_CONTAINER_CREDENTIALS_FULL_URI env var is defined #6

Closed

Conversation

jstewmon

@hashicorp-cla

hashicorp-cla commented May 29, 2019

CLA assistant check
All committers have signed the CLA.

@bflad
Contributor

bflad commented Jun 13, 2019

Hi @jstewmon 👋 Thanks so much for submitting this. At quick glance, this appears like it would be an acceptable change, but to fully disclose that #5 (comment) is likely relevant here as well. 😕 We certainly don't want to leave this pull request lingering just due to our existing lack of testing though.

To that end, could you please provide the relevant environment setup (presumably something like running Terraform on an ECS Cluster) and Terraform AWS Provider configuration so we can verify this particular change has the intended effect? Thank you.

@jstewmon
Author

jstewmon commented Jun 13, 2019

Hi @bflad , thanks for taking a look!

The impetus for this PR is another PR that I made for aws-vault: 99designs/aws-vault#375

I've used this technique with the AWS CLI and other tools built atop AWS SDKs in the past, and in the course of testing my changes to aws-vault, I found that it did not work with Terraform due to this library not enabling the remote credential provider when AWS_CONTAINER_CREDENTIALS_FULL_URI is defined.

So, one method of testing is with aws-vault built from my feature branch:

git clone git@github.com:jstewmon/aws-vault.git
cd aws-vault
git checkout ecs-server
go mod vendor
go build
./aws-vault add <some profile>
aws-vault exec --ecs-server <some profile> -- terraform plan

TBH, I'm not actually sure when a task run by ECS would use AWS_CONTAINER_CREDENTIALS_FULL_URI vs AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, so I'm hopeful that you'll find my suggestion of testing with aws-vault a viable route. 😅
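The provider-selection logic this thread is about, written out as an added example (not code from this library, aws-sdk-go or aws-vault): it derives the container credential endpoint from the two environment variables and applies the loopback guard that the SDK uses for plain-http full URIs. The precedence (full URI first, then relative URI, else skip) and the guard are assumptions about aws-sdk-go v1 behaviour, not taken from the PR.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"os"
)

// ecsAgentHost is the link-local address the ECS agent serves relative URIs on.
const ecsAgentHost = "http://169.254.170.2"

// containerCredentialsEndpoint reports whether the container provider should run and which
// URL to call; precedence assumed as in aws-sdk-go v1: full URI, then relative URI, else skip.
func containerCredentialsEndpoint(fullURI, relativeURI string) (string, bool, error) {
	switch {
	case fullURI != "":
		if err := validateFullURI(fullURI); err != nil {
			return "", false, err
		}
		return fullURI, true, nil
	case relativeURI != "":
		return ecsAgentHost + relativeURI, true, nil
	}
	return "", false, nil
}

// validateFullURI applies the SDK's guard: plain http is accepted only for loopback
// hosts, so the env var cannot send credential requests across the network.
func validateFullURI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if u.Scheme == "https" || host == "localhost" {
		return nil
	}
	if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
		return nil
	}
	return fmt.Errorf("refusing plain http to non-loopback host in %q", raw)
}

func main() {
	ep, ok, err := containerCredentialsEndpoint(
		os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI"),
		os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"))
	fmt.Println(ep, ok, err)
}
```

With neither variable set the function returns ok=false, which is where a chain like the one discussed above would fall through to EC2 instance metadata.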

@bflad
Contributor

bflad commented Jun 2, 2020

Just to follow up here, this pull request may be superseded by #20. That change will cause the default AWS Go SDK credential handlers (which include handling for this environment variable before attempting EC2 metadata) to automatically be executed before this logic is called. 👍

@bflad bflad self-assigned this Jun 2, 2020
@jstewmon
Author

jstewmon commented Jun 2, 2020

@bflad I haven't had a chance to personally verify it, but it seems that #5 already resolved this issue, at least in some cases. I'm content to close this PR, since the immediate problem I had is resolved and more work is underway to further improve credential provider handling.

@jstewmon jstewmon closed this Jun 2, 2020