webnet
/
tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

wif: add AWS ecs for autogenerated OIDC tokens

Browse Source 
Adds the ability to detect when running on AWS ECS and fetch tokens from
the ECS metadata endpoints in addition to IMDSv2

Fixes #18909

Signed-off-by: Patrick Guinard <patrick@public.com>
main
Patrick Guinard 1 month ago committed by Mario Minardi
parent 33da8a8d68
commit 18983eca66
1 changed files with 14 additions and 7 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 21
      wif/wif.go

21
wif/wif.go
Unescape View File

@ -40,7 +40,8 @@ const (
// 1. GitHub Actions (strongest env signals; may run atop any cloud) // 1. GitHub Actions (strongest env signals; may run atop any cloud)
// 2. AWS via IMDSv2 token endpoint (does not require env vars) // 2. AWS via IMDSv2 token endpoint (does not require env vars)
// 3. GCP via metadata header semantics // 3. GCP via metadata header semantics
// 4. Azure via metadata endpoint // 4. AWS ECS via ECS token endpoint and env vars provided by ECS
// 5. Azure via metadata endpoint
func ObtainProviderToken(ctx context.Context, audience string) (string, error) { func ObtainProviderToken(ctx context.Context, audience string) (string, error) {
env := detectEnvironment(ctx) env := detectEnvironment(ctx)
@ -69,6 +70,9 @@ func detectEnvironment(ctx context.Context) Environment {
if detectGCPMetadata(ctx, client) { if detectGCPMetadata(ctx, client) {
return EnvGCP return EnvGCP
} }
if os.Getenv("ECS_CONTAINER_METADATA_URI_V4") != "" {
return EnvAWS
}
return EnvNone return EnvNone
} }
@ -163,7 +167,7 @@ func acquireGitHubActionsIDToken(ctx context.Context, audience string) (string,
} }
func acquireAWSWebIdentityToken(ctx context.Context, audience string) (string, error) { func acquireAWSWebIdentityToken(ctx context.Context, audience string) (string, error) {
// LoadDefaultConfig wires up the default credential chain (incl. IMDS). // LoadDefaultConfig wires up the default credential chain (incl. IMDS and ECS metadata).
cfg, err := config.LoadDefaultConfig(ctx) cfg, err := config.LoadDefaultConfig(ctx)
if err != nil { if err != nil {
return "", fmt.Errorf("load aws config: %w", err) return "", fmt.Errorf("load aws config: %w", err)
@ -174,12 +178,15 @@ func acquireAWSWebIdentityToken(ctx context.Context, audience string) (string, e
return "", fmt.Errorf("AWS credentials unavailable (instance profile/IMDS?): %w", err) return "", fmt.Errorf("AWS credentials unavailable (instance profile/IMDS?): %w", err)
} }
imdsClient := imds.NewFromConfig(cfg) // ECS does not have IMDS; region must come from AWS_DEFAULT_REGION or AWS_REGION,
region, err := imdsClient.GetRegion(ctx, &imds.GetRegionInput{}) if cfg.Region == "" {
if err != nil { imdsClient := imds.NewFromConfig(cfg)
return "", fmt.Errorf("couldn't get AWS region: %w", err) region, err := imdsClient.GetRegion(ctx, &imds.GetRegionInput{})
if err != nil {
return "", fmt.Errorf("couldn't get AWS region: %w", err)
}
cfg.Region = region.Region
} }
cfg.Region = region.Region
stsClient := sts.NewFromConfig(cfg) stsClient := sts.NewFromConfig(cfg)
in := &sts.GetWebIdentityTokenInput{ in := &sts.GetWebIdentityTokenInput{

Write Preview
Loading…
Cancel
Save