Add Config Parameter to Disable STS Credential Validation #50
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…for AWS credentials STS validation on startup
simonmarty
reviewed
Dec 20, 2024
|
Thanks for the contribution! I'm taking off work over the holidays so I'll probably get to reviewing this more closely in January. |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #50 +/- ##
==========================================
+ Coverage 40.79% 40.87% +0.08%
==========================================
Files 15 15
Lines 8541 8560 +19
==========================================
+ Hits 3484 3499 +15
- Misses 5057 5061 +4 ☔ View full report in Codecov by Sentry. |
jirkafajfr
previously approved these changes
Dec 23, 2024
…ts to ensure proper configuration refactor(tests): remove redundant test for validate_credentials as it is already covered in other tests
simonmarty
requested changes
Jan 8, 2025
| Err(e) if config.ignore_transient_errors() && is_transient_error(&e) => (), | ||
| Err(e) => Err(e)?, | ||
| }; | ||
| // Only perform STS validation if enabled |
There was a problem hiding this comment.
You can remove that comment.
| let sts_client = aws_sdk_sts::Client::from_conf(sts_builder.build()); | ||
| match sts_client.get_caller_identity().send().await { | ||
| Ok(_) => (), | ||
| Err(e) if config.ignore_transient_errors() && is_transient_error(&e) => (), |
There was a problem hiding this comment.
Since this is a one-time startup check, let's not ignore transient errors.
| sts_builder.set_region(Some(Region::new(region.clone()))); | ||
| } | ||
|
|
||
| // Validate the region and credentials first |
There was a problem hiding this comment.
That comment can also be removed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available: #36
Description of changes:
This PR introduces a new configuration parameter, validate_credentials, that allows users to disable the STS GetCallerIdentity check performed during the startup of the AWS Secrets Manager agent. By default, the credential validation is enabled to ensure credentials are valid during initialization and to ensure backwards compatibility, but this parameter provides flexibility for environments where the validation may not be required.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.