-
Notifications
You must be signed in to change notification settings - Fork 642
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Customer issue: STS Assume Role signature mismatch #914
Comments
Just for information, I got the same problem with |
@gmauleon are you consistently running into this issue or is it periodically occurring? In addition, what AWS region is your application configured for when it encounters this error? |
Consistent on my side. I shelved it and planned to use v1 for the time being but could certainly retry it this week if you need more informations. |
Thanks for the update @gmauleon. I'm trying to reproduce this issue, but not able to with latest release version v0.30.0, and HEAD of the v2 SDK repo. package main
import (
"context"
"fmt"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/sts"
)
func main() {
if err := do(); err != nil {
log.Fatal(err)
}
}
func do() error {
cfg, err := config.LoadDefaultConfig(
config.WithRegion("us-west-2"),
config.WithClientLogMode(aws.LogSigning),
)
if err != nil {
return err
}
stsclient := sts.NewFromConfig(cfg)
role := fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, roleName)
provider := stscreds.NewAssumeRoleProvider(stsclient, role)
// SDK tip:
cfg.Credentials = aws.NewCredentialsCache(provider)
// SDK v0.30.0
cfg.Credentials = &aws.CredentialsCache{Provider: provider}
creds, err := cfg.Credentials.Retrieve(context.Background())
if err != nil {
return fmt.Errorf("failed to get credentials, %w", err)
}
log.Println("Credentials ", creds.AccessKeyID, creds.Source)
return nil
} I'm using the following sample code to reproduce this issue. If you have a sample that is able to reproduce this problem that would be very helpful to investigate this issue. # Update to the tip of the smithy-go currently, `511e8c85`
go get github.com/awslabs/smithy-go@ac098bf4
# Update to the tip of the SDK currently, `511e8c85`
go get github.com/aws/aws-sdk-go-v2@511e8c85
go get github.com/aws/aws-sdk-go-v2/service/sts@511e8c85
go get github.com/aws/aws-sdk-go-v2/credentials@511e8c85
go get github.com/aws/aws-sdk-go-v2/config@511e8c85 |
The only way I've been able to reproduce this is when the original |
Thanks a lot for looking into this, I'll be out and will not be able to
look at it until most likely January, sorry about that :(
I'll see if I can look at my code next week but no promises.
Have some happy holidays Jason!
…On 2020-12-18 3:08 p.m., Jason Del Ponte wrote:
The only way I've been able to reproduce this is when the original
|LoadDefaultConfig| is unable to retrieve credentials to do the assume
role with. Could you looking if the |cfg.Credentials| value is a
aws.AnonymousCredentials
<https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws/#AnonymousCredentials>,
or |nil|?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#914 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACMH332WJEZOTE57W452TKDSVOZFFANCNFSM4T2Z7BHA>.
|
Using v0.4, I'm getting the same issue (I think)
And then directly try to use it:
But if in between I add the following, everything works fine.... Any idea why?
|
Thanks for the update @Chandrian I've been able to reproduce the issue with the following example using your provided input. func main() {
if err := countBuckets(context.TODO()); err != nil {
log.Fatal(err)
}
}
func countBuckets(ctx context.Context) error {
cfg, err := config.LoadDefaultConfig(ctx,
config.WithRegion("us-west-2"),
config.WithClientLogMode(aws.LogSigning|aws.LogRequest|aws.LogResponseWithBody),
)
if err != nil {
return fmt.Errorf("failed to load config, %w", err)
}
const role = "arn:aws:iam::<account>:role/S3ReadOnly"
stsClient := sts.NewFromConfig(cfg)
provider := stscreds.NewAssumeRoleProvider(stsClient, role)
cfg.Credentials = aws.NewCredentialsCache(provider)
s3Client := s3.NewFromConfig(cfg)
result, err := s3Client.ListBuckets(ctx, nil)
if err != nil {
return fmt.Errorf("failed to list buckets, %w", err)
}
log.Println("buckets", len(result.Buckets))
return nil
} Log output of request
|
Yes, without the retrieve it does happen 100% of the time. with the retrieve, it never happens |
Looks like the issue causing the signature to be invalid is that something is preventing the SDK from computing the |
The issue is occurring because the SDK is effectively polluting of the We're working on a fix for this bug, and will update this issue when a fix is available. With that said the following is a workaround that will ensure the content-sha256 value will be cleared for nested operations like the STS assume role. Custom middleware that clears the content-shaw256 context value. type clearContextContentSha256 struct{}
func (clearContextContentSha256) ID() string {
return "clear content-sha256 workaround"
}
func (clearContextContentSha256) HandleInitialize(
ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler) (
out middleware.InitializeOutput, metadata middleware.Metadata, err error,
) {
ctx = v4.SetPayloadHash(ctx, "")
return next.HandleInitialize(ctx, in)
} This is then used when loading the config to ensure all operations don't pollute nested operation calls. cfg, err := config.LoadDefaultConfig(ctx,
config.WithRegion("us-west-2"),
config.WithClientLogMode(aws.LogSigning|aws.LogRequestWithBody|aws.LogResponseWithBody),
config.WithAPIOptions([]func(stack *middleware.Stack) error{
func(stack *middleware.Stack) error {
return stack.Initialize.Add(clearContextContentSha256{}, middleware.Before)
},
}),
)
if err != nil {
return fmt.Errorf("failed to load config, %w", err)
} |
I tried the workaround and it is working! Thank you for the quick turn around on this! |
Adds utilities for values that are intended to be scoped to individual stacks. Provides utilities for bulk clearing these values as well. Related to aws/aws-sdk-go-v2#914
Adds utilities for values that are intended to be scoped to individual stacks. Provides utilities for bulk clearing these values as well. Related to aws/aws-sdk-go-v2#914
Updates the SDK's middleware metadata to be scoped to the individual stack's execution. This ensures that operations invoked nested within a stack will not be polluted with values from parent stack(s). Fixes #914
Adds utilities for values that are intended to be scoped to individual stacks. Provides utilities for bulk clearing these values as well. Related to aws/aws-sdk-go-v2#914
Updates the SDK's middleware metadata to be scoped to the individual stack's execution. This ensures that operations invoked nested within a stack will not be polluted with values from parent stack(s). Fixes #914
Updates the SDK's middleware metadata to be scoped to the individual stack's execution. This ensures that operations invoked nested within a stack will not be polluted with values from parent stack(s). Fixes #914
|
Customer reported signature mismatch error when assuming role via STS, need to investigate the same.
Customer issue: #883 (comment)
Reproducible code as provided by customer: #883 (comment)
The text was updated successfully, but these errors were encountered: