feat: Update STS web identity credentials provider & add integration test #1327
Conversation
sichanyoo
had a problem deploying
to
Codegen-Build-Test
GitHub Actions
Failure
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
…g Github's red highlight.
sichanyoo
had a problem deploying
to
Codegen-Build-Test
GitHub Actions
Failure
sichanyoo
had a problem deploying
to
Integration-Test
GitHub Actions
Failure
sichanyoo
had a problem deploying
to
Integration-Test
GitHub Actions
Failure
sichanyoo
had a problem deploying
to
Integration-Test
GitHub Actions
Failure
sichanyoo
had a problem deploying
to
Integration-Test
GitHub Actions
Failure
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Codegen-Build-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
|
|
||
| // Helper methods for saving & deleting token file | ||
| private func saveTokenIntoFile() throws { | ||
| tokenFilePath = NSHomeDirectory() + "/token.txt" |
There was a problem hiding this comment.
We might want to use FileManager.default.temporaryDirectory instead of NSHomeDirectory()
There was a problem hiding this comment.
Changed as suggested.
| import Foundation | ||
|
|
||
| /// Tests STS web identity credentials provider using STS::getCallerIdentity. | ||
| class STSWebIdentityCredentialsProviderTests: XCTestCase { |
There was a problem hiding this comment.
Can we move helpers and role information to a separate file so that this file is easier to read
There was a problem hiding this comment.
I'd rather keep stuff for this integration test confined to one file. I'll go ahead and refactor stuff into more helper methods and locate them all at bottom of file for better readability.
| // This wait is necessary for role creation to propagate everywhere | ||
| let seconds = 10 | ||
| let NSEC_PER_SEC = 1_000_000_000 | ||
| try await Task.sleep(nanoseconds: UInt64(seconds * NSEC_PER_SEC)) |
There was a problem hiding this comment.
We shouldn't introduce anything non-deterministic in our integration tests if we can help it. A better approach would be to poll IAM to see if the role was created successfully.
Example using getRole:
func isRoleReady(iamClient: IAMClient, roleName: String) async -> Bool {
do {
let response = try await iamClient.getRole(input: GetRoleInput(roleName: roleName))
return response.role != nil
} catch {
return false
}
}
Then you can setup a function that calls isRoleReady every X seconds using Task.sleep until a configured timeout (if after X seconds/minutes the role is still not there, throw an error).
There was a problem hiding this comment.
It definitely would be ideal to have some polling mechanism like the one you suggested instead of a fixed wait behavior, but getRole doesn't serve our purpose here (nor does any other IAM API). That's because changes to IAM entities become available to IAM API immediately BUT it takes time for that info to propagate everywhere. With 7 second wait it reliably passed every time on local machine, so I made it 10 just to be safe. Here's a relevant stackoverflow discussion if you'd like to read more about it.
There was a problem hiding this comment.
Also see if there is a waiter defined on the service for the resource you are waiting on.
Check the Kinesis integration test: it uses a predefined waiter and manual waiting in two stages of the test to ensure conditions are met before proceeding.
There was a problem hiding this comment.
Tried the waiters and they don't serve the polling purpose in this instance for the same reasons explained above, as expected. Unless IAM provides some sort of API where it shows IAM identity's propagation status, I don't think it's possible to poll this info.
There was a problem hiding this comment.
Okay, we can try this live in CI for a while, but we'll have to revisit this test if it causes spurious failures in practice.
With the size & complexity of our test suite, we can't afford even a small number of flaky tests.
| // Confirm STS web identity credentials provider gave valid credentials | ||
| // ...by checking response was returned successfully. |
There was a problem hiding this comment.
Make use of Swift's multi-line comments instead of ...
There was a problem hiding this comment.
Changed as suggested.
sichanyoo
had a problem deploying
to
Codegen-Build-Test
GitHub Actions
Failure
sichanyoo
had a problem deploying
to
Integration-Test
GitHub Actions
Failure
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
had a problem deploying
to
Integration-Test
GitHub Actions
Failure
sichanyoo
had a problem deploying
to
Codegen-Build-Test
GitHub Actions
Failure
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
| /* ///////////////////////// | ||
| * TEARDOWN HELPER FUNCTIONS | ||
| * ///////////////////////// | ||
| */ |
There was a problem hiding this comment.
Xcode has a "mark" comment directive that can be used to delineate sections of code, and the marks you create show up in the list of symbols in the dropdown above the editor.
See: https://www.avanderlee.com/xcode/xcode-mark-line-comment/
There was a problem hiding this comment.
Changed as suggested.
| case TokenFileDeletionFailed(String) | ||
| } | ||
|
|
||
| enum IdentityPoolStatus { |
There was a problem hiding this comment.
Swift convention is that enum cases should be lowerCamelCase.
There was a problem hiding this comment.
Changed as suggested.
| // This wait is necessary for role creation to propagate everywhere | ||
| let seconds = 10 | ||
| let NSEC_PER_SEC = 1_000_000_000 | ||
| try await Task.sleep(nanoseconds: UInt64(seconds * NSEC_PER_SEC)) |
There was a problem hiding this comment.
Also see if there is a waiter defined on the service for the resource you are waiting on.
Check the Kinesis integration test: it uses a predefined waiter and manual waiting in two stages of the test to ensure conditions are met before proceeding.
sichanyoo
had a problem deploying
to
Integration-Test
GitHub Actions
Failure
sichanyoo
had a problem deploying
to
Codegen-Build-Test
GitHub Actions
Failure
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Codegen-Build-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Codegen-Build-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
sichanyoo
temporarily deployed
to
Integration-Test
GitHub Actions
Inactive
Issue #
#1189
#1194
Description of changes
Integration test structure overview:
STS::getCallerIdentityusing a STS client that has just the STS web identity credentials provider configuredNew/existing dependencies impact assessment, if applicable
Conventional Commits
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.