Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS IAM Authentication should provide a way to sign request for the global STS endpoint (eu-east-1) #758

Closed
Amuerte opened this issue Feb 24, 2023 · 5 comments
Closed

AWS IAM Authentication should provide a way to sign request for the global STS endpoint (eu-east-1) #758

Amuerte opened this issue Feb 24, 2023 · 5 comments
Labels
status: ideal-for-contribution An issue that a contributor can help us with type: enhancement A general enhancement
Milestone
3.0.2

Comments

@Amuerte
Copy link

Amuerte commented Feb 24, 2023

Since v3.0.x, the AwsIamAuthentication is using the AWS region computed by software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain, especially to sign the headers for the AWS v4 API, which is a good point.

But in some cases, the Vault instance which is making the proxy call to AWS, is configured to use the global STS endpoint (on us-east-1), which is the default behavior. And for security reasons, Vault is not using the iam_request_url parameter.

As a consequence, you end up with an application deployed in a region A and a Vault instance using the global STS endpoint, without no easy way to use the spring-vault client to login.

Therefore, I think we should provide a way to sign request for the global STS endpoint (eu-east-1) by offering a dedicated option and
I will be glad to help on that.
@mp911de
Copy link
Member

mp911de commented Feb 24, 2023

I'm not too familiar with the AWS API nor the SDK, we would be happy if you would submit a pull request so we can discuss the actual change and make it work in the context of Spring Vault.

@mp911de mp911de added type: enhancement A general enhancement status: ideal-for-contribution An issue that a contributor can help us with labels Feb 24, 2023
@Amuerte
Copy link
Author

Amuerte commented Mar 4, 2023

Changes done in PR #763

@Amuerte Amuerte mentioned this issue Mar 4, 2023
Closed
Amuerte added a commit to Amuerte/spring-vault that referenced this issue Mar 9, 2023
@Amuerte
Support authentication on global region for AWS IAM
d78dd13 
Closes spring-projectsgh-758
@Amuerte
Copy link
Author

Amuerte commented Mar 9, 2023

Hi @mp911de 👋

Any chances to see this shipped with release 3.0.2 ?

mp911de added a commit that referenced this issue Mar 17, 2023
@mp911de
Add support for a singleton Region in AwsIamAuthenticationOptions.
658ec58 
See gh-758
mp911de added a commit that referenced this issue Mar 17, 2023
@mp911de
Add support for a singleton Region in AwsIamAuthenticationOptions.
014e831 
See gh-758
@mp911de mp911de added this to the 3.0.2 milestone Mar 17, 2023
@mp911de
Copy link
Member

mp911de commented Mar 17, 2023

Looking at the PR, we already provide a way to set the AWS region. Having a method named useGlobalRegion that sets the region doesn't make sense as the region can be set already.

@Amuerte
Copy link
Author

Amuerte commented Mar 17, 2023

You are totally right on that point. By digging further, it appears we are blocked because of the use of spring-cloud-vault that does not provide a way to set the region. I will create an issue and a PR there. Thanks for you time.

@Amuerte Amuerte closed this as completed Mar 17, 2023
@Amuerte Amuerte mentioned this issue Mar 17, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: ideal-for-contribution An issue that a contributor can help us with type: enhancement A general enhancement
Projects
None yet
Milestone
3.0.2
Development

No branches or pull requests
2 participants
@mp911de @Amuerte