Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Sigv4 Endpoint config parameter #494

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add Sigv4 Endpoint config parameter #494

wants to merge 1 commit into from

Conversation

kanwren
Copy link

@kanwren kanwren commented Jun 16, 2023

Exposes an endpoint field in the sigv4 config, so that the call to STS when assuming a role with a web identity can use a custom STS endpoint, e.g. a VPC endpoint.

No clients other than the STS one are made from the session config here, so setting Endpoint should be safe, but it can also be a resolver if this is a concern.

Addresses prometheus/prometheus#11710.

@kanwren kanwren force-pushed the kanwren/add-sigv4-endpoint-parameter branch from bccc2dc to 4faba52 Compare June 16, 2023 16:02
@qswinson
Copy link

Any chance on getting this merged? It would be very helpful for AWS VPC deployments that need to keep all network traffic within AWS.

@doris-zhou doris-zhou mentioned this pull request Jan 2, 2024
Open
@kanwren kanwren force-pushed the kanwren/add-sigv4-endpoint-parameter branch from 4faba52 to 3442f5d Compare April 24, 2024 18:49
@rapphil
Copy link

rapphil commented Jul 8, 2024

Thanks for creating this PR.

rapphil
rapphil reviewed Jul 8, 2024
View reviewed changes
sigv4/sigv4.go
@@ -62,6 +62,7 @@ func NewSigV4RoundTripper(cfg *SigV4Config, next http.RoundTripper) (http.RoundT
sess, err := session.NewSessionWithOptions(session.Options{
Config: aws.Config{
Region: aws.String(cfg.Region),
Endpoint: aws.String(cfg.Endpoint),
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what you want to change is the property STSRegionalEndpoint and set it to RegionalSTSEndpoint

References:
https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config
https://github.com/aws/aws-sdk-go/blob/main/aws/endpoints/endpoints.go#L186C2-L186C21

Then we don't need to add a configuration because it is fine to always use the regional STS endpoint.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the other hand, I think it is safer to add a configuration parameter whose default value is the current behaviour (global endpoint - value LegacySTSEndpoint). In fact you the zero value will be the legacy endpoint so it is fine to not set if the configuration is not setting.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still we have the benefit of not needing to provide the sts endpoint explicitly and we leave the SDK to do that for us.

@alexgreenbank
Copy link
Member

Hello from the bug scrub.

There is some feedback on this PR that needs attention. Is there any further work required?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rapphil rapphil rapphil left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kanwren @qswinson @rapphil @alexgreenbank