Expand Up @@ -60,6 +60,11 @@ namespace Aws {
return getExpiration();
}

Aws::Crt::Optional<Aws::String> accountId() const override
{
return Aws::Crt::Optional<Aws::String>{};
}


private:
Aws::String m_accessKeyId;
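Review bot: The new `accountId()` override returns a disengaged Optional with nothing saying why this class has no account id. The smithy base class in this PR already returns a disengaged Optional as its default, so the override is either redundant or forced by the intermediate base that re-declares `accountId()` as pure virtual (`override = 0` in the AwsCredentialIdentityBase hunk) — the class header is outside the hunk, so I cannot tell which. A one-line comment would settle it for the next reader: `// Required by the pure-virtual re-declaration in the base; this credential type carries no account id.` (adjust if the base differs). The same hunk is rendered a second time immediately below this one.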
Expand Up @@ -60,6 +60,11 @@ namespace Aws {
return getExpiration();
}

Aws::Crt::Optional<Aws::String> accountId() const override
{
return Aws::Crt::Optional<Aws::String>{};
}


private:
Aws::String m_accessKeyId;
43 changes: 42 additions & 1 deletion src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentials.h
Expand Up @@ -54,12 +54,28 @@ namespace Aws
{
}

/**
* Initializes object with accessKeyId, secretKey, sessionToken, expiration date and account Id.
*/
AWSCredentials(const Aws::String& accessKeyId,
Contributor

The same needs to be extended to AwsCredentialIdentityBase.h and all smithy creds classes for completion

Contributor Author

@sbiscigl sbiscigl Feb 7, 2025

We return empty by default in smithy; I don't follow this comment. We only override when it is needed, and it is only needed on AwsCredentialIdentity.

const Aws::String& secretKey,
const Aws::String& sessionToken,
Aws::Utils::DateTime expiration,
const Aws::String& accountId)
: m_accessKeyId(accessKeyId),
m_secretKey(secretKey),
m_sessionToken(sessionToken),
m_expiration(expiration),
m_accountId(accountId) {}

bool operator == (const AWSCredentials& other) const
{
return m_accessKeyId == other.m_accessKeyId
&& m_secretKey == other.m_secretKey
&& m_sessionToken == other.m_sessionToken
&& m_expiration == other.m_expiration;
&& m_expiration == other.m_expiration
&& m_accountId == other.m_accountId;

}

bool operator != (const AWSCredentials& other) const
Expand Down Expand Up @@ -109,6 +125,14 @@ namespace Aws
return m_expiration;
}

/**
* Gets the underlying account id
*/
inline const Aws::String& GetAccountId() const
{
return m_accountId;
}

/**
* Sets the underlying access key credential. Copies from parameter accessKeyId.
*/
Expand All @@ -133,6 +157,14 @@ namespace Aws
m_sessionToken = sessionToken;
}

/**
* Sets the underlying account id. Copies from parameter accountId
*/
inline void SetAccountId(const Aws::String& accountId)
{
m_accountId = accountId;
}


/**
* Sets the underlying access key credential. Copies from parameter accessKeyId.
Expand All @@ -158,6 +190,14 @@ namespace Aws
m_sessionToken = sessionToken;
}

/**
* Sets the underlying account id. Copies from parameter accountId
*/
inline void SetAccountId(const char* accountId)
{
m_accountId = accountId;
}

/**
* Sets the expiration date of the credential
*/
Expand All @@ -171,6 +211,7 @@ namespace Aws
Aws::String m_secretKey;
Aws::String m_sessionToken;
Aws::Utils::DateTime m_expiration;
Aws::String m_accountId;
Contributor

Can we make this optional, so that it's easy to check validity for the new field? Since this is not a required field.

Contributor Author

expiration is optional and we treat it the same way, so i would prefer to treat this the same rather than introduce crt optional to this

};
}
}
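Review bot: `GetAccountId()` is documented only as "Gets the underlying account id", and nothing in the header records that an empty string is the "not provided" state — yet every producer in this PR guards with `.empty()` or `KeyExists` before setting it, so a caller of this getter has no documented way to distinguish a missing id from a real value. Suggest `* Gets the underlying account id. Empty when the credential source supplied none.` on the getter and the same sentence in the new five-argument constructor's comment. `SetAccountId(const char* accountId)` also assigns the pointer straight into `Aws::String`, which is undefined behaviour for a null pointer; that matches the existing `const char*` setters, but a `// accountId must not be null` note or a null guard would make the contract explicit.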
Expand Up @@ -12,20 +12,26 @@ namespace smithy {
AwsCredentialIdentity(const Aws::String& accessKeyId,
const Aws::String& secretAccessKey,
const Aws::Crt::Optional<Aws::String>& sessionToken,
const Aws::Crt::Optional<AwsIdentity::DateTime>& expiration)
: m_accessKeyId(accessKeyId), m_secretAccessKey(secretAccessKey),
m_sessionToken(sessionToken), m_expiration(expiration) {}
const Aws::Crt::Optional<AwsIdentity::DateTime>& expiration,
const Aws::Crt::Optional<Aws::String>& accountId)
: m_accessKeyId(accessKeyId),
m_secretAccessKey(secretAccessKey),
m_sessionToken(sessionToken),
m_expiration(expiration),
m_accountId(accountId) {}

Aws::String accessKeyId() const override;
Aws::String secretAccessKey() const override;
Aws::Crt::Optional<Aws::String> sessionToken() const override;
Aws::Crt::Optional<AwsIdentity::DateTime> expiration() const override;
Aws::Crt::Optional<Aws::String> accountId() const override;

protected:
Aws::String m_accessKeyId;
Aws::String m_secretAccessKey;
Aws::Crt::Optional<Aws::String> m_sessionToken;
Aws::Crt::Optional<AwsIdentity::DateTime> m_expiration;
Aws::Crt::Optional<Aws::String> m_accountId;
};
}
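Review bot: The constructor gains a fifth parameter with no default, so any code outside this PR that constructs `AwsCredentialIdentity` with four arguments stops compiling, and this is a public header. Giving the new parameter a default keeps source compatibility while callers migrate: `const Aws::Crt::Optional<Aws::String>& accountId = Aws::Crt::Optional<Aws::String>{})`. The new `m_accountId` member would also benefit from a one-line comment stating that a disengaged value means the credential source supplied no account id.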

Expand Up @@ -12,6 +12,7 @@ namespace smithy {
virtual Aws::String accessKeyId() const = 0;
virtual Aws::String secretAccessKey() const = 0;
virtual Aws::Crt::Optional<Aws::String> sessionToken() const = 0;
virtual Aws::Crt::Optional<AwsIdentity::DateTime> expiration() const override = 0 ;
virtual Aws::Crt::Optional<AwsIdentity::DateTime> expiration() const override = 0;
virtual Aws::Crt::Optional<Aws::String> accountId() const override = 0;
};
}
Expand Up @@ -17,5 +17,9 @@ namespace smithy {
virtual Aws::Crt::Optional<DateTime> expiration() const {
return Aws::Crt::Optional<DateTime>();
};

virtual Aws::Crt::Optional<Aws::String> accountId() const {
Contributor

why not return by const reference?

Contributor Author

we return expiration by value, why should we make it different for accountId?

Contributor

Let's return by value. Yes, it is an additional copy, but it keeps open the option of overriding this class with a different implementation that computes the account id at runtime only and never stores it as a member variable.

return Aws::Crt::Optional<Aws::String>{};
}
};
}
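Review bot: The new default `accountId()` has no doc comment, so a subclass author cannot tell what the disengaged return means or whether they may return a reference; the legacy `AWSCredentials` side in this PR uses an empty string for the same "no account id" state, which makes the contract worth stating once here. Suggest, above the virtual: `/// Account id associated with this identity, if known. Returned by value; the default is a disengaged Optional meaning no account id is available.` The stray `;` after the `expiration()` body on the line above is pre-existing but could be dropped in passing.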
Expand Up @@ -23,4 +23,8 @@ namespace smithy {
inline Aws::Crt::Optional<AwsIdentity::DateTime> AwsCredentialIdentity::expiration() const {
return m_expiration;
}

inline Aws::Crt::Optional<Aws::String> AwsCredentialIdentity::accountId() const {
return m_sessionToken;
}
}
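Review bot: `AwsCredentialIdentity::accountId()` returns `m_sessionToken` instead of `m_accountId`, so every consumer receives the session token as the account id and the value passed to the new constructor parameter is never observable. The session token is a secret, so this also leaks it into whatever later consumes the account id; the line should read `return m_accountId;`. The same substitution appears in the resolver hunk that builds `smithyCreds` from `legacyCreds`, where the last constructor argument should be `legacyCreds.GetAccountId().empty()? Aws::Crt::Optional<Aws::String>() : legacyCreds.GetAccountId());`. A unit test constructing an identity with distinct token and account values and asserting each getter separately would have caught both.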
Expand Up @@ -35,9 +35,12 @@ namespace smithy

const auto fetchedCreds = m_credentialsProvider->GetAWSCredentials();

auto smithyCreds = Aws::MakeUnique<AwsCredentialIdentity>("DefaultAwsCredentialIdentityResolver",
fetchedCreds.GetAWSAccessKeyId(), fetchedCreds.GetAWSSecretKey(),
fetchedCreds.GetSessionToken(), fetchedCreds.GetExpiration());
auto smithyCreds = Aws::MakeUnique<AwsCredentialIdentity>("AwsCredentialsProviderIdentityResolver",
fetchedCreds.GetAWSAccessKeyId(),
fetchedCreds.GetAWSSecretKey(),
fetchedCreds.GetSessionToken(),
fetchedCreds.GetExpiration(),
fetchedCreds.GetAccountId());

return {std::move(smithyCreds)};
}
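Review bot: `fetchedCreds.GetAccountId()` is passed straight into an `Aws::Crt::Optional<Aws::String>` parameter, so an empty account id becomes an engaged Optional holding `""` rather than a disengaged one, unlike the other two resolvers in this PR which guard with `.empty()`; callers that test `has_value()` will then treat credentials without an account id as if they had one. The pre-existing `GetSessionToken()` argument has the same inconsistency. Apply the guard used in the resolver tagged "SimpleAwsCredentialIdentityResolver": `fetchedCreds.GetSessionToken().empty()? Aws::Crt::Optional<Aws::String>() : fetchedCreds.GetSessionToken(),` and `fetchedCreds.GetAccountId().empty()? Aws::Crt::Optional<Aws::String>() : fetchedCreds.GetAccountId());`. The enclosing function starts outside the hunk.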
Expand Up @@ -49,7 +49,8 @@ namespace smithy {
legacyCreds.GetAWSAccessKeyId(),
legacyCreds.GetAWSSecretKey(),
legacyCreds.GetSessionToken().empty()? Aws::Crt::Optional<Aws::String>() : legacyCreds.GetSessionToken(),
legacyCreds.GetExpiration());
legacyCreds.GetExpiration(),
legacyCreds.GetAccountId().empty()? Aws::Crt::Optional<Aws::String>() : legacyCreds.GetSessionToken());

return ResolveIdentityFutureOutcome(std::move(smithyCreds));
}
Expand Up @@ -33,9 +33,12 @@ namespace smithy
AWS_UNREFERENCED_PARAM(identityProperties);
AWS_UNREFERENCED_PARAM(additionalParameters);

auto smithyCreds = Aws::MakeUnique<AwsCredentialIdentity>("DefaultAwsCredentialIdentityResolver",
m_credentials.GetAWSAccessKeyId(), m_credentials.GetAWSSecretKey(),
m_credentials.GetSessionToken(), m_credentials.GetExpiration());
auto smithyCreds = Aws::MakeUnique<AwsCredentialIdentity>("SimpleAwsCredentialIdentityResolver",
m_credentials.GetAWSAccessKeyId(),
m_credentials.GetAWSSecretKey(),
m_credentials.GetSessionToken().empty()? Aws::Crt::Optional<Aws::String>() : m_credentials.GetSessionToken(),
m_credentials.GetExpiration(),
m_credentials.GetAccountId().empty()? Aws::Crt::Optional<Aws::String>() : m_credentials.GetAccountId());

return {std::move(smithyCreds)};
}
14 changes: 14 additions & 0 deletions src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp
Expand Up @@ -36,6 +36,7 @@ using Aws::Utils::Threading::WriterLockGuard;
static const char ACCESS_KEY_ENV_VAR[] = "AWS_ACCESS_KEY_ID";
static const char SECRET_KEY_ENV_VAR[] = "AWS_SECRET_ACCESS_KEY";
static const char SESSION_TOKEN_ENV_VAR[] = "AWS_SESSION_TOKEN";
static const char ACCOUNT_ID_ENV_VAR[] = "AWS_ACCOUNT_ID";
static const char DEFAULT_PROFILE[] = "default";
static const char AWS_PROFILE_ENV_VAR[] = "AWS_PROFILE";
static const char AWS_PROFILE_DEFAULT_ENV_VAR[] = "AWS_DEFAULT_PROFILE";
Expand Down Expand Up @@ -91,6 +92,14 @@ AWSCredentials EnvironmentAWSCredentialsProvider::GetAWSCredentials()
credentials.SetSessionToken(sessionToken);
AWS_LOGSTREAM_DEBUG(ENVIRONMENT_LOG_TAG, "Found sessionToken");
}

const auto accountId = Aws::Environment::GetEnv(ACCOUNT_ID_ENV_VAR);

if (!accountId.empty())
{
credentials.SetAccountId(accountId);
AWS_LOGSTREAM_DEBUG(ENVIRONMENT_LOG_TAG, "Found accountId");
}
}

return credentials;
Expand Down Expand Up @@ -409,6 +418,11 @@ AWSCredentials Aws::Auth::GetCredentialsFromProcess(const Aws::String& process)
credentials.SetExpiration((std::chrono::time_point<std::chrono::system_clock>::max)());
}

if (credentialsView.KeyExists("AccountId"))
{
credentials.SetAccountId(credentialsView.GetString("AccountId"));
}

AWS_LOGSTREAM_DEBUG(PROFILE_LOG_TAG, "Successfully pulled credentials from process credential with AccessKey: " << accessKey << ", Expiration:" << credentialsView.GetString("Expiration"));
return credentials;
}
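Review bot: The `AWS_ACCOUNT_ID` environment value is stored verbatim after only an emptiness check, and the process-credential `AccountId` in the next hunk is stored with no check at all; the config-file profile loader (`ACCOUNT_ID_KEY`) and GeneralHTTPCredentialsProvider (`credentialsView.GetString("AccountId")`) in this PR behave the same way. An AWS account id is a twelve-digit number, and a value of any other shape most likely indicates a misconfiguration or a tampered environment, so I would log and skip it rather than propagate it — especially if the id later feeds endpoint hostname construction, which this diff does not show. One shared check in `AWSCredentials::SetAccountId` would cover every source at once. `GetCredentialsFromProcess` begins outside the hunk.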
Expand Up @@ -232,17 +232,19 @@ void GeneralHTTPCredentialsProvider::Reload()
return;
}

Aws::String accessKey, secretKey, token;
Aws::String accessKey, secretKey, token, accountId;
Utils::Json::JsonView credentialsView(credentialsDoc);
accessKey = credentialsView.GetString("AccessKeyId");
secretKey = credentialsView.GetString("SecretAccessKey");
token = credentialsView.GetString("Token");
accountId = credentialsView.GetString("AccountId");
AWS_LOGSTREAM_DEBUG(GEN_HTTP_LOG_TAG, "Successfully pulled credentials from metadata service with access key " << accessKey);

m_credentials.SetAWSAccessKeyId(accessKey);
m_credentials.SetAWSSecretKey(secretKey);
m_credentials.SetSessionToken(token);
m_credentials.SetExpiration(Aws::Utils::DateTime(credentialsView.GetString("Expiration"), Aws::Utils::DateFormat::ISO_8601));
m_credentials.SetAccountId(accountId);
AWSCredentialsProvider::Reload();
}

Expand Up @@ -21,6 +21,7 @@ namespace Aws
static const char ACCESS_KEY_ID_KEY[] = "aws_access_key_id";
static const char SECRET_KEY_KEY[] = "aws_secret_access_key";
static const char SESSION_TOKEN_KEY[] = "aws_session_token";
static const char ACCOUNT_ID_KEY[] = "aws_account_id";
static const char SSO_START_URL_KEY[] = "sso_start_url";
static const char SSO_REGION_KEY[] = "sso_region";
static const char SSO_ACCOUNT_ID_KEY[] = "sso_account_id";
Expand Down Expand Up @@ -445,7 +446,7 @@ namespace Aws
}

auto accessKeyIdIter = currentKeyValues.find(ACCESS_KEY_ID_KEY);
Aws::String accessKey, secretKey, sessionToken;
Aws::String accessKey, secretKey, sessionToken, accountId;
if (accessKeyIdIter != currentKeyValues.end())
{
accessKey = accessKeyIdIter->second;
Expand All @@ -467,7 +468,18 @@ namespace Aws
sessionToken = sessionTokenIter->second;
}

profile.SetCredentials(Aws::Auth::AWSCredentials(accessKey, secretKey, sessionToken));
const auto accountIdIter = currentKeyValues.find(ACCOUNT_ID_KEY);

if (accountIdIter != currentKeyValues.end())
{
accountId = accountIdIter->second;
}

profile.SetCredentials(Aws::Auth::AWSCredentials(accessKey,
secretKey,
sessionToken,
DateTime{(std::chrono::time_point<std::chrono::system_clock>::max)()},
accountId));
}

if (!profile.GetSsoStartUrl().empty() || !profile.GetSsoRegion().empty()
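Review bot: The profile path now passes an explicit `DateTime{(std::chrono::time_point<std::chrono::system_clock>::max)()}` where it previously relied on the three-argument constructor's default expiration; if that default is the same sentinel (the process-credential path in AWSCredentialsProvider.cpp spells out the identical expression), the "never expires" policy is now duplicated and a reader has to check the two stay in sync. Hoisting the sentinel into one named constant shared by both call sites, or adding a constructor overload that takes the account id without an expiration, would keep it in one place. Also `accountIdIter` is declared `const auto` while the sibling `accessKeyIdIter` lookup is plain `auto`; matching the surrounding style avoids the question of why this one differs. The enclosing function starts and ends outside the hunk.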
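--- a/src/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp
+++ b/src/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp
@@ -9,6 +9,7 @@
 #include <aws/core/http/HttpClientFactory.h>
 #include <aws/core/http/HttpResponse.h>
 #include <aws/core/utils/logging/LogMacros.h>
+#include <aws/core/utils/ARN.h>
 #include <aws/core/utils/StringUtils.h>
 #include <aws/core/utils/HashingUtils.h>
 #include <aws/core/platform/Environment.h>
@@ -588,6 +589,15 @@ namespace Aws
 {
 result.creds.SetExpiration(DateTime(StringUtils::Trim(expirationNode.GetText().c_str()).c_str(), DateFormat::ISO_8601));
 }
+XmlNode assumeRoleUser = credentialsNode.FirstChild("AssumedRoleUser");
+if (!assumeRoleUser.IsNull())
+{
+XmlNode roleArn = assumeRoleUser.FirstChild("Arn");
+if (!roleArn.IsNull())
+{
+result.creds.SetAccountId(ARN{roleArn.GetText()}.GetAccountId());
+}
+}
 }
 }
 return result;
@@ -670,6 +680,7 @@ namespace Aws
 creds.SetAWSSecretKey(roleCredentials.GetString("secretAccessKey"));
 creds.SetSessionToken(roleCredentials.GetString("sessionToken"));
 creds.SetExpiration(roleCredentials.GetInt64("expiration"));
+creds.SetAccountId(roleCredentials.GetString("accountId"));
 SSOCredentialsClient::SSOGetRoleCredentialsResult result;
 result.creds = creds;
 return result;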
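Review bot: The new block looks for `AssumedRoleUser` as a child of `credentialsNode`, but in the STS AssumeRoleWithWebIdentity response `AssumedRoleUser` is a sibling of `Credentials` inside the result element, not a child of it; if `credentialsNode` is the `Credentials` element (its name and the `Expiration` lookup just above suggest so), `assumeRoleUser.IsNull()` is always true and no account id is ever set — the enclosing function starts outside the hunk, so please confirm which node it is. The ARN text is also used untrimmed while the neighbouring `Expiration` value goes through `StringUtils::Trim`, and nothing checks that the ARN parsed before `GetAccountId()` is read; `ARN{StringUtils::Trim(roleArn.GetText().c_str())}` followed by a validity check, if `ARN` exposes one, would make the two paths consistent. In the SSO hunk, `creds.SetAccountId(roleCredentials.GetString("accountId"))` stores whatever the JSON returns, which will be empty if that response carries no such field; the profile's `sso_account_id` (see the config loader in this PR) is an alternative source worth confirming.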