remove todo from vault-238

SylvainSenechal · SylvainSenechal · commit 603e164a6ac7 · 2026-01-19T18:25:32.000+01:00
ISSUE: BB-730
diff --git a/bin/ensureServiceUser b/bin/ensureServiceUser
@@ -164,9 +164,10 @@ class PolicyHandler extends BaseHandler {
                 const res = await this.stsClient.send(command);
                 accountId = res.Account;
             } catch (err) {
-                // Workaround a Vault issue on 8.3 branch
-                // https://scality.atlassian.net/browse/VAULT-238
-                accountId = '000000000000';
+                this.log.error('failed to get caller identity', {
+                    error: errorUtils.reshapeExceptionError(err),
+                });
+                throw err;
             }
         }
 
diff --git a/extensions/utils/VaultClientWrapper.js b/extensions/utils/VaultClientWrapper.js
@@ -1,5 +1,5 @@
 const { fromTemporaryCredentials } = require('@aws-sdk/credential-providers');
-const { errorUtils } = require('arsenal');
+const { GetCallerIdentityCommand } = require('@aws-sdk/client-sts');
 
 const { authTypeAssumeRole, authTypeNone } = require('../../lib/constants');
 const VaultClientCache = require('../../lib/clients/VaultClientCache');
@@ -44,10 +44,10 @@ class VaultClientWrapper {
         }
 
         const stsWithCreds = CredentialsManager.resolveExternalFileSync(sts, this.logger);
+        const endpoint = `${sts.transport || 'https'}://${sts.host}:${sts.port}`;
 
-        // FIXME: works with vault 7.10 but not 8.3 (return 501)
-        // https://scality.atlassian.net/browse/VAULT-238
-        this._tempCredsPromise = Promise.resolve({ Account: '000000000000' })
+        const getCallerIdentity = new GetCallerIdentityCommand({});
+        this._tempCredsPromise = stsWithCreds.send(getCallerIdentity)
             .then(res => {
                 const roleArn = `arn:aws:iam::${res.Account}:role/${roleName}`;
                 const roleSessionName = `${this._clientId}`;
@@ -57,50 +57,43 @@ class VaultClientWrapper {
                     secretAccessKey: stsWithCreds.secretKey,
                 };
 
-                // Create a credential provider that assumes the role
-                return fromTemporaryCredentials({
-                    masterCredentials,
+                const creds = fromTemporaryCredentials({
                     params: {
                         RoleArn: roleArn,
                         RoleSessionName: roleSessionName,
-                        // default expiration: 1 hour
                     },
                     clientConfig: {
-                        endpoint: `${this._transport}://${sts.host}:${sts.port}`,
-                        region: 'us-east-1',
-                        tls: this._transport === 'https',
-                        maxAttempts: 1,
-                        requestHandler: {
-                            httpAgent: this._transport === 'http' ? this.stsAgent : undefined,
-                            httpsAgent: this._transport === 'https' ? this.stsAgent : undefined,
-                            connectionTimeout: 0,
-                            socketTimeout: 0,
-                        },
+                        endpoint,
+                        region: sts.region,
+                        credentials: masterCredentials,
+                        requestHandler: this.stsAgent,
                     },
                 });
+                return creds();
             })
-            .then(creds => {
-                this._tempCredsPromiseResolved = true;
-                return creds;
+            .then(res => {
+                this._tempCreds = {
+                    accessKey: res.accessKeyId,
+                    secretKey: res.secretAccessKey,
+                    sessionToken: res.sessionToken,
+                };
             })
             .catch(err => {
-                if (err.retryable) {
-                    const retryDelayMs = 5000;
-
-                    this.logger.error('could not set up temporary credentials, retrying', {
-                        retryDelayMs,
-                        error: errorUtils.reshapeExceptionError(err),
-                    });
-
-                    setTimeout(() => this._storeAWSCredentialsPromise(), retryDelayMs);
-                } else {
-                    this.logger.error('could not set up temporary credentials', {
-                        error: errorUtils.reshapeExceptionError(err),
-                    });
-                }
+                this.logger.error('failed to get temporary credentials', {
+                    error: errorUtils.reshapeExceptionError(err),
+                });
+                throw err;
             });
     }
 
+    getSTSCredentials() {
+        if (this._authConfig.type !== authTypeAssumeRole) {
+            return null;
+        }
+
+        return this._tempCreds;
+    }
+
     getAccountId(canonicalId, cb) {
         this.getAccountIds([canonicalId], (err, res) => {
             if (err) {

Original file line number	Diff line number	Diff line change
`@@ -164,9 +164,10 @@ class PolicyHandler extends BaseHandler {`
`164`	`164`	`const res = await this.stsClient.send(command);`
`165`	`165`	`accountId = res.Account;`
`166`	`166`	`} catch (err) {`
`167`		`- // Workaround a Vault issue on 8.3 branch`
`168`		`- // https://scality.atlassian.net/browse/VAULT-238`
`169`		`- accountId = '000000000000';`
	`167`	`+ this.log.error('failed to get caller identity', {`
	`168`	`+ error: errorUtils.reshapeExceptionError(err),`
	`169`	`+ });`
	`170`	`+ throw err;`
`170`	`171`	`}`
`171`	`172`	`}`
`172`	`173`