feat: STS web identity creds resolver #1949
Conversation
…nerated in AWSSDKIdentity module.
…vice clients used by creds resolvers.
| @@ -4,7 +4,7 @@ included: | |||
| - Sources/Core/AWSSDKCommon/Sources | |||
| - Sources/Core/AWSSDKEventStreamsAuth/Sources | |||
| - Sources/Core/AWSSDKHTTPAuth/Sources | |||
| - Sources/Core/AWSSDKIdentity/Sources | |||
| - Sources/Core/AWSSDKIdentity/Sources/AWSSDKIdentity | |||
There was a problem hiding this comment.
Limits swiftlint to be more specific, so the generated STS client files doesn't get linted.
| @@ -129,12 +129,32 @@ private var runtimeTargets: [Target] { | |||
| ), | |||
| .target( | |||
| name: "AWSSDKHTTPAuth", | |||
| dependencies: [.crt, .smithy, .clientRuntime, .smithyHTTPAuth, "AWSSDKIdentity", "AWSSDKChecksums"], | |||
| dependencies: [.crt, .smithy, .clientRuntime, .smithyHTTPAuth, "AWSSDKChecksums"], | |||
There was a problem hiding this comment.
The generated STS client in AWSSDKIdentity depends on AWSClientRuntime.
That caused this circular dependency:
AWSSDKIdentity => AWSClientRuntime => AWSSDKHTTPAuth => AWSSDKIdentity
Removed AWSSDKIdentity dependency from AWSSDKHTTPAuth as needed.
| dependencies: [ | ||
| .crt, | ||
| .smithy, | ||
| .clientRuntime, | ||
| .smithyIdentity, | ||
| .smithyIdentityAPI, | ||
| .smithyHTTPAPI, | ||
| .awsSDKCommon, | ||
| "AWSClientRuntime", | ||
| .smithyRetriesAPI, | ||
| .smithyRetries, | ||
| .smithyEventStreamsAPI, | ||
| .smithyEventStreamsAuthAPI, | ||
| .smithyEventStreams, | ||
| .smithyChecksumsAPI, | ||
| .smithyChecksums, | ||
| .smithyWaitersAPI, | ||
| .awsSDKHTTPAuth, | ||
| .awsSDKEventStreamsAuth, | ||
| .awsSDKChecksums, | ||
| ], |
There was a problem hiding this comment.
Generated STS client in AWSSDKIdentity module needs dependencies that service modules use.
| @@ -160,7 +180,7 @@ private var runtimeTestTargets: [Target] { | |||
| ), | |||
| .testTarget( | |||
| name: "AWSSDKEventStreamsAuthTests", | |||
| dependencies: ["AWSClientRuntime", "AWSSDKEventStreamsAuth", .smithyStreams, .smithyTestUtils], | |||
| dependencies: ["AWSClientRuntime", "AWSSDKEventStreamsAuth", "AWSSDKIdentity", .smithyStreams, .smithyTestUtils], | |||
There was a problem hiding this comment.
This was the only spot where AWSSDKIdentity module was actually needed under AWSSDKHTTPAuth/. So moved dependency directly to test module instead.
| @@ -97,7 +97,7 @@ class STSAssumeRoleAWSCredentialIdentityResolverTests: XCTestCase { | |||
| )) | |||
|
|
|||
| // Construct STS client wih assume-role credentials provider. | |||
| let underlyingResolver = try DefaultAWSCredentialIdentityResolverChain() | |||
| let underlyingResolver = DefaultAWSCredentialIdentityResolverChain() | |||
There was a problem hiding this comment.
Remove unnecessary try, now that default chain init doesn't do any throwing operation. Not related to any of the changes in the PR; just done here because I saw build warning.
| @@ -0,0 +1,82 @@ | |||
| // | |||
There was a problem hiding this comment.
Generated STS client file.
There was a problem hiding this comment.
Generated STS client file.
There was a problem hiding this comment.
Generated STS client file.
| @@ -71,7 +71,8 @@ data class AwsService( | |||
| val modelFile: File, | |||
There was a problem hiding this comment.
Adds STS client generation into AWSSDKIdentity, as well as visibility codegen setting for the client.
| { return ( STSWebIdentityAWSCredentialIdentityResolver(source: .env)) }, | ||
| { return ( STSWebIdentityAWSCredentialIdentityResolver(source: .configFile)) }, | ||
| { return ( ECSAWSCredentialIdentityResolver()) }, |
There was a problem hiding this comment.
The old STSWebIdentity creds resolver that depends on CRT tried to resolve from env, then from config file. New ordering with new implementation uses same ordering.
…ume role APIs needed for credential resolvers.
| @@ -0,0 +1,31 @@ | |||
| package software.amazon.smithy.aws.swift.codegen.customization.credentialresolverservices | |||
There was a problem hiding this comment.
Model integration to remove all operations except assume role & assumer role web identity when generating internal STS client for credential resolvers.
…e clients. Also, separate InternalAWSSTS into its own target in Package.Base.txt.
…inversion principle (DIP) so that AWSSDKIdentity doesn't directly depend on the internal STS client.
…into auth options returned by auth scheme resolver.
…eme resolver codegen & add codegen for IdentityProvidingSTSClient struct in internal AWS STS target.
| .target( | ||
| name: "InternalAWSSTS", | ||
| dependencies: [ | ||
| .clientRuntime, | ||
| .awsClientRuntime, | ||
| .smithyRetriesAPI, | ||
| .smithyRetries, | ||
| .smithy, | ||
| .smithyIdentity, | ||
| .smithyIdentityAPI, | ||
| .smithyEventStreamsAPI, | ||
| .smithyEventStreamsAuthAPI, | ||
| .smithyEventStreams, | ||
| .smithyChecksumsAPI, | ||
| .smithyChecksums, | ||
| .smithyWaitersAPI, | ||
| .awsSDKCommon, | ||
| .awsSDKIdentity, | ||
| .awsSDKHTTPAuth, | ||
| .awsSDKEventStreamsAuth, | ||
| .awsSDKChecksums, | ||
| ], | ||
| path: "Sources/Core/AWSSDKIdentity/Sources/InternalAWSSTS" |
There was a problem hiding this comment.
InternalAWSSTS is separated out into its own target.
| @@ -199,6 +223,7 @@ private func target(_ service: String) -> Target { | |||
| .awsSDKHTTPAuth, | |||
| .awsSDKEventStreamsAuth, | |||
| .awsSDKChecksums, | |||
| "InternalAWSSTS", | |||
There was a problem hiding this comment.
All services depend on InternalAWSSTS, used for credential resolution as needed.
| @@ -0,0 +1,24 @@ | |||
| // | |||
There was a problem hiding this comment.
This protocl is what allows dependency inversion. The actual IdentityProvidingSTSClient struct that conforms to the protocol here will be generated under InternalAWSSTS. Then, the auth scheme resolver of each public service module will construct an instance of the IdentityProvidingSTSClient struct and save it to auth option's identityProperties. Over in STS web identity cred resolver in AWSSDKIdentity, we just use the protocol to call the getCredentialsWithWebIdentity. This allows AWSSDKIdentity to use InternalAWSSTS without having direct dependency.
| public enum InternalClientKeys { | ||
| /// The STS client to be used in credential resolution. | ||
| public static let internalSTSClientKey = AttributeKey<any IdentityProvidingSTSClient>( | ||
| name: "IdentityProvidingSTSClient" | ||
| ) | ||
| } |
There was a problem hiding this comment.
This attribute key is used by auth scheme resolvers (generated for each public service module) to save an instance of IdentityProvidingSTSClient into identityProperties attributes of auth option.
| @@ -0,0 +1,42 @@ | |||
| // | |||
There was a problem hiding this comment.
Generated STS client file. This is the concrete implementation of IdenttiyProvidingSTSClient protocol. It constructs an instance of the internal STS client generated in InternalAWSSTS target, uses it to fetch creds, and returns AWSCredentialIdentity.
| AuthSchemeResolverGenerator { authOptionName, writer -> | ||
| writer.write( | ||
| "$authOptionName.identityProperties.set(key: \$N.internalSTSClientKey, value: \$N())", | ||
| AWSSDKIdentityTypes.InternalClientKeys, | ||
| InternalClientTypes.IdentityProvidingSTSClient, | ||
| ) | ||
| }.render(ctx) |
There was a problem hiding this comment.
This is where we use the new extension point added in companion smithy-swift PR. Allows us to construct & add IdentityProvidingSTSClient struct to identityProperties, without leaking type info in generic smithy codegen.
| val INTERNAL_AWS_STS = | ||
| SwiftDependency( | ||
| "InternalAWSSTS", | ||
| "main", | ||
| "0.0.1", | ||
| "aws-sdk-swift", | ||
| "../../../aws-sdk-swift", | ||
| "InternalAWSSTS", | ||
| SwiftDependency.DistributionMethod.SPR, | ||
| ) |
There was a problem hiding this comment.
New target that contains internal STS client generated for credential resolution purposes.
| @@ -0,0 +1,100 @@ | |||
| package software.amazon.smithy.aws.swift.codegen.customization.credentialresolverservices | |||
There was a problem hiding this comment.
Customization to generate IdentityProvidingSTSClient struct under InternalAWSSTS.
| @@ -0,0 +1,43 @@ | |||
| package software.amazon.smithy.aws.swift.codegen.customization.credentialresolverservices | |||
There was a problem hiding this comment.
The model integration that removes unused operations from internal service clients. For STS, we only need assumeRole and assumeRoleWithWebIdentity. Reduces runtime module size.
This reverts commit e328aa1.
...Tests/Services/AWSSTSIntegrationTests/STSWebIdentityAWSCredentialIdentityResolverTests.swift
Show resolved
Hide resolved
…staged for release.
Companion PR:
Issue #
2380
Description of changes
IdentityProvisingSTSClientstruct instance into auth option'sidentityProperties.New/existing dependencies impact assessment, if applicable
Conventional Commits
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.