Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Addresses Used in IamAwsProvider #1460

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix Addresses Used in IamAwsProvider #1460

wants to merge 2 commits into from
+4 −9

Conversation

sam-mosleh
Copy link

Fixes #1459

balamurugana
balamurugana requested changes Nov 20, 2024
View reviewed changes
minio/credentials/providers.py
path="/latest/meta-data/iam/security-credentials/",
),
),
url+"/latest/meta-data/iam/security-credentials/",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This breaks if custom_endpoint is passed. I think you would need to leave it as is.

Copy link
Author

@sam-mosleh sam-mosleh Nov 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback!

I noticed the same logic is already applied on

minio-py/minio/credentials/providers.py

Line 501 in 759a5f3

url+"/latest/api/token",

which follows the same pattern used in the Go implementation
https://github.com/minio/minio-go/blob/ab1c2fe050a4dd502c863178696a54c44610ca82/pkg/credentials/iam_aws.go#L334

However, the Go implementation has an issue: it doesn’t account for cases where a custom endpoint contains a path. This leads to the assumption that the custom_endpoint doesn’t have a path, which is why I addressed it this way on line 511.

To resolve this, we have two options when a custom_endpoint is passed:

  1. Assume it does not contain a path and use simple string concatenation (+) in all instances where we manipulate the URL. (essentially what this PR did)
  2. Assume it can contain a path and ensure proper handling by using urllib.parse.SplitResult in all usages to safely override the path.

Given that the Go implementation itself is inconsistent—sometimes appending directly to the URL and other times parsing the URL—it would be helpful to align on one approach to avoid further confusion and potential issues.

Which approach do you think would be best to adopt moving forward?

minio/credentials/providers.py
headers=headers,
)
role_names = res.data.decode("utf-8").split("\n")
if not role_names:
raise ValueError(f"no IAM roles attached to EC2 service {url}")
url += "/" + role_names[0].strip("\r")
url += "/latest/meta-data/iam/security-credentials/" + role_names[0].strip("\r")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May be you would need to do to same logic as in line #511

@sam-mosleh
Copy link
Author

@balamurugana I totally get that these commits might get rewritten completely depending on the approach you choose, but my OCD brain just couldn’t resist not fixing these linting errors! 😅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@balamurugana balamurugana balamurugana requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Invalid Address Used for IMDSv2
2 participants
@sam-mosleh @balamurugana