Fix Addresses Used in IamAwsProvider #1460
+4
−9
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -31,7 +31,7 @@ | |
| from datetime import timedelta | ||
| from pathlib import Path | ||
| from typing import Callable, cast | ||
| from urllib.parse import urlencode, urlsplit | ||
| from xml.etree import ElementTree as ET | ||
|
|
||
| import certifi | ||
|
|
@@ -44,7 +44,7 @@ | |
|
|
||
| from urllib3.util import Retry, parse_url | ||
|
|
||
| from minio.helpers import sha256_hash | ||
| from minio.signer import sign_v4_sts | ||
| from minio.time import from_iso8601utc, to_amz_date, utcnow | ||
| from minio.xml import find, findtext | ||
|
|
@@ -508,18 +508,13 @@ def retrieve(self) -> Credentials: | |
| res = _urlopen( | ||
| self._http_client, | ||
| "GET", | ||
| url+"/latest/meta-data/iam/security-credentials/", | ||
| headers=headers, | ||
| ) | ||
| role_names = res.data.decode("utf-8").split("\n") | ||
| if not role_names: | ||
| raise ValueError(f"no IAM roles attached to EC2 service {url}") | ||
| url += "/latest/meta-data/iam/security-credentials/" + role_names[0].strip("\r") | ||
|
There was a problem hiding this comment. May be you would need to do to same logic as in line #511 |
||
| if not url: | ||
| raise ValueError("url is empty; this should not happen") | ||
| self._credentials = self.fetch(url, headers=headers) | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This breaks if
custom_endpointis passed. I think you would need to leave it as is.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the feedback!
I noticed the same logic is already applied on
minio-py/minio/credentials/providers.py
Line 501 in 759a5f3
which follows the same pattern used in the Go implementation
https://github.com/minio/minio-go/blob/ab1c2fe050a4dd502c863178696a54c44610ca82/pkg/credentials/iam_aws.go#L334
However, the Go implementation has an issue: it doesn’t account for cases where a custom endpoint contains a path. This leads to the assumption that the custom_endpoint doesn’t have a path, which is why I addressed it this way on line 511.
To resolve this, we have two options when a custom_endpoint is passed:
+) in all instances where we manipulate the URL. (essentially what this PR did)Given that the Go implementation itself is inconsistent—sometimes appending directly to the URL and other times parsing the URL—it would be helpful to align on one approach to avoid further confusion and potential issues.
Which approach do you think would be best to adopt moving forward?