
fix(#8173): Do not return static aws credentials if they can expire #8970


Open: wants to merge 6 commits into base: main

Conversation


@DZDomi DZDomi commented May 22, 2025

Please add a summary of your change

In a previous commit (30728c2) for the function that provides AWS credentials, a crucial if check was removed that was responsible for making sure callers of the function GetS3Credentials would not receive expired credentials.

Specifically the removal of the following code caused the problem:

if os.Getenv(awsRoleEnvVar) != "" {
	return nil, nil
}

By not returning nil, nil anywhere in that function and forcing it to return some credentials, even if they can expire (for example for IAM roles that are assumed via STS), all functions that call this function would end up with invalid tokens after some period. This affects specifically long-running backup/data mover jobs to cloud storage like S3. This PR addresses this issue by checking if the credentials received are able to expire and, if so, returning nil, nil and letting the calling functions get their credentials via the default AWS credential provider chain.

Does your change fix a particular issue?

Fixes #8173

Please indicate you've done the following:
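The rule the PR describes (hand out static credentials only when they can never expire, otherwise return nil so the caller uses the default provider chain), as an added Go example that is not Velero's own code. The Credentials struct is a constructed stand-in for the CanExpire/Expires fields of the AWS SDK's aws.Credentials, and UseForJob is a hypothetical model of a long-running data mover job, contrasting the old snapshot behaviour with the fixed one.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Credentials is a constructed stand-in for the fields of the AWS SDK's
// aws.Credentials that matter here; it is not Velero's own type.
type Credentials struct {
	AccessKeyID string
	CanExpire   bool
	Expires     time.Time
}

// Expired reports whether a snapshot of the credentials is unusable at t.
func (c Credentials) Expired(t time.Time) bool {
	return c.CanExpire && !t.Before(c.Expires)
}

// StaticCredentialsOrNil is the rule the PR describes: return static
// credentials only if they can never expire; otherwise return nil so the
// caller falls through to the default credential provider chain, which
// refreshes assumed-role (STS/IRSA) credentials on its own.
func StaticCredentialsOrNil(c Credentials) *Credentials {
	if c.CanExpire {
		return nil
	}
	return &c
}

// UseForJob models a long-running data mover job: a static snapshot handed
// over at start-up is reused until it expires, whereas a nil snapshot makes
// the job ask the provider chain (refresh) for fresh credentials each time.
func UseForJob(snapshot *Credentials, refresh func() Credentials, at time.Time) (Credentials, error) {
	if snapshot == nil {
		return refresh(), nil
	}
	if snapshot.Expired(at) {
		return Credentials{}, errors.New("ExpiredToken: static credentials have expired")
	}
	return *snapshot, nil
}

func main() {
	// Constructed IRSA-style credentials valid for one hour.
	irsa := Credentials{AccessKeyID: "ASIA-CONSTRUCTED", CanExpire: true, Expires: time.Now().Add(time.Hour)}
	fmt.Println("handed out statically:", StaticCredentialsOrNil(irsa) != nil) // prints false
}
```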

blackpiglet and others added 4 commits May 22, 2025 23:11
* Please note that only the Kibishii workload supports the Windows test,
because the other workloads use the busybox image, which does not support Windows.
* Refactor CreateFileToPod to support Windows.
* Add skip logic for migration test if the version is under 1.16.
* Add main in semver check.

Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>
Signed-off-by: dominik <dzdomi@gmail.com>
…mware-tanzu#8954)

Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>
Signed-off-by: dominik <dzdomi@gmail.com>
…can expire

Signed-off-by: dominik <dzdomi@gmail.com>
Signed-off-by: Dominik De Zordo <dzdomi@gmail.com>
Signed-off-by: dominik <dzdomi@gmail.com>
@DZDomi DZDomi force-pushed the fix/aws-credentials-chain branch from 295152f to 96a3938 on May 22, 2025 21:11

Successfully merging this pull request may close these issues.

Upgrading to any version beyond 1.12 we are getting error of expired token for backing up data using datamover after 1 hr with IRSA