Support Endpoint Override for CredentialsProviders #263
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #263 +/- ##
==========================================
+ Coverage 80.50% 80.61% +0.11%
==========================================
Files 33 33
Lines 6099 6140 +41
==========================================
+ Hits 4910 4950 +40
- Misses 1189 1190 +1 ☔ View full report in Codecov by Sentry. |
| /* check environment variable first */ | ||
| struct aws_string *region = aws_credentials_provider_resolve_region_from_env(allocator); | ||
| if (region != NULL && region->len > 0) { | ||
| return region; | ||
| } | ||
|
|
||
| if (profile) { |
There was a problem hiding this comment.
a few lines up, we can leak the region string if it's ""
There was a problem hiding this comment.
the aws_credentials_provider_resolve_region_from_env() function has the same bug
There was a problem hiding this comment.
should we just have an alternate get-env-var function that won't return empty strings?
There was a problem hiding this comment.
oh man, if we're adding new get-env functions, we can fix the terrible API of the current one (bad because it did out-values to handle reporting OOM which we don't do anymore, and bad because it didn't just take char * which forces some users to allocate/cleanup a needless aws_string)
struct aws_string *aws_getenv_nonempty(struct aws_allocator *, const char *); // NULL if missing or ""
struct aws_string *aws_getenv_raw(struct aws_allocator *, const char *); // may be ""
| */ | ||
| AWS_AUTH_API | ||
| int aws_credentials_provider_construct_regional_endpoint( | ||
| int aws_credentials_provider_construct_endpoint( |
There was a problem hiding this comment.
I'm not proposing an options-struct because this is private
But if someone moves this out of private/ and is like "WHY SHOULD I CHANGE IT YOU ALREADY APPROVED THE EXISTING CODE"
then I can point at this comment here and say "NUH UH"
| s_sts_service_env_name, | ||
| s_sts_service_name, | ||
| profile_collection, | ||
| profile)) { | ||
| goto cleanup; |
There was a problem hiding this comment.
if something goes wrong here, we end up setting out_region but not out_endpoint?
is that failure? or is that something we expect to happen?
There was a problem hiding this comment.
Logically, it won't happen since if we resolve the region, we can construct the endpoint. But even if it does happen in the future, we have a fallback: We will check that out_endpoint is not set and then use the global STS endpoint.
source/credentials_provider_sts.c
Outdated
| *out_region = s_resolve_region(allocator, profile); | ||
|
|
||
| if (aws_credentials_provider_construct_endpoint( | ||
| allocator, | ||
| out_endpoint, | ||
| *out_region, |
There was a problem hiding this comment.
code clarity: *out_region could be NULL at this point....
and I see that aws_credentials_provider_construct_endpoint() only requires region sometimes
if region isn't always required, add a comment here to that effect
but if it is always required, maybe early-out if s_resolve_region() returns NULL
| on_finish: | ||
| aws_byte_buf_clean_up(&service_endpoint_buf); | ||
| aws_string_destroy(service_endpoint_str); | ||
| return out_endpoint; |
There was a problem hiding this comment.
there are a lot of paths where NULL is returned, but no aws_raise_error() happened. Is that OK for this helper function?
There was a problem hiding this comment.
Yes, NULL means that there was no endpoint_override configured.
Issue #, if available:
#257
awslabs/aws-crt-swift#311
Description of changes:
Support endpoint override for credentials providers.
The order of resolution for configured endpoint is as follows:
AWS_ENDPOINT_URL_<SERVICE>.<SERVICE>here is the uppercased version of corresponding service identifier in this official list.AWS_ENDPOINT_URL.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.