Fix credential provider chain for aws_request_signing filter#45644
Open
freedomljc wants to merge 2 commits into
Signed-off-by: Junchao Lyu <ljc0711@gmail.com>
It's to fix #45643: AWS AssumeRole provider hangs indefinitely when using WebIdentity source credentials in EKS.

Here's the root cause:

To fetch the base credentials needed to sign the STS AssumeRole request, `createAssumeRoleCredentialsProvider` instantiates an inner `CommonCredentialsProviderChain`. However, `setupSubscriptions()` is never called on this newly created inner chain.

Because subscriptions are never set up, the inner chain fails to register its `CredentialSubscriberCallbacks` with any underlying asynchronous metadata providers (like `WebIdentityCredentialsProvider` or `InstanceProfileCredentialsProvider`). When the background metadata fetch eventually succeeds (e.g., STS successfully exchanges the EKS pod's OIDC token for web identity credentials), the base provider fires `onCredentialUpdate()`. But because there are no registered subscribers, the inner chain is never notified.

Consequently, the pending callbacks attached by the `SigV4SignerImpl` (via `addCallbackIfChainCredentialsPending`) are never executed, and the outbound AWS request is left paused indefinitely waiting for credentials to resolve.

Commit Message:
Additional Description:
Risk Level: low
Testing: Validated the fix: after applying the change, the aws_request_signing filter is able to fetch AWS credentials.
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]
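The subscriber flow described in the root-cause analysis, as an added model that is not Envoy's code: method names echo the description (`setupSubscriptions`, `onCredentialUpdate`, `addCallbackIfChainCredentialsPending`), but every class, signature and sample value here is an assumption built for illustration. `runRequest(false)` reproduces the hang (the parked signing continuation is never drained); `runRequest(true)` shows what happens once the inner chain is subscribed before the background fetch completes.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <memory>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Constructed model of the chain/subscriber/callback flow from the PR text.
// Names mirror the description; signatures are assumptions, not Envoy's.

struct Credentials {
  std::string access_key_id;
  std::string secret_access_key;
  std::string session_token;
};

// Anything that wants to hear that an asynchronous fetch has completed.
class CredentialSubscriber {
public:
  virtual ~CredentialSubscriber() = default;
  virtual void onCredentialUpdate() = 0;
};

// Stands in for an async metadata provider (WebIdentity, InstanceProfile):
// credentials arrive later, from a background fetch.
class AsyncMetadataProvider {
public:
  void subscribe(CredentialSubscriber* s) { subscribers_.push_back(s); }
  bool credentialsPending() const { return !creds_.has_value(); }

  // Background fetch succeeded (e.g. STS exchanged the pod's OIDC token).
  // Only subscribers that registered beforehand are told about it.
  void completeFetch(Credentials c) {
    creds_ = std::move(c);
    for (CredentialSubscriber* s : subscribers_) {
      s->onCredentialUpdate();
    }
  }

private:
  std::vector<CredentialSubscriber*> subscribers_;
  std::optional<Credentials> creds_;
};

// Stands in for the inner CommonCredentialsProviderChain. It becomes a
// subscriber of its providers only when setupSubscriptions() is called.
class CredentialsProviderChain : public CredentialSubscriber {
public:
  explicit CredentialsProviderChain(std::shared_ptr<AsyncMetadataProvider> p)
      : provider_(std::move(p)) {}

  void setupSubscriptions() { provider_->subscribe(this); }
  bool chainCredentialsPending() const { return provider_->credentialsPending(); }

  // The signer parks its continuation here while credentials are pending.
  // Returns true if parked, false if the caller may sign immediately.
  bool addCallbackIfChainCredentialsPending(std::function<void()> cb) {
    if (!chainCredentialsPending()) {
      return false;
    }
    pending_callbacks_.push_back(std::move(cb));
    return true;
  }

  std::size_t pendingCallbackCount() const { return pending_callbacks_.size(); }

  // Drains parked continuations. Never runs if nobody delivers the update.
  void onCredentialUpdate() override {
    std::vector<std::function<void()>> cbs;
    cbs.swap(pending_callbacks_);
    for (auto& cb : cbs) {
      cb();
    }
  }

private:
  std::shared_ptr<AsyncMetadataProvider> provider_;
  std::vector<std::function<void()>> pending_callbacks_;
};

struct Outcome {
  bool request_signed;      // did the parked signing continuation run?
  std::size_t still_pending; // continuations still parked after the fetch
};

// One request through the model. With call_setup_subscriptions == false the
// continuation stays parked forever: the hang the PR describes.
Outcome runRequest(bool call_setup_subscriptions) {
  auto provider = std::make_shared<AsyncMetadataProvider>();
  CredentialsProviderChain chain(provider); // destroyed before provider; never notified after that
  if (call_setup_subscriptions) {
    chain.setupSubscriptions(); // the call the PR adds
  }
  bool request_signed = false;
  // SigV4SignerImpl-style flow: credentials are pending, so park the continuation.
  chain.addCallbackIfChainCredentialsPending([&] { request_signed = true; });
  // Constructed, non-secret sample values standing in for the STS response.
  provider->completeFetch(Credentials{"AKIAEXAMPLE", "example-secret", "example-token"});
  return Outcome{request_signed, chain.pendingCallbackCount()};
}

int main() {
  for (bool subscribed : {false, true}) {
    Outcome o = runRequest(subscribed);
    std::cout << "setupSubscriptions=" << subscribed << " signed=" << o.request_signed
              << " still_pending=" << o.still_pending << "\n";
  }
  return 0;
}
```

The model deliberately keeps the provider's subscriber list as the only path by which the update reaches the chain; there is no polling fallback, which is why a missing `setupSubscriptions()` turns into an unbounded wait rather than a delayed sign.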