feat: support eks endpoints and auth token file in container creds #1093
Conversation
|
A new generated diff is ready to view.
|
|
A new generated diff is ready to view.
|
| // TODO - resolve hostnames | ||
| is Host.Domain -> throw ProviderConfigurationException( | ||
| "The container credentials full URI ($uri) is specified via hostname which is not currently supported.", | ||
| ) |
There was a problem hiding this comment.
Question: Leaving aside the question of full hostname resolution, is it not safe to accept "localhost" here?
There was a problem hiding this comment.
localhost can be remapped. Obviously at that point you already have bigger issues if your attacker has root access to be able to do such things.
We have a ticket for this #476
| @@ -81,7 +78,7 @@ public class EcsCredentialsProvider( | |||
| } | |||
|
|
|||
| val op = SdkHttpOperation.build<Unit, Credentials> { | |||
| serializer = EcsCredentialsSerializer(authToken) | |||
| serializer = EcsCredentialsSerializer(loadAuthToken()) | |||
There was a problem hiding this comment.
style: I would have left this suspend call as an assignment to authToken as it was
| // TODO - resolve hostnames | ||
| is Host.Domain -> throw ProviderConfigurationException( | ||
| "The container credentials full URI ($uri) is specified via hostname which is not currently supported.", | ||
| ) |
There was a problem hiding this comment.
localhost can be remapped. Obviously at that point you already have bigger issues if your attacker has root access to be able to do such things.
We have a ticket for this #476
|
Kudos, SonarCloud Quality Gate passed!
|
|
A new generated diff is ready to view.
|
Description of changes
AWS_CONTAINER_CREDENTIALS_FULL_URIAWS_CONTAINER_AUTHORIZATION_TOKEN_FILEwhich is queried on every credentials retrieval for its auth token.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.