From 26d5992bd228bd20f2475cd5a7fd6e06d8d139df Mon Sep 17 00:00:00 2001
From: Tiago Silva
Date: Sun, 28 Apr 2024 19:16:00 +0100
Subject: [PATCH] Integration: Allow empty regions

When using AWS Integration to access global services, the region is not required. PR #40188 introduced a validation of the region which caused troubles when using the integration with empty regions like when accessing the STS endpoint to discover the AWS AccountID.

Signed-off-by: Tiago Silva
---
 lib/integrations/awsoidc/clients.go | 6 ++++--
 lib/integrations/awsoidc/clients_test.go | 10 ++++++++++
 lib/integrations/awsoidc/clientsv1.go | 7 ++++---
 lib/integrations/awsoidc/clientsv1_test.go | 9 +++++++++
 4 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/lib/integrations/awsoidc/clients.go b/lib/integrations/awsoidc/clients.go
index 9704b6f87aa92..18174eb0bddbc 100644
--- a/lib/integrations/awsoidc/clients.go
+++ b/lib/integrations/awsoidc/clients.go
@@ -64,8 +64,10 @@ func (req *AWSClientRequest) CheckAndSetDefaults() error {
 return trace.BadParameter("role arn is required")
 }
 
- if err := awsutils.IsValidRegion(req.Region); err != nil {
- return trace.Wrap(err)
+ if req.Region != "" {
+ if err := awsutils.IsValidRegion(req.Region); err != nil {
+ return trace.Wrap(err)
+ }
 }
 
 return nil
diff --git a/lib/integrations/awsoidc/clients_test.go b/lib/integrations/awsoidc/clients_test.go
index 26ad5a56221d6..f1c4c75e428d8 100644
--- a/lib/integrations/awsoidc/clients_test.go
+++ b/lib/integrations/awsoidc/clients_test.go
@@ -45,4 +45,14 @@ func TestCheckAndSetDefaults(t *testing.T) {
 }).CheckAndSetDefaults()
 require.NoError(t, err)
 })
+
+ t.Run("empty region", func(t *testing.T) {
+ err := (&AWSClientRequest{
+ IntegrationName: "my-integration",
+ Token: "token",
+ RoleARN: "some-arn",
+ Region: "",
+ }).CheckAndSetDefaults()
+ require.NoError(t, err)
+ })
 }
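Review bot: The new `if req.Region != ""` guard in `CheckAndSetDefaults` (clients.go) lifts the region check for every user of `AWSClientRequest`, not only for the global-service paths the description mentions; `NewSessionV1` in clientsv1.go gets the same guard. A caller that goes on to build a regional client now passes validation with an empty region and will presumably fail later, or pick up whatever region the SDK resolves on its own, so it is worth confirming that each call site that needs a region still checks for one. At minimum I would record the contract at the guard: `// Region is optional (global services such as STS need none); a non-empty value must still pass IsValidRegion.` The function starts above the hunk, so the earlier field checks are not visible here.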
diff --git a/lib/integrations/awsoidc/clientsv1.go b/lib/integrations/awsoidc/clientsv1.go
index 41615bcf1d13c..e062eb709bb62 100644
--- a/lib/integrations/awsoidc/clientsv1.go
+++ b/lib/integrations/awsoidc/clientsv1.go
@@ -50,10 +50,11 @@ type IntegrationTokenGenerator interface {
 // NewSessionV1 creates a new AWS Session for the region using the integration as source of credentials.
 // This session is usable for AWS SDK Go V1.
 func NewSessionV1(ctx context.Context, client IntegrationTokenGenerator, region string, integrationName string) (*session.Session, error) {
- if err := utilsaws.IsValidRegion(region); err != nil {
- return nil, trace.Wrap(err)
+ if region != "" {
+ if err := utilsaws.IsValidRegion(region); err != nil {
+ return nil, trace.Wrap(err)
+ }
 }
-
 integration, err := client.GetIntegration(ctx, integrationName)
 if err != nil {
 return nil, trace.Wrap(err)
diff --git a/lib/integrations/awsoidc/clientsv1_test.go b/lib/integrations/awsoidc/clientsv1_test.go
index b84acba1b11cc..397d3db054258 100644
--- a/lib/integrations/awsoidc/clientsv1_test.go
+++ b/lib/integrations/awsoidc/clientsv1_test.go
@@ -91,6 +91,15 @@ func TestNewSessionV1(t *testing.T) {
 require.Equal(t, aws.String("us-dummy-1"), s.Config.Region)
 },
 },
+ {
+ name: "valid with empty region",
+ region: "",
+ integration: "myawsintegration",
+ expectedErr: require.NoError,
+ sessionValidator: func(t *testing.T, s *session.Session) {
+ require.Equal(t, aws.String(""), s.Config.Region)
+ },
+ },
 {
 name: "not found error when integration is missing",
 region: "us-dummy-1",
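Review bot: The doc comment on `NewSessionV1` in clientsv1.go still says the session is created "for the region", although `region` may now be empty; it should state that, for example `// region may be empty for global services; a non-empty region must be a valid AWS region.` The hunk also drops the blank line that separated the validation from the `client.GetIntegration` call, which I would keep so the input check stays visually distinct. The new table case in clientsv1_test.go pins `s.Config.Region` to an empty string, but the visible lines do not show whether a malformed non-empty region is still asserted to be rejected, so please confirm such a case exists alongside it. The function body continues past the end of the hunk.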