From 8cec055234860ac73e554d4841a64a896d4d2e62 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Wed, 19 Jun 2024 14:51:01 +0200
Subject: [PATCH 1/3] set global region when calling sts
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 pkg/issuer/acme/dns/route53/route53.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/pkg/issuer/acme/dns/route53/route53.go b/pkg/issuer/acme/dns/route53/route53.go
index 36e375af4..ea978affa 100644
--- a/pkg/issuer/acme/dns/route53/route53.go
+++ b/pkg/issuer/acme/dns/route53/route53.go
@@ -82,7 +82,6 @@ func (d *sessionProvider) GetSession(ctx context.Context) (aws.Config, error) {
 switch {
 case d.Role != "" && d.WebIdentityToken != "":
 d.log.V(logf.DebugLevel).Info("using assume role with web identity")
- optFns = append(optFns, config.WithRegion(d.Region))
 case useAmbientCredentials:
 d.log.V(logf.DebugLevel).Info("using ambient credentials")
 // Leaving credentials unset results in a default credential chain being
@@ -98,9 +97,14 @@ func (d *sessionProvider) GetSession(ctx context.Context) (aws.Config, error) {
 return aws.Config{}, fmt.Errorf("unable to create aws config: %s", err)
 }
 
+ // Explicitly set the region to aws-global so that AssumeRole can be used
+ // with the global sts endpoint.
+ stsCfg := cfg.Copy()
+ stsCfg.Region = "aws-global"
+
 if d.Role != "" && d.WebIdentityToken == "" {
 d.log.V(logf.DebugLevel).WithValues("role", d.Role).Info("assuming role")
- stsSvc := d.StsProvider(cfg)
+ stsSvc := d.StsProvider(stsCfg)
 result, err := stsSvc.AssumeRole(ctx, &sts.AssumeRoleInput{
 RoleArn: aws.String(d.Role),
 RoleSessionName: aws.String("cert-manager"),
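Review bot: The new `stsCfg.Region = "aws-global"` line forces every STS call onto the commercial global endpoint regardless of the partition the user's region belongs to, and the same copy is passed to AssumeRoleWithWebIdentity in the next hunk. In the SDK v2 endpoint rules the aws-global pseudo-region resolves to sts.amazonaws.com, so a deployment in GovCloud or China whose `d.Region` belongs to that partition would, as far as I can tell, now sign against the wrong partition and fail where a regional endpoint worked before; please confirm how the v1 library behaved for those partitions. AWS also recommends regional STS endpoints over the global one, so if compatibility is the only driver, consider keeping the user's region when it is set and falling back to aws-global only when `d.Region == ""`, or at least documenting the restriction next to the assignment, e.g. `// NOTE: aws-global resolves to the commercial-partition STS endpoint; non-commercial partitions need a regional endpoint here.` GetSession starts and ends outside this hunk.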
@@ -119,7 +123,7 @@ func (d *sessionProvider) GetSession(ctx context.Context) (aws.Config, error) {
 if d.Role != "" && d.WebIdentityToken != "" {
 d.log.V(logf.DebugLevel).WithValues("role", d.Role).Info("assuming role with web identity")
- stsSvc := d.StsProvider(cfg)
+ stsSvc := d.StsProvider(stsCfg)
 result, err := stsSvc.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityInput{
 RoleArn: aws.String(d.Role),
 RoleSessionName: aws.String("cert-manager"),
From 537e71ee639a41887e93b0fd151bf063c4730536 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:00:37 +0200
Subject: [PATCH 2/3] verify that the "aws-global" is used for sts in test
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 pkg/issuer/acme/dns/route53/route53_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/issuer/acme/dns/route53/route53_test.go b/pkg/issuer/acme/dns/route53/route53_test.go
index cf60efbc7..d03bb988e 100644
--- a/pkg/issuer/acme/dns/route53/route53_test.go
+++ b/pkg/issuer/acme/dns/route53/route53_test.go
@@ -253,7 +253,8 @@ func TestAssumeRole(t *testing.T) {
 for _, c := range cases {
 t.Run(c.name, func(t *testing.T) {
- provider := makeMockSessionProvider(func(aws.Config) StsClient {
+ provider := makeMockSessionProvider(func(cfg aws.Config) StsClient {
+ assert.Equal(t, "aws-global", cfg.Region) // verify that the global sts endpoint is used
 return c.mockSTS
 }, c.key, c.secret, c.region, c.role, c.webIdentityToken, c.ambient)
 cfg, err := provider.GetSession(context.TODO())
From cad5470a562b8d2f831e2c4a8f10527bf45b2c3a Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Wed, 19 Jun 2024 17:15:07 +0200
Subject: [PATCH 3/3] improve aws GetSession comments that explain when and why regions have to be set
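Review bot: The closure parameter introduced as `cfg` on the changed `makeMockSessionProvider(func(cfg aws.Config) StsClient {` line carries the same name as the `cfg, err := provider.GetSession(context.TODO())` result declared two lines later; the scopes do not collide, but naming it `stsCfg` would make clear which of the two configs the assertion inspects. The added `assert.Equal(t, "aws-global", cfg.Region)` only executes when the factory is invoked, i.e. for cases that configure a role, so cases without one pass this check vacuously. If the remainder of TestAssumeRole, which continues outside this hunk, does not already do so, asserting the returned config's region against `c.region` after GetSession would pin the Route 53 side of the split as well.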
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 pkg/issuer/acme/dns/route53/route53.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/pkg/issuer/acme/dns/route53/route53.go b/pkg/issuer/acme/dns/route53/route53.go
index ea978affa..0cdec3fb5 100644
--- a/pkg/issuer/acme/dns/route53/route53.go
+++ b/pkg/issuer/acme/dns/route53/route53.go
@@ -97,8 +97,10 @@ func (d *sessionProvider) GetSession(ctx context.Context) (aws.Config, error) {
 return aws.Config{}, fmt.Errorf("unable to create aws config: %s", err)
 }
 
- // Explicitly set the region to aws-global so that AssumeRole can be used
- // with the global sts endpoint.
+ // For backwards compatibility with cert-manager <= 1.14, where we used the aws-sdk-go v1
+ // library, we configure the SDK here to use the global sts endpoint. This was the default
+ // behaviour of the SDK v1 library, but has to be explicitly set in the v2 library. For the
+ // route53 calls, we use the region provided by the user (see below).
 stsCfg := cfg.Copy()
 stsCfg.Region = "aws-global"
 
@@ -142,7 +144,8 @@ func (d *sessionProvider) GetSession(ctx context.Context) (aws.Config, error) {
 // If ambient credentials aren't permitted, always set the region, even if to
 // empty string, to avoid it falling back on the environment.
- // this has to be set after session is constructed
+ // This has to be set after session is constructed, as a different region (aws-global)
+ // is used for the STS service.
 if d.Region != "" || !useAmbientCredentials {
 cfg.Region = d.Region
 }
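Review bot: The last sentence of the rewritten comment, `// route53 calls, we use the region provided by the user (see below).`, overstates what the code it points to does: the later `cfg.Region = d.Region` is guarded by `if d.Region != "" || !useAmbientCredentials`, so with ambient credentials allowed and no region configured the region the SDK resolved itself is kept rather than a user-provided one. Suggested wording: `// route53 calls, we use the region provided by the user, or the region the SDK resolved when ambient credentials are allowed and no region is set (see below).` GetSession starts and ends outside this hunk.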