STS does not respect ca cert setting

[phoebusm]

Describe the bug

aws-sdk-cpp/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp

Line 110 in e9d0d24

m_client = Aws::MakeUnique<Aws::Internal::STSCredentialsClient>(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, config);

The SDK Client Configuration allows user to set caPath and caFIle but STS authentication doesn't use/respect the setting

Expected Behavior

All authentication respects caPath and caFile setting.

Current Behavior

The SDK Client Configuration allows user to set caPath and caFIle but STS authentication doesn't use/respect the setting

Reproduction Steps

In the below code, caFile is pointed to wrong ca file. Yet STS auth should still be able to return a valid token yet the connection to the storage should fail.

Aws::Client::ClientConfiguration config;
config.caFile = "WRONG_CA_FILE";
Aws::S3::S3Client s3_client(config, Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never, false);
Aws::S3::Model::ListObjectsV2Request objects_request;
objects_request.WithBucket("abc");
auto list_objects_outcome = s3_client.ListObjectsV2(objects_request);

Possible Solution

No response

Additional Information/Context

No response

AWS CPP SDK version used

1.11.201

Compiler and Version used

gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Operating System and version

Ubuntu 22.04

[jmklix]

Thanks for pointing this out to us. This is a problem with how the sts client was written, and will require a significant refactor of the sts client. This has been added to our backlog, but this is not something that will get completed this quarter. I don't have a timeline for when fixed, but I will update here when it does. Sorry for the delay

[ryansburgoyne]

It appears I am not able to use IRSA in my EKS cluster for my C++ application because it requires a call to STS to fetch credentials using a web identity token. Is there any workaround?

[jmklix]

@ryansburgoyne could you open a discussion and provide more details about what exactly you are trying to do?

[jmklix]

related issue: #1963

[teo-tsirpanis]

Blocked by adding support for passing ClientConfiguration to DefaultCredentialsProviderChain, which I will do after #3113 and #3116 get merged. After that, you can create a credentials provider with the client config yourself, and pass it to the client.

The real root cause of the issue would be fixed if curl's autodetection of the CA bundle happened also at runtime instead of only compile-time. Anyone interested can suggest it, if this has not already happened.