AmazonSecurityTokenServiceClient default constructor searches for credentials

[puddlewitt]

While attempting to use the methodAssumeRoleWithWebIdentityAsync which states ..does not require the use of Amazon Web Services security credentials.. it seems the default constructor for AmazonSecurityTokenServiceClient in fact searches for credentials in a variety of places.

The following will throw Amazon.Runtime.AmazonServiceException : Unable to get IAM security credentials from EC2 Instance Metadata Service.

using var stsClient = new AmazonSecurityTokenServiceClient();

var response = await stsClient.AssumeRoleWithWebIdentityAsync(...)

It seems you must pass an "empty" set of credentials. This can, of course, be achieved in a number of ways. For example...

using var stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());

var response = await stsClient.AssumeRoleWithWebIdentityAsync(...)

This is perhaps a design issue, but maybe just some updated documentation might save developers some time.

Links

https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/SecurityToken/MSecurityTokenServicector.html

https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/SecurityToken/MSecurityTokenServiceAssumeRoleAssumeRoleRequest.html

[ashishdhingra]

Hi @aws/aws-public-suffix-list-shepherds
Good morning. Thanks for opening the issue.

At first glance this appeared to be similar to existing issue #2456 where it was required to pass AnonymousAWSCredentials. In that case, it was determined that SDK should have automatically fallback to anonymous credentials behind the scenes due to "authtype":"none" trait in service model.

However, AssumeRoleWithWebIdentity is generated from the service model at

aws-sdk-net/generator/ServiceModels/sts/sts-2011-06-15.api.json

Line 54 in ddb9b60

"AssumeRoleWithWebIdentity":{

. This doesn't define the "authtype":"none" trait. Per Requesting temporary security credentials in [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html)—federation through a web-based identity provider section, this is an unsigned call, meaning that the app does not need to have access to any AWS security credentials to make the call (also as pointed by you). For making unsigned calls, we use AnonymousAWSCredentials, since when using these credentials, the client does not sign the request. It appears that the example on AmazonSecurityTokenServiceClient.AssumeRoleWithWebIdentity (AssumeRoleWithWebIdentityRequest) should be modified to reflect use of AnonymousAWSCredentials. I will review this with the team.

Thanks,
Ashish

[ashishdhingra]

Based on discussion with team, this is a design issue since most of the other operations on this client require to resolve credentials. We need to update the example in the document to reflect use of AnonymousAWSCredentials.

[ashishdhingra]

Looks like the example at AmazonSecurityTokenServiceClient.AssumeRoleWithWebIdentity (AssumeRoleWithWebIdentityRequest) is autogenerated here. The GeneratedSamples.cs file is auto-generated here. Hence, unless "authtype":"none" trait is added in service model and assuming that generator handles this trait, we cannot simply modify the example to use new AnonymousAWSCredentials() while initializing service client.