Skip to content
This repository was archived by the owner on Mar 23, 2026. It is now read-only.

Apply IAM patches when loading STS to avoid wrong access key formats#11931

Merged
dfangl merged 3 commits intomasterfrom
sts/iam-patches
Nov 26, 2024
Merged

Apply IAM patches when loading STS to avoid wrong access key formats#11931
dfangl merged 3 commits intomasterfrom
sts/iam-patches

Conversation

@dfangl
Copy link
Copy Markdown
Member

@dfangl dfangl commented Nov 26, 2024

Motivation

Currently, if we are using STS (especially the assume-role and assume-role-with-web-identity operations) without ever having loaded IAM (e.g. by referencing a non-existent role in a service like AWS Lambda), we do not have the patches applied patching the access key id format.

This leads to access key ids starting with an A and not a L, which leads to the credentials being ignored, unless PARITY_AWS_ACCESS_KEY_ID=1 is set.

IAM and STS are coupled tightly in moto, which is why the patching of IAM affects STS access key ids.

Changes

  • Prevent IAM patches from loading multiple times
  • Apply IAM patches when STS is loaded

@dfangl dfangl requested a review from pinzon as a code owner November 26, 2024 13:46
@dfangl dfangl added this to the 4.0.3 milestone Nov 26, 2024
@dfangl dfangl added the semver: patch Non-breaking changes which can be included in patch releases label Nov 26, 2024
@dfangl dfangl self-assigned this Nov 26, 2024
@dfangl dfangl requested a review from bentsku November 26, 2024 13:46
@github-actions
Copy link
Copy Markdown

github-actions bot commented Nov 26, 2024
edited
Loading

LocalStack Community integration with Pro

  2 files  ±    0    2 suites  ±0   49m 44s ⏱️ - 1h 1m 17s
977 tests  - 2 750  828 ✅  - 2 553  149 💤  - 197  0 ❌ ±0 
979 runs   - 2 750  828 ✅  - 2 553  151 💤  - 197  0 ❌ ±0 

Results for commit fbcb484. ± Comparison against base commit 5f19fbc.

This pull request removes 2756 and adds 6 tests. Note that renamed tests count towards both. 
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_lambda_dynamodb
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_opensearch_crud
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_search_books
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_setup
tests.aws.scenario.kinesis_firehose.test_kinesis_firehose.TestKinesisFirehoseScenario ‑ test_kinesis_firehose_s3
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_destination_sns
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_infra
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_prefill_dynamodb_table
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input0-SUCCEEDED]
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input1-SUCCEEDED]
…

tests.aws.services.lambda_.test_lambda_common.TestLambdaCallingLocalstack ‑ test_manual_endpoint_injection[nodejs22.x]
tests.aws.services.lambda_.test_lambda_common.TestLambdaRuntimesCommon ‑ test_echo_invoke[nodejs22.x]
tests.aws.services.lambda_.test_lambda_common.TestLambdaRuntimesCommon ‑ test_introspection_invoke[nodejs22.x]
tests.aws.services.lambda_.test_lambda_common.TestLambdaRuntimesCommon ‑ test_runtime_wrapper_invoke[nodejs22.x]
tests.aws.services.lambda_.test_lambda_common.TestLambdaRuntimesCommon ‑ test_uncaught_exception_invoke[nodejs22.x]
tests.aws.services.lambda_.test_lambda_runtimes.TestNodeJSRuntimes ‑ test_invoke_nodejs_es6_lambda[nodejs22.x]

♻️ This comment has been updated with latest results.

bentsku
bentsku approved these changes Nov 26, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@bentsku bentsku left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks a lot for addressing this! 🙏 neat and safe fix! :shipit:
For additional context, this issue was raised by using ESM and DynamoDB with non default credentials, ESM calling sts.AssumeRole and getting ASIA... credentials, leading to ESM trying to get DynamoDB records in the default account. It was hard to reproduce in our tests, as we always load IAM first 😄

@dfangl dfangl merged commit e5aa33d into master Nov 26, 2024
@dfangl dfangl deleted the sts/iam-patches branch November 26, 2024 18:01
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@pinzon pinzon Awaiting requested review from pinzon

1 more reviewer

@bentsku bentsku bentsku approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@dfangl dfangl

Labels

semver: patch Non-breaking changes which can be included in patch releases

Projects

None yet

Milestone

4.0.3

Development

Successfully merging this pull request may close these issues.

2 participants

@dfangl @bentsku