Add support for AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE #42
Pull Request Overview
This PR adds fallback support for reading AWS container authorization tokens from a file when the token is not available in the environment variable. This addresses EKS scenarios where tokens are stored in files rather than environment variables.
- Adds a new setting ContainerAuthorizationTokenFile to read token file paths from environment variables
- Implements fallback logic to read tokens from files when environment variable tokens are unavailable
- Maintains backward compatibility by trying environment variable tokens first
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Setting.scala | Adds new ContainerAuthorizationTokenFile setting to parse file paths from environment variables |
| CredentialsProvider.scala | Implements fallback token reading from files with error handling and fallback logic |
| case Some(path) => | ||
| for { | ||
| s <- readFile(path) | ||
| } yield Some(Header.Raw(ci"Authorization", s)) |
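Review bot: In the case Some(path) branch, nothing checks that s is non-empty before it becomes the Authorization value, so an empty token file yields a header with an empty value rather than None. Map an empty or whitespace-only read to None so it takes the same no-header path as an unset variable. The single-generator for could also be written as readFile(path).map(...).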
The token read from file is used directly without trimming whitespace. File-based tokens often contain trailing newlines or whitespace that should be stripped to avoid authentication failures.
| } yield Some(Header.Raw(ci"Authorization", s)) | |
| } yield Some(Header.Raw(ci"Authorization", s.trim)) |
| } yield Some(Header.Raw(ci"Authorization", s)) | ||
| case None => none[Header.Raw].pure[F] | ||
| } | ||
| .recover { case _ => none[Header.Raw] } |
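Review bot: The .recover { case _ => none[Header.Raw] } line carries no comment saying the swallow is deliberate. If a failed read of the token file is meant to fall through to a request without the Authorization header, the same as a missing env var token, a one-line comment stating that would document the behaviour for callers and keep it from being flagged as an accidental catch-all.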
The catch-all exception handler case _ masks all potential errors from file reading operations. This could hide important issues like permission errors or I/O failures. Consider being more specific about which exceptions to handle or at least logging the error.
| .recover { case _ => none[Header.Raw] } | |
| .recoverWith { case t => Sync[F].delay { println(s"Error reading container authorization token file: $t"); None } } |
We don't want this library to just print random stuff to stdout. Exactly as if failing to read the token directly from the env var, we just silently try to get credentials without an auth header if this doesn't work.
AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
In EKS there is no token in env var AWS_CONTAINER_AUTHORIZATION_TOKEN; instead, there's a file containing the token in AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE. This will fall back to getting the token from the path referenced in the env var.
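Added example, not code from this PR or the library: the lookup order described above (env var first, then the file named by AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE), using only the Scala standard library. TokenResolution and its methods are hypothetical names; trimming the env value and rejecting embedded line breaks are assumptions of this example, not behaviour shown in the PR.

```scala
import java.nio.charset.StandardCharsets
import java.nio.file.{Files, Paths}
import scala.util.Try

// Added illustration; TokenResolution and its members are hypothetical names.
object TokenResolution {
  val TokenVar     = "AWS_CONTAINER_AUTHORIZATION_TOKEN"
  val TokenFileVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"

  // A usable header value is non-empty after trimming and has no embedded
  // line breaks. The line-break check is a precaution assumed by this example.
  def sanitize(raw: String): Option[String] = {
    val t = raw.trim
    if (t.isEmpty || t.exists(c => c == '\r' || c == '\n')) None else Some(t)
  }

  // Any read failure (invalid path, missing file, permissions) becomes None,
  // matching the silent fallback the PR author describes.
  def readTokenFile(path: String): Option[String] =
    Try(new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8)).toOption
      .flatMap(sanitize)

  // Order used in this PR: the environment variable first, then the file.
  // orElse is lazy, so the file is only read when the env token is absent.
  def resolve(env: Map[String, String]): Option[String] =
    env.get(TokenVar).flatMap(sanitize)
      .orElse(env.get(TokenFileVar).flatMap(readTokenFile))

  def main(args: Array[String]): Unit = {
    val f = Files.createTempFile("token", ".txt")
    // Constructed sample token with the trailing newline a file usually has.
    Files.write(f, "constructed-token\n".getBytes(StandardCharsets.UTF_8))
    val fileOnly = Map(TokenFileVar -> f.toString)
    println(resolve(fileOnly))                                  // file token, newline stripped
    println(resolve(fileOnly + (TokenVar -> "from-env")))       // env var takes priority
    println(resolve(Map(TokenFileVar -> "/nonexistent/token"))) // unreadable file
    println(resolve(Map.empty[String, String]))                 // nothing configured
    Files.delete(f)
  }
}
```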