Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add function H5FD__s3comms_load_aws_creds_from_env() #5167

Draft
wants to merge 10 commits into
base: develop
Choose a base branch
from

Conversation

lrknox
Copy link
Collaborator

@lrknox lrknox commented Dec 4, 2024

to get AWS credentials from environment variables. These will override any corresponding variables loaded from files.

Tested so far with s3comms and ros3 tests, where credentials from environment variables override invalid credentials loaded from the .aws/credentials file, don't fail with identical credentials loaded from the .aws/credentials file, and provide necessary credentials when none are loaded from the credentials/config files.

AWS_SESSION_TOKEN will be added next.

lrknox and others added 4 commits December 4, 2024 10:06
credentials from environment variables.  These will override any
corresponding variables loaded from files.
@lrknox lrknox changed the title Add function H5FD__s3comms_load_aws_creds_from_file() Add function H5FD__s3comms_load_aws_creds_from_env() Dec 4, 2024
@derobins derobins added Component - C Library Core C library issues (usually in the src directory) Priority - 1. High 🔼 These are important issues that should be resolved in the next release Type - New Feature Add a new API call, functionality, or tool labels Dec 5, 2024
@lrknox
Copy link
Collaborator Author

lrknox commented Dec 18, 2024

s3comms and ros3 tests pass now with valid temporary AWS credentials (region, key_id, secret and session_token) from credentials/config files or from AWS* environment variables. Values from AWS* environment variables will override values from credentials/config files.

@@ -967,6 +967,16 @@ H5FD__ros3_cmp(const H5FD_t *_f1, const H5FD_t *_f2)
else if (f2->fa.secret_key[0] != '\0')
HGOTO_DONE(-1);

/* FAPL: SESSION_TOKEN */
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should add 'session token' to the comment for this function describing everything used for the comparison

@@ -1775,21 +1777,21 @@ H5FD__s3comms_load_aws_creds_from_file(FILE *file, const char *profile_name, cha
/* look for start of profile */
do {
/* clear buffer */
memset(buffer, 0, 128);
memset(buffer, 0, 4096);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to replace repeated uses of 4096 with a single buffer_size variable

if (key_id_env != NULL && key_id_env[0] != '\0') {
if (strlen(key_id) == 0 || strncmp(key_id, key_id_env, strlen(key_id)) != 0)
strncpy(key_id, key_id_env, strlen(key_id_env));
key_id[strlen(key_id_env)] = '\0';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to add a null-terminator to the existing key_id when it's not overwritten by the environment variable?

session_token_env = getenv("AWS_SESSION_TOKEN");
if (session_token_env != NULL && session_token_env[0] != '\0') {
if (strlen(session_token) == 0 ||
strncmp(session_token, session_token_env, strlen(session_token_env)) != 0) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this check for whether to replace the provided session token could produce incorrect behavior if the environment variable is a prefix of the session token from config/credentials files. (e.g. env var = key1, and session token = key11). Both conditions here would be false, and the value would not be overwritten from the environment.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would also apply to the key and region. I think it's necessary to either take the longer length or just use strcmp() if the buffers are known to be null-terminated.

/* Check for credentials in environment variables. Environment variables will override
* credentials from credentials/config files and just load them if there were none in
* the files. */
ret_value = H5FD__s3comms_load_aws_creds_from_env(key_id_out, secret_access_key_out, session_token_out,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's fine not use HGOTO_ERROR here right now since it's at the end of the routine anyway, but it would be good to explicitly check ret_value in case that changes later.

@lrknox lrknox marked this pull request as draft January 24, 2025 17:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 1. High 🔼 These are important issues that should be resolved in the next release Type - New Feature Add a new API call, functionality, or tool
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants