Skip to content

fix(#8173): Do not return static aws credentials if they can expire #9011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DZDomi wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(#8173): Do not return static aws credentials if they can expire #9011

DZDomi wants to merge 2 commits into from

Conversation

@DZDomi
Copy link

@DZDomi DZDomi commented Jun 9, 2025
edited
Loading

Please add a summary of your change

In a previous commit (30728c2) for the function that provides AWS credentials, a crucial if was removed that was responsible for making sure callers of the function GetS3Credentials would not receive expired credentials.

Specifically the removal of the following code caused the problem:

if os.Getenv(awsRoleEnvVar) != "" {
	return nil, nil
}

By not returning nil, nil in any of the code in the specific function and forcing to return some credentials, even if they can expire (for example for IAM roles that are assumed via STS) all functions that would call this function would end up with invalid tokens after some period. This affects specifically long running backup/data mover jobs to cloud storage like S3. This PR addresses this issue, buy checking if the credentials received are able to expire and if yes, will return nil,nil and let the calling functions get their credentials via the default AWS credential provider chain.

Does your change fix a particular issue?

Fixes #8173
Fixes #8454

Please indicate you've done the following:

@github-actions github-actions bot requested a review from reasonerjt June 9, 2025 18:04
@github-actions github-actions bot requested a review from sseago June 9, 2025 18:04
@DZDomi DZDomi mentioned this pull request Jun 9, 2025
Closed
3 tasks
@DZDomi DZDomi force-pushed the fix/aws-credential-chain branch from c5b6dd5 to 46d7a4b Compare June 9, 2025 18:08
@blackpiglet blackpiglet force-pushed the fix/aws-credential-chain branch from 542ccc0 to f7a68a7 Compare June 16, 2025 03:07
reasonerjt
reasonerjt reviewed Jul 11, 2025
View reviewed changes
pkg/repository/config/aws.go
// For expiring credentials, we want to fall back to use
// the default aws provider chain, which is responsible
// for refreshing the token automatically
if creds.CanExpire {
Copy link
Contributor

@reasonerjt reasonerjt Jul 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By checking the caller of this func:

velero/pkg/repository/provider/unified_repo.go

Line 487 in 479c21c

credValue, err := getS3Credentials(config)

I don't quite understand in unified_repo.go how it is possible to enable refreshing the token automatically by returning nil.

Could you please elaborate?

Copy link
Collaborator

@kaovilai kaovilai Jul 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR addresses this issue, buy checking if the credentials received are able to expire and if yes, will return nil,nil and let the calling functions get their credentials via the default AWS credential provider chain.

emphasis mine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reasonerjt reasonerjt reasonerjt left review comments

@kaovilai kaovilai kaovilai left review comments

@sseago sseago Awaiting requested review from sseago

At least 2 approving reviews are required to merge this pull request.

Assignees

@DZDomi DZDomi

Labels

has-changelog

Projects

None yet

Milestone

No milestone

3 participants

@DZDomi @reasonerjt @kaovilai