Merge pull request #876 from gargipanatula/hardcode-sts-endpoints

Migrate STS hostname verification to AWS SDK Go V2

Author: k8s-ci-robot

cmd/aws-iam-authenticator/root.go

@@ -20,17 +20,18 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"slices"
 	"strings"
 
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/mapper"
 
-	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/component-base/featuregate"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/endpoints"
 )
 
 var cfgFile string
@@ -157,13 +158,7 @@ func getConfig() (config.Config, error) {
 		return cfg, errors.New("cluster ID cannot be empty")
 	}
 
-	partitionKeys := []string{}
-	partitionMap := map[string]endpoints.Partition{}
-	for _, p := range endpoints.DefaultPartitions() {
-		partitionMap[p.ID()] = p
-		partitionKeys = append(partitionKeys, p.ID())
-	}
-	if _, ok := partitionMap[cfg.PartitionID]; !ok {
+	if !slices.Contains(endpoints.PARTITIONS, cfg.PartitionID) {
 		return cfg, errors.New("Invalid partition")
 	}
 

cmd/aws-iam-authenticator/server.go

@@ -29,11 +29,11 @@ import (
 	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/server"
 
-	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/endpoints"
 )
 
 const (
@@ -67,14 +67,9 @@ var serverCmd = &cobra.Command{
 }
 
 func init() {
-	partitionKeys := []string{}
-	for _, p := range endpoints.DefaultPartitions() {
-		partitionKeys = append(partitionKeys, p.ID())
-	}
-
 	serverCmd.Flags().String("partition",
 		endpoints.AwsPartitionID,
-		fmt.Sprintf("The AWS partition. Must be one of: %v", partitionKeys))
+		fmt.Sprintf("The AWS partition. Must be one of: %v", endpoints.PARTITIONS))
 	viper.BindPFlag("server.partition", serverCmd.Flags().Lookup("partition"))
 
 	serverCmd.Flags().String("generate-kubeconfig",

cmd/aws-iam-authenticator/verify.go

@@ -19,15 +19,16 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"os"
 
+	"sigs.k8s.io/aws-iam-authenticator/pkg/endpoints"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 
-	"github.com/aws/aws-sdk-go/aws/ec2metadata"
-	"github.com/aws/aws-sdk-go/aws/endpoints"
-	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -54,12 +55,7 @@ var verifyCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
-		sess := session.Must(session.NewSession())
-		ec2metadata := ec2metadata.New(sess)
-		instanceRegion, err := ec2metadata.Region()
-		if err != nil {
-			fmt.Printf("[Warn] Region not found in instance metadata, err: %v", err)
-		}
+		instanceRegion := getInstanceRegion(context.Background())
 
 		id, err := token.NewVerifier(clusterID, partition, instanceRegion).Verify(tok)
 		if err != nil {
@@ -86,14 +82,27 @@ func init() {
 	viper.BindPFlag("token", verifyCmd.Flags().Lookup("token"))
 	viper.BindPFlag("output", verifyCmd.Flags().Lookup("output"))
 
-	partitionKeys := []string{}
-	for _, p := range endpoints.DefaultPartitions() {
-		partitionKeys = append(partitionKeys, p.ID())
-	}
-
 	verifyCmd.Flags().String("partition",
 		endpoints.AwsPartitionID,
-		fmt.Sprintf("The AWS partition. Must be one of: %v", partitionKeys))
+		fmt.Sprintf("The AWS partition. Must be one of: %v", endpoints.PARTITIONS))
 	viper.BindPFlag("partition", verifyCmd.Flags().Lookup("partition"))
 
 }
+
+// Uses EC2 metadata to get the region. Returns "" if no region found.
+func getInstanceRegion(ctx context.Context) string {
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "[Warn] Unable to create config for metadata client, err: %v", err)
+		panic(err)
+	}
+
+	imdsClient := imds.NewFromConfig(cfg)
+	getRegionOutput, err := imdsClient.GetRegion(ctx, &imds.GetRegionInput{})
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "[Warn] Region not found in instance metadata, err: %v\n", err)
+		return ""
+	}
+
+	return getRegionOutput.Region
+}

go.mod

@@ -3,12 +3,11 @@ module sigs.k8s.io/aws-iam-authenticator
 go 1.24.4
 
 require (
-	github.com/aws/aws-sdk-go v1.55.7
 	github.com/aws/aws-sdk-go-v2 v1.36.6
 	github.com/aws/aws-sdk-go-v2/config v1.29.18
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.71
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.1
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.235.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.34.1
 	github.com/aws/smithy-go v1.22.4
 	github.com/fsnotify/fsnotify v1.9.0
@@ -55,7 +54,6 @@ require (
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect

go.sum

@@ -1,5 +1,3 @@
-github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
-github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/aws/aws-sdk-go-v2 v1.36.6 h1:zJqGjVbRdTPojeCGWn5IR5pbJwSQSBh5RWFTQcEQGdU=
 github.com/aws/aws-sdk-go-v2 v1.36.6/go.mod h1:EYrzvCCN9CMUTa5+6lf6MM4tq3Zjp8UhSGR/cBsjai0=
 github.com/aws/aws-sdk-go-v2/config v1.29.18 h1:x4T1GRPnqKV8HMJOMtNktbpQMl3bIsfx8KbqmveUO2I=
@@ -14,8 +12,8 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 h1:v+X21AvTb2wZ+ycg1g
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37/go.mod h1:G0uM1kyssELxmJ2VZEfG0q2npObR3BAkF3c1VsfVnfs=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.1 h1:1KYEVBXApGIQnXChtqKTZSN6jerkfiFhOApi8TcGs2w=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.1/go.mod h1:K7qdQFo+lbGM48aPEyoPfy/VN/xNOA4o8GGczfSXNcQ=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.235.0 h1:TE8LEu5sTuH2fR9Buv8BNXafOSm+CDrQA3DmYSaWX00=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.235.0/go.mod h1:K7qdQFo+lbGM48aPEyoPfy/VN/xNOA4o8GGczfSXNcQ=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 h1:vvbXsA2TVO80/KT7ZqCbx934dt6PY+vQ8hZpUZ/cpYg=
@@ -84,10 +82,6 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -230,7 +224,6 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/arn/arn.go

@@ -2,10 +2,11 @@ package arn
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 
 	awsarn "github.com/aws/aws-sdk-go-v2/aws/arn"
-	"github.com/aws/aws-sdk-go/aws/endpoints"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/endpoints"
 )
 
 type PrincipalType int
@@ -101,10 +102,8 @@ func StripPath(arn string) (string, error) {
 }
 
 func checkPartition(partition string) error {
-	for _, p := range endpoints.DefaultPartitions() {
-		if partition == p.ID() {
-			return nil
-		}
+	if !slices.Contains(endpoints.PARTITIONS, partition) {
+		return fmt.Errorf("partition %s is not recognized", partition)
 	}
-	return fmt.Errorf("partition %s is not recognized", partition)
+	return nil
 }

pkg/endpoints/partitions.go

@@ -0,0 +1,76 @@
+package endpoints
+
+import (
+	"fmt"
+)
+
+// Represents the partitions recognized by the github.com/aws/aws-sdk-go/aws/endpoints
+// package. Obtaining these partitions has been deprecated in the AWS SDK Go V2, so this serves as a
+// hardcoded alternative. Source: https://github.com/aws/aws-sdk-go/blob/main/aws/endpoints/defaults.go
+const (
+	AwsPartitionID      = "aws"        // AWS Standard partition.
+	AwsCnPartitionID    = "aws-cn"     // AWS China partition.
+	AwsUsGovPartitionID = "aws-us-gov" // AWS GovCloud (US) partition.
+	AwsIsoPartitionID   = "aws-iso"    // AWS ISO (US) partition.
+	AwsIsoBPartitionID  = "aws-iso-b"  // AWS ISOB (US) partition.
+	AwsIsoEPartitionID  = "aws-iso-e"  // AWS ISOE (Europe) partition.
+	AwsIsoFPartitionID  = "aws-iso-f"  // AWS ISOF partition.
+)
+
+var (
+	PARTITIONS = []string{
+		AwsPartitionID,
+		AwsCnPartitionID,
+		AwsUsGovPartitionID,
+		AwsIsoPartitionID,
+		AwsIsoBPartitionID,
+		AwsIsoEPartitionID,
+		AwsIsoFPartitionID,
+	}
+)
+
+// Returns the STS domain for the given partition. Returns an error
+// if the partition is not recognized.
+func GetSTSPartitionDomain(partition string) (string, error) {
+	var domain string
+
+	switch partition {
+	case AwsPartitionID:
+		domain = "amazonaws.com"
+	case AwsCnPartitionID:
+		domain = "amazonaws.com.cn"
+	case AwsUsGovPartitionID:
+		domain = "amazonaws.com"
+	case AwsIsoPartitionID:
+		domain = "c2s.ic.gov"
+	case AwsIsoBPartitionID:
+		domain = "sc2s.sgov.gov"
+	case AwsIsoEPartitionID:
+		domain = "cloud.adc-e.uk"
+	case AwsIsoFPartitionID:
+		domain = "csp.hci.ic.gov"
+	default:
+		return "", fmt.Errorf("Partition %s not valid", partition)
+	}
+
+	return domain, nil
+}
+
+// Gets the dual stack domain for the given partition. Returns an empty string
+// if the partition does not support dual stack
+func GetSTSDualStackPartitionDomain(partition string) string {
+	var domain string
+
+	switch partition {
+	case AwsPartitionID:
+		domain = "api.aws"
+	case AwsUsGovPartitionID:
+		domain = "api.aws"
+	case AwsCnPartitionID:
+		domain = "api.amazonwebservices.com.cn"
+	default:
+		return ""
+	}
+
+	return domain
+}