Update task IAM role model

aws · Nov 21, 2023 · 06e8b60 · 06e8b60
1 parent 5f35c93
commit 06e8b60
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 16 deletions.
diff --git a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/credentials/manager.go b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/credentials/manager.go
diff --git a/.../vendor/github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/v1/credentials_handler.go b/.../vendor/github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/v1/credentials_handler.go
diff --git a/ecs-agent/acs/session/session_test.go b/ecs-agent/acs/session/session_test.go
@@ -95,7 +95,8 @@ const (
           "expiration": "2016-03-25T06:17:19.318+0000",
           "roleArn": "r1",
           "secretAccessKey": "secretAccessKey",
-          "sessionToken": "token"
+          "sessionToken": "token",
+		  "credentialScope": "scope"
         },
         "version": "3",
         "volumes": [],
@@ -125,7 +126,8 @@ const (
       "expiration": "later",
       "roleArn": "r1",
       "secretAccessKey": "newskid",
-      "sessionToken": "newstkn"
+      "sessionToken": "newstkn",
+	  "credentialScope": "cdsp"
     }
   }
 }
@@ -976,6 +978,7 @@ func TestStartSessionHandlesRefreshCredentialsMessages(t *testing.T) {
 						SessionToken:    "newstkn",
 						Expiration:      "later",
 						CredentialsID:   credentialsIdInRefreshMessage,
+						CredentialScope: "cdsp",
 						RoleType:        rolecredentials.ApplicationRoleType,
 					},
 				}

diff --git a/ecs-agent/credentials/manager.go b/ecs-agent/credentials/manager.go
@@ -58,7 +58,8 @@ type IAMRoleCredentials struct {
 	// Expiration is a string instead of a timestamp. This is to avoid any loss of context
 	// while marshalling/unmarshalling this field in the agent. The agent just echo's
 	// whatever is sent by the backend.
-	Expiration string `json:"Expiration"`
+	Expiration      string `json:"Expiration"`
+	CredentialScope string `json:"CredentialScope"`
 	// RoleType distinguishes between TaskRole and ExecutionRole for the
 	// credentials that are sent from the backend
 	RoleType string `json:"-"`
@@ -100,6 +101,7 @@ func IAMRoleCredentialsFromACS(roleCredentials *ecsacs.IAMRoleCredentials, roleT
 		AccessKeyID:     aws.StringValue(roleCredentials.AccessKeyId),
 		SecretAccessKey: aws.StringValue(roleCredentials.SecretAccessKey),
 		Expiration:      aws.StringValue(roleCredentials.Expiration),
+		CredentialScope: aws.StringValue(roleCredentials.CredentialScope),
 		RoleType:        roleType,
 	}
 }

diff --git a/ecs-agent/credentials/manager_test.go b/ecs-agent/credentials/manager_test.go
@@ -35,6 +35,7 @@ func TestIAMRoleCredentialsFromACS(t *testing.T) {
 		RoleArn:         aws.String("roleArn"),
 		SecretAccessKey: aws.String("OhhSecret"),
 		SessionToken:    aws.String("sessionToken"),
+		CredentialScope: aws.String("credentialScope"),
 	}
 
 	roleType := "roleType"
@@ -47,6 +48,7 @@ func TestIAMRoleCredentialsFromACS(t *testing.T) {
 		RoleArn:         "roleArn",
 		SecretAccessKey: "OhhSecret",
 		SessionToken:    "sessionToken",
+		CredentialScope: "credentialScope",
 		RoleType:        "roleType",
 	}
 	assert.Equal(t, credentials, expectedCredentials, "Mismatch between expected and constructed credentials")
@@ -99,6 +101,7 @@ func TestSetAndGetTaskCredentialsHappyPath(t *testing.T) {
 			SessionToken:    "stkn",
 			Expiration:      "ts",
 			CredentialsID:   "cid1",
+			CredentialScope: "cdsp",
 		},
 	}
 
@@ -118,6 +121,7 @@ func TestSetAndGetTaskCredentialsHappyPath(t *testing.T) {
 			SessionToken:    "stkn2",
 			Expiration:      "ts2",
 			CredentialsID:   "cid1",
+			CredentialScope: "cdsp",
 		},
 	}
 	err = manager.SetTaskCredentials(&updatedCredentials)
@@ -138,6 +142,7 @@ func TestGenerateCredentialsEndpointRelativeURI(t *testing.T) {
 		SessionToken:    "stkn",
 		Expiration:      "ts",
 		CredentialsID:   "cid1",
+		CredentialScope: "cdsp",
 	}
 	generatedURI := credentials.GenerateCredentialsEndpointRelativeURI()
 	expectedURI := fmt.Sprintf(credentialsEndpointRelativeURIFormat, CredentialsPath, "cid1")
@@ -157,6 +162,7 @@ func TestRemoveExistingCredentials(t *testing.T) {
 			SessionToken:    "stkn",
 			Expiration:      "ts",
 			CredentialsID:   "cid1",
+			CredentialScope: "cdsp",
 		},
 	}
 	err := manager.SetTaskCredentials(&credentials)

diff --git a/ecs-agent/tmds/handlers/credentials_handler_test.go b/ecs-agent/tmds/handlers/credentials_handler_test.go
@@ -268,6 +268,7 @@ func testCredentialsHandlerSuccess(t *testing.T, makePath MakePath, makeHandler
 		SecretAccessKey: "secret_access_key",
 		SessionToken:    "session_token",
 		Expiration:      "expiration",
+		CredentialScope: "credential_scope",
 		RoleType:        credentials.ApplicationRoleType,
 	}
 
@@ -278,6 +279,7 @@ func testCredentialsHandlerSuccess(t *testing.T, makePath MakePath, makeHandler
 		SecretAccessKey: "secret_access_key",
 		SessionToken:    "session_token",
 		Expiration:      "expiration",
+		CredentialScope: "credential_scope",
 	}
 
 	auditLogger.EXPECT().Log(

diff --git a/ecs-agent/tmds/handlers/v1/credentials_handler.go b/ecs-agent/tmds/handlers/v1/credentials_handler.go
@@ -125,14 +125,14 @@ func processCredentialsRequest(
 		return nil, "", "", msg, errors.New(errText)
 	}
 
-	seelog.Infof("Processing credential request, credentialType=%s taskARN=%s",
-		credentials.IAMRoleCredentials.RoleType, credentials.ARN)
+	seelog.Infof("Processing credential request, credentialType=%s taskARN=%s credentialScope=%s",
+		credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope)
 
 	if utils.ZeroOrNil(credentials.ARN) && utils.ZeroOrNil(credentials.IAMRoleCredentials) {
 		// This can happen when the agent is restarted and is reconciling its state.
 		errText := errPrefix + "Credentials uninitialized for ID"
-		seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s: %s",
-			credentials.IAMRoleCredentials.RoleType, credentials.ARN, errText)
+		seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s credentialScope=%s: %s",
+			credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope, errText)
 		msg := &handlersutils.ErrorMessage{
 			Code:          ErrCredentialsUninitialized,
 			Message:       errText,
@@ -144,8 +144,8 @@ func processCredentialsRequest(
 	credentialsJSON, err := json.Marshal(credentials.IAMRoleCredentials)
 	if err != nil {
 		errText := errPrefix + "Error marshaling credentials"
-		seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s: %s",
-			credentials.IAMRoleCredentials.RoleType, credentials.ARN, errText)
+		seelog.Errorf("Error processing credential request credentialType=%s taskARN=%s credentialScope=%s: %s",
+			credentials.IAMRoleCredentials.RoleType, credentials.ARN, credentials.IAMRoleCredentials.CredentialScope, errText)
 		msg := &handlersutils.ErrorMessage{
 			Code:          ErrInternalServer,
 			Message:       "Internal server error",