fix: account_id resolution in ecs (#3058)

Co-authored-by: Sean O'Brien <60306702+stobrien89@users.noreply.github.com>
aws · Jan 14, 2025 · 78032d5 · 78032d5
1 parent dc9ac0a
commit 78032d5
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/src/Credentials/EcsCredentialProvider.php b/src/Credentials/EcsCredentialProvider.php
@@ -1,6 +1,7 @@
 <?php
 namespace Aws\Credentials;
 
+use Aws\Arn\Arn;
 use Aws\Exception\CredentialsException;
 use GuzzleHttp\Exception\ConnectException;
 use GuzzleHttp\Exception\GuzzleException;
@@ -86,6 +87,15 @@ public function __invoke()
                         ]
                     )->then(function (ResponseInterface $response) {
                         $result = $this->decodeResult((string)$response->getBody());
+                        if (!isset($result['AccountId']) && isset($result['RoleArn'])) {
+                            try {
+                                $parsedArn = new Arn($result['RoleArn']);
+                                $result['AccountId'] = $parsedArn->getAccountId();
+                            } catch (\Exception $e) {
+                                // AccountId will be null
+                            }
+                        }
+
                         return new Credentials(
                             $result['AccessKeyId'],
                             $result['SecretAccessKey'],

diff --git a/tests/Credentials/EcsCredentialProviderTest.php b/tests/Credentials/EcsCredentialProviderTest.php
@@ -353,6 +353,39 @@ public function testResolveCredentialsWithAccountId()
 
     }
 
+    public function testResolveCredentialsWithAccountIdFromArn()
+    {
+        $testAccountId = 'foo';
+        $testArn = "arn:aws:iam::$testAccountId:role/role_name";
+        $expiration = time() + 1000;
+        $testHandler = function (RequestInterface $_) use ($expiration, $testArn) {
+            $jsonResponse = <<<EOF
+{
+    "AccessKeyId": "foo",
+    "SecretAccessKey": "foo",
+    "Token": "bazz",
+    "Expiration": "@$expiration",
+    "RoleArn": "$testArn"
+}
+EOF;
+            return Promise\Create::promiseFor(new Response(200, [], $jsonResponse));
+        };
+        $provider = new EcsCredentialProvider([
+            'client' => $testHandler
+        ]);
+        try {
+            /** @var Credentials $credentials */
+            $credentials = $provider()->wait();
+            $this->assertSame('foo', $credentials->getAccessKeyId());
+            $this->assertSame('foo', $credentials->getSecretKey());
+            $this->assertSame('bazz', $credentials->getSecurityToken());
+            $this->assertSame($expiration, $credentials->getExpiration());
+            $this->assertSame($testAccountId, $credentials->getAccountId());
+        } catch (GuzzleException $e) {
+            self::fail($e->getMessage());
+        }
+    }
+
     /**
      * @dataProvider successTestCases
      *