fix: add token env

Kong · Feb 26, 2024 · a797908 · a797908
1 parent ead0dae
commit a797908
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 7 deletions.
diff --git a/spec/03-credentials/04-RemoteCredentials_spec.lua b/spec/03-credentials/04-RemoteCredentials_spec.lua
@@ -123,3 +123,34 @@ describe("RemoteCredentials with full URI and token file", function ()
     assert.equal(http_records[#http_records].headers["Authorization"], "testtokenabc123")
   end)
 end)
+
+describe("RemoteCredentials with full URI and token and token file, file takes higher precedence", function ()
+  it("fetches credentials", function ()
+    local RemoteCredentials
+
+    restore()
+    restore.setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:12345/test/path")
+    restore.setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "testtoken")
+    restore.setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token")
+
+    local _ = require("resty.aws.config").global -- load config before mocking http client
+    package.loaded["resty.luasocket.http"] = http
+    package.loaded["pl.utils"] = pl_utils
+
+    RemoteCredentials = require "resty.aws.credentials.RemoteCredentials"
+    finally(function()
+      restore()
+    end)
+
+    local cred = RemoteCredentials:new()
+    local success, key, secret, token = cred:get()
+    assert.equal(true, success)
+    assert.equal("access", key)
+    assert.equal("secret", secret)
+    assert.equal("token", token)
+
+    assert.not_nil(http_records[#http_records].headers)
+    assert.equal(http_records[#http_records].headers["Authorization"], "testtokenabc123")
+  end)
+end)
+
diff --git a/src/resty/aws/config.lua b/src/resty/aws/config.lua
@@ -147,14 +147,8 @@ local env_vars = {
   -- if both are set, the value in AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE will be used
   --
   -- This is also used by EKS Pod Identity authorization
+  AWS_CONTAINER_AUTHORIZATION_TOKEN = { name = "AWS_CONTAINER_AUTHORIZATION_TOKEN", default = nil },
   AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE = { name = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", default = nil },
-  -- TODO: ---
-  -- A possible issue is that due to Nginx worker process's envvars isolation
-  -- the AWS_CONTAINER_AUTHORIZATION_TOKEN may not get refreshed.
-  -- According to the AWS documentation, the AWS_CONTAINER_AUTHORIZATION_TOKEN is only
-  -- used in IoT product Greengrass, which is not a common use case.
-  -- AWS_CONTAINER_AUTHORIZATION_TOKEN = { name = "AWS_CONTAINER_AUTHORIZATION_TOKEN", default = nil },
-  -- ---------
 
   -- HTTP/HTTPs proxy settings
   HTTP_PROXY = { name = "http_proxy", default = nil },

diff --git a/src/resty/aws/credentials/RemoteCredentials.lua b/src/resty/aws/credentials/RemoteCredentials.lua
@@ -17,6 +17,7 @@ local readfile = require("pl.utils").readfile
 
 
 local FullUri
+local AuthToken
 local AuthTokenFile
 
 
@@ -78,6 +79,11 @@ local function initialize()
                     ({ http = 80, https = 443 })[FullUri.scheme]
   end
 
+  -- get auth token
+  if aws_config.global.AWS_CONTAINER_AUTHORIZATION_TOKEN then
+    AuthToken = aws_config.global.AWS_CONTAINER_AUTHORIZATION_TOKEN
+  end
+
   -- get auth token file path
   if aws_config.global.AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE then
     AuthTokenFile = aws_config.global.AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
@@ -116,6 +122,11 @@ function RemoteCredentials:refresh()
 
 
   local headers = {}
+
+  if AuthToken then
+    headers["Authorization"] = AuthToken
+  end
+
   if AuthTokenFile then
     local token, err = readfile(AuthTokenFile)
     if not token then