diff --git a/foundation/auth/src/token_source/external_account_source/aws_subject_token_source.rs b/foundation/auth/src/token_source/external_account_source/aws_subject_token_source.rs index b7f1fc57..6f40b317 100644 --- a/foundation/auth/src/token_source/external_account_source/aws_subject_token_source.rs +++ b/foundation/auth/src/token_source/external_account_source/aws_subject_token_source.rs @@ -25,6 +25,7 @@ const AWS_REGION: &str = "AWS_REGION"; const AWS_SECRET_ACCESS_KEY: &str = "AWS_SECRET_ACCESS_KEY"; const AWS_SESSION_TOKEN: &str = "AWS_SESSION_TOKEN"; const AWS_IMDS_V2_SESSION_TOKEN_HEADER: &str = "X-aws-ec2-metadata-token"; +const AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: &str = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"; pub struct AWSSubjectTokenSource { subject_token_url: Url, @@ -54,7 +55,12 @@ impl AWSSubjectTokenSource { None }; - let credentials = get_security_credentials(&aws_session_token, &value.url).await?; + let credentials = + if let Some(credentials_relative_uri) = std::env::var(AWS_CONTAINER_CREDENTIALS_RELATIVE_URI).ok() { + get_security_credentials_on_ecs(&credentials_relative_uri).await? + } else { + get_security_credentials(&aws_session_token, &value.url).await? + }; let region = get_region(&aws_session_token, &value.region_url).await?; let url = value @@ -284,6 +290,17 @@ async fn get_security_credentials( Ok(cred) } +async fn get_security_credentials_on_ecs(credentials_relative_uri: &str) -> Result { + let client = default_http_client(); + let builder = client.get(format!("http://169.254.170.2{credentials_relative_uri}")); + let response = builder.send().await?; + if !response.status().is_success() { + return Err(Error::UnexpectedStatusOnGetCredentials(response.status().as_u16())); + } + + response.json().await.map_err(Error::from) +} + async fn get_region(temporary_session_token: &Option, url: &Option) -> Result { if can_retrieve_region_from_environment() { if let Ok(region) = var(AWS_REGION) {