Skip to content

Interceptor for STS AssumeRole and GetSessionToken #17440

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 82 commits into from
Sep 24, 2025
Merged

Interceptor for STS AssumeRole and GetSessionToken #17440

merged 82 commits into from
Sep 24, 2025

Conversation

dkocher
Copy link
Contributor

@dkocher dkocher commented Sep 8, 2025
edited
Loading

@dkocher dkocher added this to the 9.3 milestone Sep 8, 2025
@dkocher dkocher requested a review from a team as a code owner September 8, 2025 16:57
@dkocher dkocher added the s3 AWS S3 Protocol Implementation label Sep 8, 2025
@dkocher dkocher mentioned this pull request Sep 8, 2025
Open
1 task
@dkocher dkocher requested review from Copilot and ylangisc September 8, 2025 16:57
Copilot
Copilot AI reviewed Sep 8, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for an STS AssumeRole interceptor to handle AWS role assumption with static credentials, addressing issue #17437. It introduces a new interceptor for standard STS AssumeRole operations while refactoring the existing web identity-based interceptor.

  • Creates a new STSAssumeRoleRequestInterceptor for standard role assumption with static AWS credentials
  • Renames existing class to STSAssumeRoleWithWebIdentityRequestInterceptor for clarity
  • Adds MFA support and improves configuration handling in the STS authorization service

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
STSAssumeRoleWithWebIdentityRequestInterceptor.java Renamed class and constructor from STSAssumeRoleCredentialsRequestInterceptor for clarity
STSAssumeRoleRequestInterceptor.java New interceptor for standard STS AssumeRole operations using static credentials
STSAssumeRoleAuthorizationService.java Enhanced with new authorize method for static credentials and improved configuration handling
S3Session.java Updated credential strategy configuration to use renamed interceptor and support new role assumption flow
default.properties Added documentation comments for STS configuration properties
HostPreferences.java Added overloaded getProperty method supporting multiple fallback keys
Profile.java Added constants for STS-related property keys

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

dkocher and others added 3 commits September 8, 2025 18:59
@dkocher @Copilot
The get() method calls refresh(tokens) but should call refresh(creden…
e3ad15a 
…tials) to use the stored static credentials instead of the current (potentially expired) tokens.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@dkocher @Copilot
Iterate all keys
419bb77 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@dkocher
Fix setting ARN for MFA and token code in request.
c3cf1ee
@dkocher dkocher requested a review from Copilot September 8, 2025 17:04
Copilot
Copilot AI reviewed Sep 8, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

ylangisc
ylangisc previously approved these changes Sep 21, 2025
View reviewed changes
ylangisc
ylangisc reviewed Sep 21, 2025
View reviewed changes
Copy link
Contributor

@ylangisc ylangisc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test failures.

@ylangisc ylangisc dismissed their stale review September 21, 2025 06:07

Test failures.

@dkocher dkocher requested a review from ylangisc September 23, 2025 09:47
@dkocher dkocher self-assigned this Sep 24, 2025
@dkocher dkocher merged commit f2207c4 into master Sep 24, 2025
4 of 5 checks passed
@dkocher dkocher deleted the feature/GH-17437 branch September 24, 2025 09:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@ylangisc ylangisc ylangisc approved these changes

Assignees

@dkocher dkocher

Labels
s3 AWS S3 Protocol Implementation
Projects
None yet
Milestone
9.3
Development

Successfully merging this pull request may close these issues.

Connect with temporary credentials obtained from STS GetSessionToken Connect with temporary credentials obtained from STS AssumeRole
2 participants
@dkocher @ylangisc