feat: container credential provider support auth token

README.md

@@ -185,6 +185,9 @@ Release process:
 - security: remove the documentation entry that contains a sample access key from AWS SDK. This
   avoids false postive vulnerability report.
   [102](https://github.com/Kong/lua-resty-aws/pull/102)
+- feat: container credential provider now supports using auth token defined in
+  AWS_CONTAINER_AUTHORIZATION_TOKEN and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE.
+  [107](https://github.com/Kong/lua-resty-aws/pull/107)
 
 ### 1.3.6 (25-Dec-2023)
 

spec/03-credentials/04-RemoteCredentials_spec.lua

@@ -1,9 +1,10 @@
 local json = require("cjson.safe").new()
 local restore = require "spec.helpers"
 
 
 -- Mock for HTTP client
 local response = {} -- override in tests
+local http_records = {} -- record requests for assertions
 local http = {
   new = function()
     return {
@@ -12,8 +13,10 @@
       set_timeouts = function() return true end,
       request = function(self, opts)
         if opts.path == "/test/path" then
+          table.insert(http_records, opts)
           return { -- the response for the credentials
               status = (response or {}).status or 200,
+              headers = opts and opts.headers or {},
               read_body = function() return json.encode {
                   AccessKeyId = (response or {}).AccessKeyId or "access",
                   SecretAccessKey = (response or {}).SecretAccessKey or "secret",
@@ -30,6 +33,12 @@
   end,
 }
 
+local pl_utils = {
+  readfile = function()
+    return "testtokenabc123"
+  end
+}
+
 
 describe("RemoteCredentials", function()
 
@@ -85,3 +94,63 @@
     assert.equal("token", token)
   end)
 end)
+
+describe("RemoteCredentials with full URI and token file", function ()
+  it("fetches credentials", function ()
+    local RemoteCredentials
+
+    restore()
+    restore.setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:12345/test/path")
+    restore.setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token")
+
+    local _ = require("resty.aws.config").global -- load config before mocking http client
+    package.loaded["resty.luasocket.http"] = http
+    package.loaded["pl.utils"] = pl_utils
+
+    RemoteCredentials = require "resty.aws.credentials.RemoteCredentials"
+    finally(function()
+      restore()
+    end)
+
+    local cred = RemoteCredentials:new()
+    local success, key, secret, token = cred:get()
+    assert.equal(true, success)
+    assert.equal("access", key)
+    assert.equal("secret", secret)
+    assert.equal("token", token)
+
+    assert.not_nil(http_records[#http_records].headers)
+    assert.equal(http_records[#http_records].headers["Authorization"], "testtokenabc123")
+  end)
+end)
+
+describe("RemoteCredentials with full URI and token and token file, file takes higher precedence", function ()
+  it("fetches credentials", function ()
+    local RemoteCredentials
+
+    restore()
+    restore.setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:12345/test/path")
+    restore.setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "testtoken")
+    restore.setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token")
+
+    local _ = require("resty.aws.config").global -- load config before mocking http client
+    package.loaded["resty.luasocket.http"] = http
+    package.loaded["pl.utils"] = pl_utils
+
+    RemoteCredentials = require "resty.aws.credentials.RemoteCredentials"
+    finally(function()
+      restore()
+    end)
+
+    local cred = RemoteCredentials:new()
+    local success, key, secret, token = cred:get()
+    assert.equal(true, success)
+    assert.equal("access", key)
+    assert.equal("secret", secret)
+    assert.equal("token", token)
+
+    assert.not_nil(http_records[#http_records].headers)
+    assert.equal(http_records[#http_records].headers["Authorization"], "testtokenabc123")
+  end)
+end)
+

src/resty/aws/config.lua

@@ -1,3 +1,3 @@
 --- Load AWS configuration.
 --
 -- This is based of [Configuration and credential file settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)
@@ -57,6 +57,8 @@
 -- * `AMAZON_SESSION_TOKEN`
 -- * `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`
 -- * `AWS_CONTAINER_CREDENTIALS_FULL_URI`
+-- * `AWS_CONTAINER_AUTHORIZATION_TOKEN`
+-- * `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE`
 
 
 local pl_path = require "pl.path"
@@ -140,6 +142,13 @@
   -- Variables used in RemoteCredentials (and in the CredentialProviderChain)
   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI = { name = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", default = nil },
   AWS_CONTAINER_CREDENTIALS_FULL_URI = { name = "AWS_CONTAINER_CREDENTIALS_FULL_URI", default = nil },
+  -- Token related Variables used in RemoteCredentials
+  -- Note that AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE has higher priority than AWS_CONTAINER_AUTHORIZATION_TOKEN
+  -- if both are set, the value in AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE will be used
+  --
+  -- This is also used by EKS Pod Identity authorization
+  AWS_CONTAINER_AUTHORIZATION_TOKEN = { name = "AWS_CONTAINER_AUTHORIZATION_TOKEN", default = nil },
+  AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE = { name = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", default = nil },
 
   -- HTTP/HTTPs proxy settings
   HTTP_PROXY = { name = "http_proxy", default = nil },

src/resty/aws/credentials/RemoteCredentials.lua

@@ -1,3 +1,3 @@
 --- RemoteCredentials class.
 -- @classmod RemoteCredentials
 
@@ -13,9 +13,12 @@
 local url = require "socket.url"
 local http = require "resty.luasocket.http"
 local json = require "cjson"
+local readfile = require("pl.utils").readfile
 
 
 local FullUri
+local AuthToken
+local AuthTokenFile
 
 
 local function initialize()
@@ -31,7 +34,7 @@
 
   local FULL_URI_UNRESTRICTED_PROTOCOLS = makeset { "https" }
   local FULL_URI_ALLOWED_PROTOCOLS = makeset { "http", "https" }
-  local FULL_URI_ALLOWED_HOSTNAMES = makeset { "localhost", "127.0.0.1" }
+  local FULL_URI_ALLOWED_HOSTNAMES = makeset { "localhost", "127.0.0.1", "169.254.170.23" }
   local RELATIVE_URI_HOST = '169.254.170.2'
 
   local function getFullUri()
@@ -76,6 +79,10 @@
                     ({ http = 80, https = 443 })[FullUri.scheme]
   end
 
+  -- get auth token/file
+  AuthToken = aws_config.global.AWS_CONTAINER_AUTHORIZATION_TOKEN
+  AuthTokenFile = aws_config.global.AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
+
   initialize = nil
 end
 
@@ -107,6 +114,22 @@
     return nil, "No URI environment variables found for RemoteCredentials"
   end
 
+
+  local headers = {}
+
+  if AuthToken then
+    headers["Authorization"] = AuthToken
+  end
+
+  if AuthTokenFile then
+    local token, err = readfile(AuthTokenFile)
+    if not token then
+      return nil, "Failed reading AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE: " .. err
+    end
+
+    headers["Authorization"] = token
+  end
+
   local client = http.new()
   client:set_timeout(DEFAULT_SERVICE_REQUEST_TIMEOUT)
 
@@ -122,6 +145,7 @@
   local response, err = client:request {
     method = "GET",
     path   = FullUri.path,
+    headers = headers,
   }
 
   if not response then