fix(sts): do not inject region info for STS service with VPC endpoint hostname #113

Merged: 2 commits, May 17, 2024

windmgc (Member) commented May 6, 2024

Summary

AWS services can be used inside a private VPC without Internet access by creating private links (VPC endpoints). When creating a VPC endpoint for an AWS service, the "Enable private DNS name" option is enabled by default, which means that a private DNS record will be created whose value is the same as the AWS service's public endpoint (for example, s3.amazonaws.com) but pointing at the private VPC endpoint. This is expected to be a common practice when using a VPC endpoint to access an AWS service.

However, users can also disable it so that this "fake" DNS record is not created, and use the VPC endpoint hostname directly (something like vpce-abcdefghijklmn-abcdefg.sts.us-east-1.vpce.amazonaws.com). In this case, there is no need to inject region info into the endpoint domain, since the hostname itself always contains the region for this VPC endpoint.

We've encountered a case in which the user is using a VPC endpoint hostname directly for the STS service and region info gets injected unexpectedly, so the STS service cannot be used. This PR fixes it.

More information: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html#interface-endpoint-dns-hostnames

Issue

FTI-5934

KAG-4599
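
The hostname check described above, sketched as an added example that is not part of this pull request or the project's code. The helper names are hypothetical, and the injection rule (placing the region label in front of `.amazonaws.com`) is an assumption made for illustration:

```lua
-- Added illustration with hypothetical helper names; not the project's code.

-- Interface VPC endpoint hostnames have the shape quoted in the PR description:
--   vpce-<id>-<suffix>.<service>.<region>.vpce.amazonaws.com
local function is_vpc_endpoint_host(host)
  local pattern = "^vpce%-[%w%-]+%.[%w%-]+%.[%w%-]+%.vpce%.amazonaws%.com$"
  return host:lower():match(pattern) ~= nil
end

-- Assumed injection rule: put the region label in front of ".amazonaws.com".
local function inject_region(host, region)
  local prefix, suffix = host:match("^(.+)(%.amazonaws%.com)$")
  if not prefix then
    return host            -- not an AWS public-style name, leave untouched
  end
  return prefix .. "." .. region .. suffix
end

-- Guarded resolution: skip injection when the hostname already pins a region.
local function sts_host(host, region)
  if is_vpc_endpoint_host(host) then
    return host
  end
  -- Already regional (e.g. sts.us-east-1.amazonaws.com): nothing to inject.
  if host:find("." .. region .. ".", 1, true) then
    return host
  end
  return inject_region(host, region)
end

-- Constructed sample inputs; the VPC endpoint name is the one from the PR text.
local vpce = "vpce-abcdefghijklmn-abcdefg.sts.us-east-1.vpce.amazonaws.com"
local cases = {
  { "sts.amazonaws.com",           "sts.us-east-1.amazonaws.com" },
  { "sts.us-east-1.amazonaws.com", "sts.us-east-1.amazonaws.com" },
  { vpce,                          vpce },
}
for _, c in ipairs(cases) do
  assert(sts_host(c[1], "us-east-1") == c[2], "unexpected host for " .. c[1])
end

-- Without the guard, the VPC endpoint name is rewritten into a different hostname.
assert(inject_region(vpce, "us-east-1") ==
  "vpce-abcdefghijklmn-abcdefg.sts.us-east-1.vpce.us-east-1.amazonaws.com")
print("all endpoint cases behave as expected")
```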

windmgc changed the title from "fix(sts): do not inject region info for sts service with VPC endpoint hostname" to "fix(sts): do not inject region info for STS service with VPC endpoint hostname" on May 6, 2024

github-actions bot commented May 6, 2024

Luacheck Report

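| Metric | Count | Change |
| --- | --- | --- |
| Tests | 25 | -8 |
| Passed (✅) | 0 | -1 |
| Skipped (💤) | 0 | ±0 |
| Failed (❌) | 25 | -7 |
| Suites | 1 | ±0 |
| Files | 1 | ±0 |
| Duration (⏱️) | 0s | ±0s |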

For more details on these failures, see this check.

Results for commit f41554c. ± Comparison against base commit 77c62da.

This pull request removes 33 and adds 25 tests. Note that renamed tests count towards both.

♻️ This comment has been updated with latest results.

windmgc (Member, Author) commented May 6, 2024

tzssangglass previously approved these changes May 14, 2024
windmgc force-pushed the fix-sts-region-inject-vpc-endpoint branch from 7660fc0 to f41554c May 15, 2024 07:30
windmgc merged commit a708af6 into main May 17, 2024
9 checks passed
windmgc deleted the fix-sts-region-inject-vpc-endpoint branch May 17, 2024 08:20