Add AWS IAM Roles Anywhere authentication to s3, sqs and sqs-files adapters#302
Open
maximelb wants to merge 2 commits into
Open
Add AWS IAM Roles Anywhere authentication to s3, sqs and sqs-files adapters#302maximelb wants to merge 2 commits into
maximelb wants to merge 2 commits into
Conversation
…apters Allows authenticating to AWS with short-lived credentials derived from an X.509 certificate instead of long-lived access keys. The adapter calls the Roles Anywhere CreateSession API (SigV4-X509, implemented here since no AWS SDK supports it natively and the official credential helper pulls in cgo, breaking cross-compilation) and refreshes the temporary session credentials automatically before expiry. Configured via a new roles_anywhere config block (certificate, private_key, trust_anchor_arn, profile_arn, role_arn) that is mutually exclusive with access_key/secret_key. Existing configs are unaffected. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SiRyZ4DwMZtcpeYWh8oFFx
lcbill
previously approved these changes
Jul 6, 2026
- Propagate request contexts into the credential fetch (credentials.ProviderWithContext) and retry transient CreateSession failures (network errors, 429, 5xx) so a blip during a mid-run credential refresh no longer kills SQS-based adapters. - Resolve the Roles Anywhere endpoint through the SDK endpoint data instead of hand-building the domain, fixing GovCloud/CN/ISO partition suffixes. - Identify the leaf certificate by matching the private key so PEM bundles work in any order (CA-first or leaf-first), with a clear local error when the key matches no certificate. - Floor the credential expiration so a badly skewed local clock degrades to a periodic refresh instead of one CreateSession call per SDK request. - Enforce the auth config rules in NewAWSCredentials as well, since the general container builds adapters without calling Validate(). - sqs-files: use the configured credentials for the bucket-region lookup (previously fell back to the default ambient chain), build the S3 client from the S3 session, and actually mark the S3 SDK as initialized instead of rebuilding it for every file. - Redact secret_key/private_key values in the config printed by the general container at startup. - Precompute the immutable signed-request components at provider construction. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SiRyZ4DwMZtcpeYWh8oFFx
lcbill
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds support for authenticating to AWS using IAM Roles Anywhere as an alternative to long-lived access keys, for the three adapters that talk to AWS:
s3,sqsandsqs-files(which covers CloudTrail-style S3 bucket ingestion).Instead of pasting a permanent
access_key/secret_key, users can now provide an X.509 certificate + private key issued under a CA they registered as a Roles Anywhere trust anchor, along with the trust anchor / profile / role ARNs. The adapter exchanges the certificate for temporary session credentials via the Roles AnywhereCreateSessionAPI and refreshes them automatically before expiry. The AWS credentials in use are always short-lived, the certificate is revocable and expiring, and no permanent IAM user is needed.Configuration
New optional
roles_anywhereblock on the three adapter configs, mutually exclusive withaccess_key/secret_key:PEM values may also be passed on a single line with
\nescapes (convenient for UI/CLI configs). The region and endpoint are derived from the trust anchor ARN, including GovCloud and CN partitions. Existing configs using access keys are unaffected.Implementation notes
CreateSessionuses a SigV4 variant (SigV4-X509) that is deliberately not implemented in any AWS SDK. The officialrolesanywhere-credential-helpercannot be imported as a library without pulling in a cgo PKCS#11 dependency, which would break this repo's cross-compilation (AIX, Solaris, BSDs...). The signing process is small and publicly documented, so it is implemented directly inutils/aws_roles_anywhere.goper the official signing spec, using only the standard library.credentials.Providerinterface with expiry-based auto-refresh (5 minutes before expiration).X-Amz-X509-Chainsigned header for setups where the trust anchor is a root CA and the client cert is issued by an intermediate.Testing
X-Amz-X509, for both RSA and ECDSA keys, including the serial-number credential field and algorithm/key-type match.go build ./...,go vetandgo teston all touched packages pass, plus cross-compile checks foraix/ppc64andwindows/amd64.🤖 Generated with Claude Code
https://claude.ai/code/session_01SiRyZ4DwMZtcpeYWh8oFFx