huanld/tailscale-custom
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases 2 Wiki Activity

wif: add AWS ecs for autogenerated OIDC tokens

Browse Source 
Adds the ability to detect when running on AWS ECS and fetch tokens from
the ECS metadata endpoints in addition to IMDSv2

Fixes #18909

Signed-off-by: Patrick Guinard <patrick@public.com>
This commit is contained in:
Patrick Guinard
2026-03-05 14:58:14 -07:00
committed by Mario Minardi
parent 33da8a8d68
commit 18983eca66
1 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
wif/wif.go
+14 -7
View File
@@ -40,7 +40,8 @@ const (
// 1. GitHub Actions (strongest env signals; may run atop any cloud) // 1. GitHub Actions (strongest env signals; may run atop any cloud)
// 2. AWS via IMDSv2 token endpoint (does not require env vars) // 2. AWS via IMDSv2 token endpoint (does not require env vars)
// 3. GCP via metadata header semantics // 3. GCP via metadata header semantics
// 4. Azure via metadata endpoint // 4. AWS ECS via ECS token endpoint and env vars provided by ECS
// 5. Azure via metadata endpoint
func ObtainProviderToken(ctx context.Context, audience string) (string, error) { func ObtainProviderToken(ctx context.Context, audience string) (string, error) {
env := detectEnvironment(ctx) env := detectEnvironment(ctx)
@@ -69,6 +70,9 @@ func detectEnvironment(ctx context.Context) Environment {
if detectGCPMetadata(ctx, client) { if detectGCPMetadata(ctx, client) {
return EnvGCP return EnvGCP
} }
if os.Getenv("ECS_CONTAINER_METADATA_URI_V4") != "" {
return EnvAWS
}
return EnvNone return EnvNone
} }
@@ -163,7 +167,7 @@ func acquireGitHubActionsIDToken(ctx context.Context, audience string) (string,
} }
func acquireAWSWebIdentityToken(ctx context.Context, audience string) (string, error) { func acquireAWSWebIdentityToken(ctx context.Context, audience string) (string, error) {
// LoadDefaultConfig wires up the default credential chain (incl. IMDS). // LoadDefaultConfig wires up the default credential chain (incl. IMDS and ECS metadata).
cfg, err := config.LoadDefaultConfig(ctx) cfg, err := config.LoadDefaultConfig(ctx)
if err != nil { if err != nil {
return "", fmt.Errorf("load aws config: %w", err) return "", fmt.Errorf("load aws config: %w", err)
@@ -174,12 +178,15 @@ func acquireAWSWebIdentityToken(ctx context.Context, audience string) (string, e
return "", fmt.Errorf("AWS credentials unavailable (instance profile/IMDS?): %w", err) return "", fmt.Errorf("AWS credentials unavailable (instance profile/IMDS?): %w", err)
} }
imdsClient := imds.NewFromConfig(cfg) // ECS does not have IMDS; region must come from AWS_DEFAULT_REGION or AWS_REGION,
region, err := imdsClient.GetRegion(ctx, &imds.GetRegionInput{}) if cfg.Region == "" {
if err != nil { imdsClient := imds.NewFromConfig(cfg)
return "", fmt.Errorf("couldn't get AWS region: %w", err) region, err := imdsClient.GetRegion(ctx, &imds.GetRegionInput{})
if err != nil {
return "", fmt.Errorf("couldn't get AWS region: %w", err)
}
cfg.Region = region.Region
} }
cfg.Region = region.Region
stsClient := sts.NewFromConfig(cfg) stsClient := sts.NewFromConfig(cfg)
in := &sts.GetWebIdentityTokenInput{ in := &sts.GetWebIdentityTokenInput{