'ClientConfig.DetermineServiceURL()' is obsolete, How to use "the newer system" with a Signing Request?

[gitisz]

I'm looking to sign a request using the current IAM role assigned to an ECS Task. The request is intended as an argument for VaultSharp, to authenticate and retrieve secrets based on a Vault Role ID. Seems I am successful logging in, but not so with retrieving secrets or authorized roles. Before taking this to HashiCorp or VaultSharp, I wanted to ensure my signing request is accurate.

One thing I see is amazonSecurityTokenServiceConfig.DetermineServiceURL() is marked as obsolete. The notes state:

'ClientConfig.DetermineServiceURL()' is obsolete: 'This operation is obsoleted because as of version 3.7.100 endpoint is resolved using a newer system that uses request level parameters to resolve the endpoint.'

Given the signing request below, how might I use "the newer system"?

Signing Request:

    public async Task<string> GetEncodedIamRequestHeaders(AWSOptions? awsOptions)
    {
        var amazonSecurityTokenServiceConfig = new AmazonSecurityTokenServiceConfig();

        var credentials = await CreateIAMCredentialsAsync(_logger, null);
        var token = credentials.Token;
        var accessKey = credentials.AccessKey;
        var secretKey = credentials.SecretKey;
        var endpoint = amazonSecurityTokenServiceConfig.DetermineServiceURL();

        _logger.Debug($"Credential retrieved: {(!string.IsNullOrEmpty(token) && !string.IsNullOrEmpty(accessKey)  && !string.IsNullOrEmpty(secretKey) )}");

        // Construct the IAM Request and add necessary headers
        var iamRequest = GetCallerIdentityRequestMarshaller.Instance.Marshall(new GetCallerIdentityRequest());
        iamRequest.Endpoint = new Uri(endpoint);
        iamRequest.Headers.Add("X-Vault-AWS-IAM-Server-ID", "https://url-to-vault");
        iamRequest.Headers.Add("X-Amz-Security-Token", token);
        iamRequest.Headers.Add("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");

        new AWS4Signer().Sign(iamRequest
            , amazonSecurityTokenServiceConfig
            , new RequestMetrics()
            , accessKey
            , secretKey);
        var iamSTSRequestHeaders = iamRequest.Headers;

        // Convert headers to Base64 encoded version
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(iamSTSRequestHeaders)));
    }
    
    private static async Task<ImmutableCredentials> CreateIAMCredentialsAsync(Serilog.ILogger logger, AWSOptions? awsOptions)
    {
        if (awsOptions != null)
        {
            if (awsOptions.Credentials != null)
            {
                logger?.Information("Using AWS credentials specified with the AWSOptions.Credentials property");

                return await awsOptions.Credentials.GetCredentialsAsync();
            }

            if (!string.IsNullOrEmpty(awsOptions.Profile))
            {
                var chain = new CredentialProfileStoreChain(awsOptions.ProfilesLocation);

                AWSCredentials result;

                if (chain.TryGetAWSCredentials(awsOptions.Profile, out result))
                {
                    logger?.Information($"Found AWS credentials for the profile {awsOptions.Profile}");

                    return await result.GetCredentialsAsync();
                }
                else
                {
                    logger?.Information($"Failed to find AWS credentials for the profile {awsOptions.Profile}");
                }
            }
        }

        var credentials = FallbackCredentialsFactory.GetCredentials();

        if (credentials == null)
        {
            logger?.Error("Last effort to find AWS Credentials with AWS SDK's default credential search failed");

            throw new AmazonClientException("Failed to find AWS Credentials for constructing AWS service client");
        }
        else
        {
            logger?.Information("Found credentials using the AWS SDK's default credential search");
        }

        return await credentials.GetCredentialsAsync();
    }

Thanks for taking a moment to assist!

[danielmarbach]

Unfortunately, this is an example of obsoleting something without giving us any guidance on what to do instead. This commit introduced it without providing any guidance on how to resolve it

4547258

We ran into the obsoletion when using CorrectClockSkew.GetClockCorrectionForEndpoint and ended up switching to Config.ClockOffset which internally still uses DetermineServiceURL but now it least this is something the SDK code has to deal with and no longer our obligation

Particular/NServiceBus.AmazonSQS#1909

[ashovlin]

With the 3.7.100 release we introduced a new internal mechanism to resolve endpoints across AWS SDKs.

As AWS services grow the endpoint determination logic for some operations is becoming more complicated, and relying on additional information from the request beyond just the client configuration and region pair.

We're internally exploring how to provide a new method that can resolve an endpoint that does support this additional context, and can update this discussion if and when we come up with something.

[muhammad-othman]

DetermineServiceOperationEndpoint method was added to all the service clients as part of v.3.7.624.0, this can be used to know the endpoint that request will use instead of DetermineServiceURL.

For example:

 var endpoint = amazonSecurityTokenServiceClient.DetermineServiceOperationEndpoint(new GetCallerIdentityRequest());
 var url = endpoint.URL;

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.