@dap0am dap0am commented Aug 1, 2025

Summary

• Implements CloudShell metadata endpoint support using IMDSv2-like flow at localhost:1338
• Adds support for standard AWS environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
• Integrates both credential providers into the existing credential chain with comprehensive test coverage

Changes

  • CloudShell support: Token-based authentication flow for CloudShell metadata endpoint
  • Environment variables: Support for AWS credential environment variables with optional session token
  • Testing: 12 new comprehensive tests covering success/failure scenarios for both credential methods
  • Integration: Seamless integration into existing credential provider chain without breaking changes

Test Results

All tests pass (32 total: 20 existing + 12 new)

Test plan

  • Unit tests for CloudShell credential retrieval (success/failure scenarios)
  • Unit tests for environment variable credential retrieval (with/without session token)
  • Integration tests confirming both methods work in the main credential chain
  • Existing tests continue to pass with mock updates
  • Manual testing in development environment

Fixes #285
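The two credential sources this description names, as an added sketch that is not the pull request's code. The token and credential paths are assumptions modeled on IMDSv2, the chain order is an assumption, and the mock endpoint and every credential value are constructed.

```python
import json, os, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"  # assumed path, modeled on IMDSv2
CREDS_PATH = "/latest/meta-data/container/security-credentials"  # assumed path
# Empty ProxyHandler: the token and credentials never leave loopback via a proxy.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def http_call(url, method, headers):
    req = urllib.request.Request(url, method=method, headers=headers)
    with OPENER.open(req, timeout=2) as resp:
        return resp.read().decode()

def cloudshell_credentials(base):
    # Step 1: PUT for a short-lived token. Step 2: GET credentials with it.
    token = http_call(base + TOKEN_PATH, "PUT", {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    doc = json.loads(http_call(base + CREDS_PATH, "GET", {"X-aws-ec2-metadata-token": token}))
    return doc["AccessKeyId"], doc["SecretAccessKey"], doc.get("Token")

def env_credentials(env):
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    # Both halves are required; AWS_SESSION_TOKEN is optional (None if unset).
    return (key, secret, env.get("AWS_SESSION_TOKEN")) if key and secret else None

def resolve(base, env=os.environ):
    # Chain order (environment first) is an assumption of this sketch.
    try:
        return env_credentials(env) or cloudshell_credentials(base)
    except (OSError, ValueError, KeyError):  # unreachable, HTTP error, bad JSON
        return None

class MockEndpoint(BaseHTTPRequestHandler):
    # Constructed stand-in for the local endpoint; every value is fake.
    log_message = lambda self, *args: None  # keep the demo quiet
    def _send(self, code, text):
        self.send_response(code)
        self.send_header("Content-Length", str(len(text)))
        self.end_headers()
        self.wfile.write(text.encode())
    def do_PUT(self):
        self._send(200, "constructed-token")
    def do_GET(self):
        ok = self.headers.get("X-aws-ec2-metadata-token") == "constructed-token"
        self._send(200 if ok else 401, json.dumps({"AccessKeyId": "AKIDEXAMPLE",
            "SecretAccessKey": "secretEXAMPLE", "Token": "sessionEXAMPLE"}) if ok else "")

def start_mock():
    srv = HTTPServer(("127.0.0.1", 0), MockEndpoint)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"
```

`resolve` returns `None` rather than raising when neither source yields credentials, so a caller can fall through to the next provider in its chain.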

dap0am added 2 commits August 2, 2025 00:48
Implements CloudShell metadata endpoint support using IMDSv2-like flow
with token-based authentication at localhost:1338. Also adds support
for standard AWS environment variables (AWS_ACCESS_KEY_ID,
AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).

Both credential providers are integrated into the existing credential
chain with comprehensive test coverage. Addresses issue aws#285.
AWS_CONTAINER_AUTH_TOKEN_FILE_ENV = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"

# CloudShell credentials endpoint
CLOUDSHELL_METADATA_ENDPOINT = "http://localhost:1338/latest"
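Review bot: `CLOUDSHELL_METADATA_ENDPOINT` hard-codes a plain-HTTP loopback URL, and the one-line comment above it does not say when that address can be trusted. On a host that is not CloudShell, whichever local process is bound to port 1338 would be the one answering credential requests, so the comment should state that the endpoint is only meaningful inside CloudShell, and the provider should be attempted only after the environment has been identified as CloudShell. The visible lines do not show such a check; if it exists elsewhere in the change, a pointer to it in this comment would be enough.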
Contributor

Just a quick question: is this endpoint created on the host and acting as a fake endpoint to get security-credentials?

Development

Successfully merging this pull request may close these issues.

Feature Request: Better CloudShell credential support