
AWS_CONTAINER_CREDENTIALS_FULL_URI only accepts localhost #2898

Description

@rhertogh

Describe the bug

According to the SDK Container Credentials Documentation, the AWS_CONTAINER_CREDENTIALS_FULL_URI can be used to set "...the full HTTP URL endpoint for the SDK to use when making a request for credentials. This includes both the scheme and the host...".
It doesn't state any limitation that the host can only be 'localhost'.

When using the Amazon ECS Local Container Endpoints (LCE) in a Docker Compose setup, the app containing the SDK should be able to reach the LCE container (preferably by host name, e.g. "awsecslocalendpoints").

Expected Behavior

The AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable should accept any host.

Current Behavior

The following debug message is logged:

The full URI (http://awsecslocalendpoints/role/MyRole) contained withing environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI has an invalid host. Host can only be one of [localhost, 127.0.0.1]

Reproduction Steps

docker-compose.yml

version: '3.7'
services:

  MyApp:
    build:
      context: .
      dockerfile: app/Dockerfile
    depends_on:
      - AwsEcsLocalEndpoints
    environment:
      AWS_CONTAINER_CREDENTIALS_FULL_URI: http://awsecslocalendpoints/role/MyRole
    networks:
      - dev

  AwsEcsLocalEndpoints:
    image: public.ecr.aws/ecs-local/amazon-ecs-local-container-endpoints:1.4.1-amd64
    volumes:
      - /var/run:/var/run
      - ~/.aws:/home/.aws
    environment:
      HOME: "/home"
      AWS_PROFILE: MyProfile
    networks:
      - dev

networks:
  dev:
    driver: bridge
    name: dev

Possible Solution

Remove the "ALLOWED_FULL_URI_HOSTS" check in https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/ContainerCredentialsProvider.java#L118

Additional Information/Context

The main point of this issue is to determine if there is any need to limit the AWS_CONTAINER_CREDENTIALS_FULL_URI, since I can't see any.
If an attacker had access to set the AWS_CONTAINER_CREDENTIALS_FULL_URI, they could also set any other env var, including AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY; therefore limiting the full URI seems to pose an unnecessary limitation.

AWS Java SDK version used

1.12.372

JDK version used

openjdk version "13.0.2" 2020-01-14

Operating System and version

Fedora 7.7
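Added example, not code from the aws-sdk-java project: a small Python validator that mirrors the host check the debug message above describes. It shows that the Compose hostname is rejected by the default list, that matching on the parsed hostname (rather than the raw netloc string) is what keeps a `user@host` trick from slipping past, and that an explicit per-deployment allow-list entry admits the LCE container without dropping the check entirely. The function name, the returned message format and the default allowed-hosts set are assumptions taken from the logged message.

```python
"""Mirror of the AWS_CONTAINER_CREDENTIALS_FULL_URI host check (illustrative, not SDK code)."""
from __future__ import annotations

from urllib.parse import urlparse

ENV_VAR = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
# Hosts named in the SDK's debug message on this page (assumed to be the SDK's default list).
ALLOWED_FULL_URI_HOSTS: frozenset[str] = frozenset({"localhost", "127.0.0.1"})


def check_full_uri(uri: str, allowed_hosts: frozenset[str] = ALLOWED_FULL_URI_HOSTS) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate credential endpoint URI.

    The allow-list is compared against urlparse().hostname, which strips any
    userinfo ("localhost@evil.example" -> "evil.example") and any port, so the
    decision is made on the host the HTTP client would actually connect to.
    """
    parsed = urlparse(uri)
    if parsed.scheme not in ("http", "https"):
        return False, f"The full URI ({uri}) in {ENV_VAR} has an unsupported scheme: {parsed.scheme!r}"
    host = parsed.hostname  # lower-cased; None when the authority part is missing
    if host is None:
        return False, f"The full URI ({uri}) in {ENV_VAR} has no host"
    if host not in allowed_hosts:
        return False, (
            f"The full URI ({uri}) contained within environment variable {ENV_VAR} "
            f"has an invalid host. Host can only be one of {sorted(allowed_hosts)}"
        )
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the value from the docker-compose.yml above and some variants.
    samples = [
        "http://awsecslocalendpoints/role/MyRole",  # the Compose service hostname -> rejected
        "http://localhost/role/MyRole",  # default allow-list -> accepted
        "http://localhost:8080/role/MyRole",  # port does not affect the host match
        "http://localhost@evil.example/role/MyRole",  # userinfo trick -> still rejected
    ]
    for sample in samples:
        print(sample, "->", check_full_uri(sample))
    # Per-deployment extension of the list (an assumption, not an SDK feature) keeps the guard
    # in place while admitting the LCE container by name.
    compose_hosts = ALLOWED_FULL_URI_HOSTS | {"awsecslocalendpoints"}
    print(check_full_uri("http://awsecslocalendpoints/role/MyRole", compose_hosts))
```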
