Describe the bug
According to the SDK Container Credentials Documentation the AWS_CONTAINER_CREDENTIALS_FULL_URI can be used to set "...the full HTTP URL endpoint for the SDK to use when making a request for credentials. This includes both the scheme and the host...".
It doesn't state any limitations that the host can only be 'localhost'.
When using the Amazon ECS Local Container Endpoints (LCE) in a Docker Compose setup, the app containing the SDK should be able to reach the LCE container (preferably by host name, e.g. "awsecslocalendpoints").
Expected Behavior
The AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable should accept any host.
Current Behavior
The following debug message is logged:
The full URI (http://awsecslocalendpoints/role/MyRole) contained withing environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI has an invalid host. Host can only be one of [localhost, 127.0.0.1]
Reproduction Steps
docker-compose.yml
version: '3.7'
services:
  MyApp:
    build:
      context: .
      dockerfile: app/Dockerfile
    depends_on:
      - AwsEcsLocalEndpoints
    environment:
      AWS_CONTAINER_CREDENTIALS_FULL_URI: http://awsecslocalendpoints/role/MyRole
    networks:
      - dev
  AwsEcsLocalEndpoints:
    image: public.ecr.aws/ecs-local/amazon-ecs-local-container-endpoints:1.4.1-amd64
    volumes:
      - /var/run:/var/run
      - ~/.aws:/home/.aws
    environment:
      HOME: "/home"
      AWS_PROFILE: MyProfile
    networks:
      - dev
networks:
  dev:
    driver: bridge
    name: dev
Possible Solution
Remove the "ALLOWED_FULL_URI_HOSTS" check in https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/ContainerCredentialsProvider.java#L118
Additional Information/Context
The main point of this issue is to determine if there is any need to limit the AWS_CONTAINER_CREDENTIALS_FULL_URI since I can't see any.
If an attacker had access to set the AWS_CONTAINER_CREDENTIALS_FULL_URI, they could also set any other env var, including AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY; therefore limiting the full URI seems to pose an unnecessary limitation.
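The allow-list keeps plain-http credential requests on loopback, so a layout that works with the check rather than around it is to give the LCE container the ECS credential endpoint address 169.254.170.2 and use AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, which the SDK resolves against that address. The Compose file below is an added example (not from this issue or the SDK project; it follows the pattern I recall from the LCE project's own documentation); the 169.254.170.0/24 subnet and the addresses assigned to the two services are assumptions and must not collide with anything else on the host.

```yaml
# Added example: LCE reachable at the standard ECS credential address,
# so the SDK's host allow-list is never involved.
version: '3.7'
services:
  MyApp:
    build:
      context: .
      dockerfile: app/Dockerfile
    depends_on:
      - AwsEcsLocalEndpoints
    environment:
      # Resolved by the SDK as http://169.254.170.2/role/MyRole
      AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: /role/MyRole
      AWS_DEFAULT_REGION: us-east-1   # assumed region
    networks:
      credentials_network:
        ipv4_address: "169.254.170.3"   # assumed free address
  AwsEcsLocalEndpoints:
    image: public.ecr.aws/ecs-local/amazon-ecs-local-container-endpoints:1.4.1-amd64
    volumes:
      - /var/run:/var/run
      - ~/.aws:/home/.aws
    environment:
      HOME: "/home"
      AWS_PROFILE: MyProfile
    networks:
      credentials_network:
        ipv4_address: "169.254.170.2"   # ECS credential endpoint address
networks:
  credentials_network:
    driver: bridge
    ipam:
      config:
        - subnet: "169.254.170.0/24"   # assumed subnet
          gateway: 169.254.170.1
```

The RELATIVE_URI path is not subject to the ALLOWED_FULL_URI_HOSTS check, so the SDK in MyApp fetches credentials from the LCE container without any change to the provider.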
AWS Java SDK version used
1.12.372
JDK version used
openjdk version "13.0.2" 2020-01-14
Operating System and version
Fedora 7.7