Skip to content

[10.x] Do not add token to AWS credentials without validating it first #48297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 5, 2023
Merged

[10.x] Do not add token to AWS credentials without validating it first #48297

merged 2 commits into from
Sep 5, 2023

Conversation

@mmehmet
Copy link
Contributor

@mmehmet mmehmet commented Sep 5, 2023
edited
Loading

In the CacheManager and FilesystemManager the config that is used to instantiate a new AWS client checks for key and secret values within provided array, before adding those to the credentials element of the config. Unfortunately it also adds a token value, without a similar validation - which can lead to including a blank token value unnecessarily.

Worse still, including a blank token value within that config's credentials array can cause requests using these clients to fail - producing errors such as this when using a DynamoDbClient (which extends the AwsClient) created by a CacheManager that has included such a blank token value:

UnrecognizedClientException (client): The security token included in the request is invalid. - {
    "__type": "com.amazon.coral.service#UnrecognizedClientException",
    "message": "The security token included in the request is invalid."
} {"exception":"[object] (Aws\\DynamoDb\\Exception\\DynamoDbException(code: 0): Error executing \"PutItem\" on \"https://dynamodb.ap-southeast-2.amazonaws.com\"; AWS HTTP error: Client error: `POST https://dynamodb.ap-southeast-2.amazonaws.com` resulted in a `400 Bad Request` response:
{\"__type\":\"com.amazon.coral.service#UnrecognizedClientException\",\"message\":\"The security token included in the request i (truncated...)
UnrecognizedClientException (client): The security token included in the request is invalid. - {\"__type\":\"com.amazon.coral.service#UnrecognizedClientException\",\"message\":\"The security token included in the request is invalid.\"} at /var/task/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php:195)
[stacktrace]

Not including a (blank) token value in the config fixes this problem.

Michael Mehmet added 2 commits September 5, 2023 09:21
Remove token from config options when making a new DynamoDB client - …
cb7706c 
…including this creates an error with the `AwsClient` (which `DynamoDbClient` extends) in recent versions of the AWS PHP SDK:

```Invalid configuration value provided for "token"...```
Do not add token value to the credentials array element _unless i…
e65c5fc 
…t was already present_ within the config.

Adding a blank `token` value into this array element - simply because two other values (`key` and `secret`) happened to be found within the config - can break the `AwsClient`/`S3Client` being built by these managers.

It is also cleaner to have a separate check for this `token` value - rather than assume that because you found two other values, you may as well go ahead and add this third value into the mix too, without having validated it first.
@crynobone crynobone changed the title Do not add token to AWS credentials without validating it first [10.x] Do not add token to AWS credentials without validating it first Sep 5, 2023
@joedixon
Copy link
Contributor

joedixon commented Sep 5, 2023

Thanks @mmehmet - we only need to ensure token is removed from the top-level array as per the pull request you linked recently.

If you don't want to send a token with the credentials array, then you can remove it from your config file. It's not something that ships with the default config so is only an issue if you are updating it.

@taylorotwell taylorotwell merged commit 909ea24 into laravel:10.x Sep 5, 2023
@edcheyjr edcheyjr mentioned this pull request Sep 19, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joedixon joedixon Awaiting requested review from joedixon

@nunomaduro nunomaduro Awaiting requested review from nunomaduro

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mmehmet @joedixon @taylorotwell