Update presign interceptors to resolve auth scheme directly instead of reading SELECTED_AUTH_SCHEME#6930
Conversation
…f reading SELECTED_AUTH_SCHEME
S-Saranya1
force-pushed
the
somepal/update-presign-interceptors-to-resolve-auth-scheme
branch
from
b460b0b to
84305bb
Compare
| } | ||
|
|
||
| /** | ||
| * Resolves the auth scheme for presigning. After the pipeline refactoring, SELECTED_AUTH_SCHEME may not be set |
There was a problem hiding this comment.
Nit - This comment is useful for reviewing this PR, but long term we'll forget what the "pipeline refactoring" is. I think we can just shorten to describe what this is doing
| private SelectedAuthScheme<? extends Identity> resolveAuthScheme(SdkRequest request, | ||
| ExecutionAttributes executionAttributes) { | ||
| AuthSchemeOptionsResolver optionsResolver = | ||
| executionAttributes.getAttribute(SdkInternalExecutionAttribute.AUTH_SCHEME_OPTIONS_RESOLVER); |
There was a problem hiding this comment.
I can never remember how our presigning works and whether request level overrides can be used or not.... but are they handled correctly?
I think in AuthSchemeResolutionStage.updateIdentityProvidersIfNeeded we do a check for the IDENTITY_PROVIDER_UPDATER for request level overrides that I don't think is handled here.
There was a problem hiding this comment.
Good point! yes, request level overrides need to be respected here. Updated the logic to use IDENTITY_PROVIDER_UPDATER before selecting the auth scheme.
S-Saranya1
merged commit 413b425
into
feature/master/core-interceptors-migration
|
This pull request has been closed and the conversation has been locked. Comments on closed PRs are hard for our team to see. If you need more assistance, please open a new issue that references this one. |
2 participants
Motivation and Context
The RDS, Neptune, DocDB, and EC2 presign interceptors generate presigned URLs for cross-region operations. To do this, they need a signer and credentials from the resolved auth scheme.
Previously, these interceptors read SELECTED_AUTH_SCHEME from execution attributes in modifyHttpRequest. This worked because the generated AuthSchemeInterceptor resolved the auth scheme in beforeExecution, which ran before modifyHttpRequest.
After moving auth scheme resolution to a pipeline stage (#6755), the real resolution now happens in AuthSchemeResolutionStage, which runs after all interceptors.
Modifications
Updated the presign interceptors to resolve the auth scheme by calling
AuthSchemeResolver.selectAuthScheme()directly. The inputs needed for resolution (AUTH_SCHEME_OPTIONS_RESOLVER, AUTH_SCHEMES, IDENTITY_PROVIDERS) are already available in execution attributes at interceptor time.This produces the same result as the pipeline stage would.
Testing
Verified with existing presign tests across all four services
Screenshots (if appropriate)
Types of changes
Checklist
mvn installsucceedsscripts/new-changescript and following the instructions. Commit the new file created by the script in.changes/next-releasewith your changes.License