-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow sam local invoke
to retrieve account id from current logged in session
#7013
base: develop
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution. This looks good to me overall. I left one small nit-picky comment. Can you also add some unit testing?
Co-authored-by: Daniel Mil <84205762+mildaniel@users.noreply.github.com>
Co-authored-by: Daniel Mil <84205762+mildaniel@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @defenderkev, a few more minor comments.
Co-authored-by: Daniel Mil <84205762+mildaniel@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contributions!
Please check my feedback
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for maintaining this PR thus far, left some pretty minor comments
It looks like the previous CI check failed for linting reasons, can you run |
…ecified has to be a real profile, and always returns an aws_profile value (even if it is `None`)
…tials files exist (e.g. github actions environment)
self._global_parameter_overrides["AWS::AccountId"] = account_id | ||
except (NoCredentialsError, TokenRetrievalError): | ||
LOG.warning("No current session found, using default AWS::AccountId") | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this function is ok to error, can you also add a generic exception handling right now? If theres no exception handling here, if an error occurs outside of the 2 defined errors, there is potential for this function to panic the execution
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I caatch these two exceptions because they can be the consequences of
- Not having a
~/.aws/credentials
or~/.aws/config
file - Valid configuration but token is expired
If anything else causes an error, we don't know what's caused it and in my opinion the execution should panic because we don't know how to handle it.
Thoughts? I mean, I'm happy to put in a genericexcept
and continue but I'm not sure if that's what we should do here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We might want to consider catching the ClientError
exception here too. Using expired credentials, botocore returns:
botocore.exceptions.ClientError: An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
You had mentioned that other tests start failing once the ClientError
was caught, maybe we could look at fixing those?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lucashuy What I've done is add catching ClientError
to the new method, and patching the new method for the existing tests so it's just a stub; they don't need a live connection so inserting a live account ID is irrelevant. All tests are passing now
I also put back in some definitions of aws_profile
I had taken out of some of those tests. Now the only differences to upstream are the patching of _add_account_id_to_global
and the extra tests for the new code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left one comment about error handling, but otherwise this PR looks good to me
Which issue(s) does this change fix?
#2325
Replaces Pull Request #6568 after feedback from team
Why is this change necessary?
Because currently if you have !Sub xxx${AWS::AccountId}xxx in, for example, a layer definition, SAM uses a default substitution which doesn't reference the correct Account ID
How does it address the issue?
During instantiation of the
InvokeContext
object an attempt is made to retrieve the caller identity from STS. Assuming this succeeds, the account id is put into_global_parameter_overrides
. If a token retrieval error occurs, a warning message is printed and the existing default value is used.What side effects does this change have?
None that I can see
Mandatory Checklist
PRs will only be reviewed after checklist is complete
[n/a] Add input/output type hints to new functions/methods
[n/a ] Write design document if needed (Do I need to write a design document?)
Write/update unit tests
[n/a] Write/update integration tests
[n/a] Write/update functional tests if needed
make pr passes
[n/a] make update-reproducible-reqs if dependencies were changed
Write documentation
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.