Skip to content

Credential caching #1052

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
itamarwe opened this issue Jul 12, 2016 · 4 comments · Fixed by #1054
Closed

Credential caching #1052

itamarwe opened this issue Jul 12, 2016 · 4 comments · Fixed by #1054

Comments

@itamarwe
Copy link

itamarwe commented Jul 12, 2016
edited
Loading

I'm using the AWS-SDK with several sets of credentials. I use this code to test if the credentials are correct and if they have the right permissions. I see a strange caching of the credentials when switching between the different credentials.

Here's an example code:

AWS     = require 'aws-sdk'

correctCredentials = '...' #these are correct credentials
wrongCredentials = '...' #these are wrong credentials

s3Correct = new AWS.S3
  credentials: correctCredentials

s3Wrong = new AWS.S3
  credentials: wrongCredentials

params =
  Bucket: 'mybucket'

s3Correct.listObjectsV2 params, (err, data)=>
  if err?
    console.log err
  unless err?
    console.log 'no error'

s3Wrong.listObjectsV2 params, (err, data)=>
  if err?
    console.log err
  unless err?
    console.log 'no error'

On version 2.3.19 of the SDK I get no error on the correct credentials and an error on the wrong credentials, while with version 2.4.6 I get no errors on both.

It seems that while I don't change the awsAccessKeyId, the SDK caches the awsSecretAccessKey.
@chrisradek
Copy link
Contributor

@itamarwe
With version 2.4.0 of the SDK, S3 was updated to use signatureVersion: 'v4' by default, where previously it used signatureVersion: 'v2'. One consequence of this is that the signature used to sign requests is cached by default:
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Config.html#signatureCache-property

The logic that decides whether to use the cache compares the date (YYYY-MM-DD), service, accessKeyId, and region. So, if 2 service clients shared all of the above, they would use the same signature for signing as well.

This looks related to #1020.

The risk of your example happening in a real application should be extremely low since access keys consist of a pair of accessKeyId and secretAccessKey, and would likely be the result of specifically using 2 different credentials where one was incorrectly configured. It's still weird behavior though. I worked on a PR for #1020 that I'll post that will address that as well.

@chrisradek chrisradek mentioned this issue Jul 12, 2016
Merged
@itamarwe
Copy link
Author

@chrisradek The probability of this happening is not extremely low. It is 100% in any application that asks users to enter their AWS credentials. This is a very strange behavior with a very unexpected side-effect and I'm greatful for our automatic testing that discovered it.

It should be made very clear that this caching exists.

Anyway, it seems that I managed to solve the issues by instantiating the service as follows:

s3 = new AWS.S3
  credentials: credentials
  signatureCache: false

Thanks.

@chrisradek
Copy link
Contributor

@itamarwe
PR #1054 was created that will prevent 2 service clients from sharing a cache. We'll be working to merge this soon.

@chrisradek chrisradek added the Bug label Jul 18, 2016
chrisradek added a commit that referenced this issue Jul 19, 2016
@chrisradek
Tag release v2.4.8
466490f 
References:
  #1020, #1045, #1048, #1052, #1054, #1059
LiuJoyceC added a commit that referenced this issue Jul 26, 2016
@LiuJoyceC
Tag release v2.4.10
155bf58 
References:
  #1020, #1045, #1048, #1052, #1054, #1057, #1058, #1059,
  #1067
LiuJoyceC added a commit that referenced this issue Jul 29, 2016
@LiuJoyceC
Tag release v2.4.11
11c8d80 
References:
  #1020, #1045, #1048, #1052, #1054, #1057, #1058, #1059,
  #1067, #1074, #1077
@lock
Copy link

lock bot commented Sep 28, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@lock lock bot locked as resolved and limited conversation to collaborators Sep 28, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes issue where 2 clients from the same service would share a signature cache.
2 participants
@itamarwe @chrisradek