facebook / akd

An implementation of an auditable key directory

Add Functionality to Send Unsigned Requests to AWS for Auditing

dillonrg opened this issue · comments

Bug

When running the local auditor against a publicly visible S3 bucket, we can run into failures due to credentials not existing despite the fact that they are not needed:

dillon@dillon-mbp ~/o/akd> cargo run -p akd_local_auditor -- s3 --bucket kt-audit-proofs-integration --region us-east-2                                                                                                                               main
warning: profiles for the non root package will be ignored, specify profiles at the workspace root:
package:   /Users/dillon/oss/akd/akd_core/Cargo.toml
workspace: /Users/dillon/oss/akd/Cargo.toml
warning: profiles for the non root package will be ignored, specify profiles at the workspace root:
package:   /Users/dillon/oss/akd/akd_client/Cargo.toml
workspace: /Users/dillon/oss/akd/Cargo.toml
    Finished dev [unoptimized + debuginfo] target(s) in 5.61s
     Running `target/debug/akd_local_auditor s3 --bucket kt-audit-proofs-integration --region us-east-2`
$ audit --epoch 1
[00:00:03.982] INFO   load_region; provider=Region("us-east-2") (region:43)
[00:00:04.169] INFO   send_operation; (parse_response:95)
[00:00:04.169] INFO   send_operation; operation="ListObjectsV2" (parse_response:95)
[00:00:04.169] INFO   send_operation; service="s3" (parse_response:95)
[00:00:04.169] INFO   provide_credentials; provider=default_chain (credentials:73)
[00:00:04.170] INFO   send_operation; (parse_response:95)
[00:00:04.170] INFO   send_operation; operation="get" (parse_response:95)
[00:00:04.170] INFO   send_operation; service="imds" (parse_response:95)
[00:00:04.170] INFO   send_operation; (parse_response:95)
[00:00:04.170] INFO   send_operation; operation="get-token" (parse_response:95)
[00:00:04.170] INFO   send_operation; service="imds" (parse_response:95)
[00:00:05.174] INFO   send_operation; status="dispatch_failure" (parse_response:95)
[00:00:05.174] INFO   send_operation; message=timeout: error trying to connect: HTTP connect timeout occurred after 1s (parse_response:95)
[00:00:05.174] INFO   send_operation; status="construction_failure" (parse_response:95)
[00:00:05.174] INFO   send_operation; message=Failed to load session token: timeout: error trying to connect: HTTP connect timeout occurred after 1s (parse_response:95)
[00:00:05.174] INFO   provider returned CredentialsNotLoaded, ignoring (auth:53)
[00:00:05.175] INFO   send_operation; status="construction_failure" (parse_response:95)
[00:00:05.175] INFO   send_operation; message=No credentials in the property bag (parse_response:95)
Error: Error executing list_objects_v2 in S3: failed to construct request: No credentials in the property bag

Goal

Without any AWS credentials, a request to audit information stored in S3 may fail. In order to make anonymous requests to AWS, we should evaluate a means of sending an "anonymous" request to S3 to read its data.

For reference, please see awslabs/aws-sdk-rust#425.
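As an added example (not code from the akd project or from the issue author), the following POSIX shell check lets a practitioner confirm, before running the auditor, that a bucket really does permit anonymous reads. It assumes only that curl is installed; the bucket name and region are taken from the report above and are otherwise assumptions. The point it demonstrates is what an "anonymous" S3 request actually is: a plain HTTPS GET to the bucket's virtual-hosted endpoint with no Authorization header, so no credential provider chain and no IMDS token lookup are involved at all. An AccessDenied error body means the bucket policy does not grant anonymous reads and the auditor will need real credentials.

```shell
#!/bin/sh
# Added example, not part of the akd repository: probe whether an S3 bucket
# can be listed anonymously (unsigned), using only curl.
# Bucket and region below are those from the issue and are assumptions here.

# Build the virtual-hosted-style ListObjectsV2 URL for a bucket and region.
s3_list_url() {
    bucket="$1"; region="$2"
    printf 'https://%s.s3.%s.amazonaws.com/?list-type=2\n' "$bucket" "$region"
}

# Classify an S3 XML response body as "denied", "listing", or "unknown".
s3_classify() {
    body="$1"
    case "$body" in
        *'<Code>AccessDenied</Code>'*) echo denied ;;
        *'<ListBucketResult'*)         echo listing ;;
        *)                             echo unknown ;;
    esac
}

# Extract object keys from a ListBucketResult body, one key per line.
s3_keys() {
    printf '%s' "$1" | grep -o '<Key>[^<]*</Key>' \
        | sed -e 's#<Key>##' -e 's#</Key>##'
}

# Send the unsigned request (no Authorization header is ever added) and
# report the outcome. Returns 0 if the bucket is anonymously readable,
# 1 if access was denied or the reply was unexpected, 2 on a transport error.
s3_anon_check() {
    url=$(s3_list_url "$1" "$2")
    body=$(curl -sS "$url") || return 2
    case $(s3_classify "$body") in
        listing)
            echo "anonymous read OK, objects:"
            s3_keys "$body"
            return 0 ;;
        denied)
            echo "AccessDenied: bucket policy does not allow anonymous reads" >&2
            return 1 ;;
        *)
            echo "unexpected response from $url" >&2
            return 1 ;;
    esac
}

# Usage: sh s3_anon_check.sh kt-audit-proofs-integration us-east-2
if [ "$#" -ge 2 ]; then
    s3_anon_check "$1" "$2"
fi
```

If the probe prints the object keys, the failure in the report is purely the SDK's credential resolution and an unsigned request is sufficient; if it prints AccessDenied, the bucket is not public and no amount of "anonymous" support in the auditor will help.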

Addressed in #380