From d2aef5c27e39efc79d273412baa0b033ed06ae17 Mon Sep 17 00:00:00 2001 From: Chuan Ren Date: Mon, 14 Dec 2020 15:09:59 -0800 Subject: [PATCH] Fix and improvements to aws creds --- .../aws_external_account_credentials.cc | 20 +++++++++++-------- .../aws_external_account_credentials.h | 2 ++ test/core/security/credentials_test.cc | 4 ++-- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/src/core/lib/security/credentials/external/aws_external_account_credentials.cc b/src/core/lib/security/credentials/external/aws_external_account_credentials.cc index 01c7b005ce5..64effa938fa 100644 --- a/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +++ b/src/core/lib/security/credentials/external/aws_external_account_credentials.cc @@ -71,6 +71,7 @@ AwsExternalAccountCredentials::AwsExternalAccountCredentials( ExternalAccountCredentialsOptions options, std::vector scopes, grpc_error** error) : ExternalAccountCredentials(options, std::move(scopes)) { + audience_ = options.audience; auto it = options.credential_source.object_value().find("environment_id"); if (it == options.credential_source.object_value().end()) { *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING( @@ -237,7 +238,7 @@ void AwsExternalAccountCredentials::OnRetrieveRoleNameInternal( FinishRetrieveSubjectToken("", error); return; } - role_name_ = std::string(ctx_->response.body); + role_name_ = std::string(ctx_->response.body, ctx_->response.body_length); RetrieveSigningKeys(); } 
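Review bot: The new `audience_ = options.audience;` copies the value without the emptiness check the constructor applies to the credential_source fields immediately after it, so an empty audience only surfaces later as an empty `x-goog-cloud-target-resource` header value in the subject token. Unless ExternalAccountCredentials already rejects an empty audience (its constructor is not visible here), validating it at this point keeps the failure local and the message clear, e.g. `if (options.audience.empty()) { *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("audience field must not be empty."); return; }` (constructed wording, matching the surrounding checks). The constructor body continues past the end of the hunk.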
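Review bot: `role_name_` is now correctly bounded by `body_length`, but it is still accepted verbatim from the metadata-server response and, presumably in RetrieveSigningKeys (not visible here), interpolated into the next request URL. A check before accepting it — rejecting an empty body or one containing whitespace or `/` — stops a malformed response from steering the follow-up request to an unexpected path and gives a clearer error than a downstream HTTP failure, e.g. `if (role_name_.empty() || role_name_.find_first_of(" \t\r\n/") != std::string::npos) { FinishRetrieveSubjectToken("", GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid role name in metadata response.")); return; }`. If the region handler builds its string from `ctx_->response.body` the way the removed line did, it needs the same length fix; that code is outside this hunk. OnRetrieveRoleNameInternal starts outside the hunk.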
@@ -310,31 +311,31 @@ void AwsExternalAccountCredentials::OnRetrieveSigningKeysInternal( GRPC_ERROR_UNREF(error); return; } - auto it = json.object_value().find("access_key_id"); + auto it = json.object_value().find("AccessKeyId"); if (it != json.object_value().end() && it->second.type() == Json::Type::STRING) { access_key_id_ = it->second.string_value(); } else { FinishRetrieveSubjectToken( "", GRPC_ERROR_CREATE_FROM_COPIED_STRING( - absl::StrFormat("Missing or invalid access_key_id in %s.", + absl::StrFormat("Missing or invalid AccessKeyId in %s.", response_body) .c_str())); return; } - it = json.object_value().find("secret_access_key"); + it = json.object_value().find("SecretAccessKey"); if (it != json.object_value().end() && it->second.type() == Json::Type::STRING) { secret_access_key_ = it->second.string_value(); } else { FinishRetrieveSubjectToken( "", GRPC_ERROR_CREATE_FROM_COPIED_STRING( - absl::StrFormat("Missing or invalid secret_access_key in %s.", + absl::StrFormat("Missing or invalid SecretAccessKey in %s.", response_body) .c_str())); return; } - it = json.object_value().find("token"); + it = json.object_value().find("Token"); if (it != json.object_value().end() && it->second.type() == Json::Type::STRING) { token_ = it->second.string_value(); @@ -342,7 +343,7 @@ void AwsExternalAccountCredentials::OnRetrieveSigningKeysInternal( FinishRetrieveSubjectToken( "", GRPC_ERROR_CREATE_FROM_COPIED_STRING( - absl::StrFormat("Missing or invalid token in %s.", response_body) + absl::StrFormat("Missing or invalid Token in %s.", response_body) .c_str())); return; } 
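Review bot: Each of the three rewritten error strings in this hunk, and the `Token` one in the following hunk at `@@ -342,7 +343,7 @@`, still embed `response_body` in the grpc_error text, and that is the same body this function parses `SecretAccessKey` and `Token` out of — so a response with one missing or malformed field copies live AWS credential material into whatever log or status message the error reaches. Now that the key names are fixed, the message can name the missing key without echoing the payload: `absl::StrFormat("Missing or invalid AccessKeyId in signing keys response.")` and likewise for the other three, or simply `GRPC_ERROR_CREATE_FROM_STATIC_STRING` since nothing remains to format. OnRetrieveSigningKeysInternal starts outside the hunk.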
@@ -383,9 +384,12 @@ void AwsExternalAccountCredentials::BuildSubjectToken() { headers.push_back(Json({{"key", "host"}, {"value", signed_headers["host"]}})); headers.push_back( Json({{"key", "x-amz-date"}, {"value", signed_headers["x-amz-date"]}})); + headers.push_back(Json({{"key", "x-amz-security-token"}, + {"value", signed_headers["x-amz-security-token"]}})); + headers.push_back( + Json({{"key", "x-goog-cloud-target-resource"}, {"value", audience_}})); Json::Object object{{"url", Json(cred_verification_url_)}, {"method", Json("POST")}, - {"body", Json("")}, {"headers", Json(headers)}}; Json subject_token_json(object); std::string subject_token = UrlEncode(subject_token_json.Dump()); diff --git a/src/core/lib/security/credentials/external/aws_external_account_credentials.h b/src/core/lib/security/credentials/external/aws_external_account_credentials.h index 306ee33c633..7e5bea2486f 100644 --- a/src/core/lib/security/credentials/external/aws_external_account_credentials.h +++ b/src/core/lib/security/credentials/external/aws_external_account_credentials.h @@ -55,6 +55,8 @@ class AwsExternalAccountCredentials final : public ExternalAccountCredentials { void BuildSubjectToken(); void FinishRetrieveSubjectToken(std::string subject_token, grpc_error* error); + std::string audience_; + // Fields of credential source std::string region_url_; std::string url_; diff --git a/test/core/security/credentials_test.cc b/test/core/security/credentials_test.cc index 04a118a3c02..dadc14caac6 100644 --- a/test/core/security/credentials_test.cc +++ b/test/core/security/credentials_test.cc 
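Review bot: `x-goog-cloud-target-resource` is appended with `audience_` read straight from the member, whereas `host`, `x-amz-date` and the new `x-amz-security-token` are all read back from `signed_headers`; if the signer that fills `signed_headers` (not visible in this hunk) does not include the target-resource header in the SigV4 signed-header set, the audience is not covered by the signature and the token is not bound to that resource. Reading it from the signed map like the other three, `{"value", signed_headers["x-goog-cloud-target-resource"]}`, makes the binding visible here — and since `operator[]` silently inserts an empty value when a key is absent, a `find` that fails with an error on a miss would be the stricter form for all four lookups. Dropping the `body` field also changes the serialized subject token, so any expected-token string in the tests needs to follow. BuildSubjectToken starts outside the hunk.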
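Review bot: The new `audience_` member has no comment and sits directly above the `// Fields of credential source` group even though it does not come from the credential source, which a reader may misattribute. A one-line comment would place it: `// Audience (target resource) the subject token is bound to; emitted as the x-goog-cloud-target-resource header by BuildSubjectToken().` Placing it after the credential-source fields, or separating it with a blank line, would keep the grouping comment accurate.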
@@ -178,8 +178,8 @@ static const char static const char valid_aws_external_account_creds_retrieve_signing_keys_response[] = - "{\"access_key_id\":\"test_access_key_id\",\"secret_access_key\":" - "\"test_secret_access_key\",\"token\":\"test_token\"}"; + "{\"AccessKeyId\":\"test_access_key_id\",\"SecretAccessKey\":" + "\"test_secret_access_key\",\"Token\":\"test_token\"}"; static const char valid_aws_external_account_creds_options_credential_source[] = "{\"environment_id\":\"aws1\","
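Review bot: Only the fixture's key names change here; nothing in this hunk exercises the new behaviour in BuildSubjectToken — that `x-amz-security-token` and `x-goog-cloud-target-resource` appear in the subject token and that the `body` field is gone — nor the negative path where a response using the old lower-case keys must now be rejected. Unless an expected-subject-token string elsewhere in this file was updated (not visible here), an assertion on the generated token, or at least on the presence of the two new header keys, would pin the fix against regression.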