This repository was archived by the owner on Mar 6, 2026. It is now read-only.

Commit 97bfea9

fix: removes content-header from AWS IMDS get request (#1934)
When performing an IMDS request, the code incorrectly adds a content-type header to the request: `content-type: application/json` to AWS metadata (IMDS) GET requests. Some services at AWS (such as AWS SageMaker Jupyter notebook) have a stricter than normal metadata server (IMDS, both v1 and v2) when it comes to handling incoming HTTP requests.

This PR removes the default content-header and replaces it with `None`.

NOTE: initializing headers to `None` (instead of an empty `dict`) when no session token is present matches the existing behavior in `_get_metadata_role_name` and allows the transport adapter to handle default headers cleanly.

This PR updates existing unit tests (`tests/test_aws.py`) to match the new behavior.

NOTE: closing PR #1489 due to inactivity as we make the push to migrate this library to the `google-cloud-python` monorepo.

For more information about the genesis of this, see the following issue: https://issuetracker.google.com/issues/328089077
1 parent 35670fc commit 97bfea9

2 files changed

+5 -10 lines changed: 5 additions & 10 deletions


‎google/auth/aws.py‎

+3 -2 lines changed: 3 additions & 2 deletions
@@ -530,9 +530,10 @@ def _get_metadata_security_credentials(
530530
google.auth.exceptions.RefreshError: If an error occurs while
531531
retrieving the AWS security credentials.
532532
"""
533-
headers = {"Content-Type": "application/json"}
534533
if imdsv2_session_token is not None:
535-
headers["X-aws-ec2-metadata-token"] = imdsv2_session_token
534+
headers = {"X-aws-ec2-metadata-token": imdsv2_session_token}
535+
else:
536+
headers = None
536537

537538
response = request(
538539
url="{}/{}".format(self._security_credentials_url, role_name),
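
Review bot: The `else` branch at new lines 535-536 sets `headers = None` with no comment saying why it is `None` rather than an empty dict or the old `Content-Type` default, so a later cleanup could easily reintroduce a default header on this GET. Add a one-line comment above the `if imdsv2_session_token is not None:` check stating that the metadata request carries only `X-aws-ec2-metadata-token` when a session token exists and no explicit headers otherwise.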

‎tests/test_aws.py‎

+2 -8 lines changed: 2 additions & 8 deletions
@@ -1306,7 +1306,7 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars(
13061306
self.assert_aws_metadata_request_kwargs(
13071307
request.call_args_list[2][1],
13081308
"{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
1309-
{"Content-Type": "application/json"},
1309+
None,
13101310
)
13111311

13121312
# Retrieve subject_token again. Region should not be queried again.
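
Review bot: The bare `None` at new line 1309 is passed positionally to `assert_aws_metadata_request_kwargs`, and nothing at the call site says that it is the expected headers value. A short comment on that line (for example, that no headers are expected when there is no IMDSv2 session token) would make it clear that the absence of `Content-Type` is the behaviour under test, not an omitted argument.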
@@ -1329,7 +1329,7 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars(
13291329
self.assert_aws_metadata_request_kwargs(
13301330
new_request.call_args_list[1][1],
13311331
"{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
1332-
{"Content-Type": "application/json"},
1332+
None,
13331333
)
13341334

13351335
@mock.patch("google.auth._helpers.utcnow")
@@ -1394,7 +1394,6 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars_idmsv2(
13941394
request.call_args_list[4][1],
13951395
"{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
13961396
{
1397-
"Content-Type": "application/json",
13981397
"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
13991398
},
14001399
)
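
Review bot: The expected-headers literal at new lines 1396-1398, now holding only `"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN`, is repeated verbatim in each IMDSv2 test this commit touches, which is why one header change needed six identical deletions. Consider building it once in a small helper or class attribute in the test class so the next header change is a single edit. Separately, `idmsv2` in the test name in the hunk header looks like a transposition of `imdsv2` and could be corrected in a follow-up.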
@@ -1431,7 +1430,6 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars_idmsv2(
14311430
new_request.call_args_list[2][1],
14321431
"{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
14331432
{
1434-
"Content-Type": "application/json",
14351433
"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
14361434
},
14371435
)
@@ -1488,7 +1486,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_secr
14881486
request.call_args_list[2][1],
14891487
"{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
14901488
{
1491-
"Content-Type": "application/json",
14921489
"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
14931490
},
14941491
)
@@ -1545,7 +1542,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_acce
15451542
request.call_args_list[2][1],
15461543
"{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
15471544
{
1548-
"Content-Type": "application/json",
15491545
"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
15501546
},
15511547
)
@@ -1596,7 +1592,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_cred
15961592
request.call_args_list[2][1],
15971593
"{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
15981594
{
1599-
"Content-Type": "application/json",
16001595
"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
16011596
},
16021597
)
@@ -1684,7 +1679,6 @@ def test_retrieve_subject_token_success_ipv6(self, utcnow):
16841679
request.call_args_list[4][1],
16851680
"{}/{}".format(SECURITY_CREDS_URL_IPV6, self.AWS_ROLE),
16861681
{
1687-
"Content-Type": "application/json",
16881682
"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
16891683
},
16901684
)
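
Review bot: The IPv6 assertion at new lines 1681-1683 covers `SECURITY_CREDS_URL_IPV6` only with a session token present, so among the tests changed in this commit the new `headers = None` branch is asserted for the IPv4 URL but not for the IPv6 one. If there is no existing IPv6 case without a session token, add one that expects `None` for the security-credentials request, so both address families are pinned to the same header behaviour.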
