Merged
9 changes: 6 additions & 3 deletions aip/auth/4117.md
Expand Up @@ -240,7 +240,9 @@ The auth libraries and applications **must** follow the steps below:
**imdsv2_session_token_url** fields if they are provided. The host should
either be **169.254.169.254** or **fd00:ec2::254**.
- If **imdsv2_session_token_url** is available, then fetch session token
from **imdsv2_session_token_url**.
from **imdsv2_session_token_url**. Note: only perform this step if you
need to communicate with the metadata server to fetch the region and/or
the security credentials
- Check the environment variables in the following order (`AWS_REGION` and
then the `AWS_DEFAULT_REGION`) to determine the AWS region. If found, skip
using the AWS metadata server to determine this value.
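Review bot: The sentence added to the **imdsv2_session_token_url** step makes the session-token fetch conditional on needing the metadata server, but that need is only decided by steps that come after it (the `AWS_REGION` / `AWS_DEFAULT_REGION` check follows directly), so an implementer reading top to bottom cannot evaluate the condition at this point. Consider moving the token fetch after the environment checks, or naming the conditions in the step itself. Because the list is introduced with **must**, the sentence would also read better in normative wording than as "Note: only perform this step if you need to", and it is missing its final period.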
Expand Down Expand Up @@ -277,7 +279,7 @@ The auth libraries and applications **must** follow the steps below:
"key": "x-amz-date"
},
{
"value": "AWS4-HMAC-SHA256 Credential=AKIASOZTBDV4D7ABCDEDF/20200228/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date,Signature=abcedefdfedfd",
"value": "AWS4-HMAC-SHA256 Credential=AKIASOZTBDV4D7ABCDEDF/20200228/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token;x-goog-cloud-target-resource, Signature=abcedefdfedfd",
"key": "Authorization"
},
{
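Review bot: The new `SignedHeaders` value lists `x-amz-security-token`, which is only present when signing with temporary credentials, yet the `Credential` field on the same line still uses an `AKIA`-prefixed key ID, the prefix AWS uses for long-term keys; an `ASIA`-style placeholder would make the sample self-consistent. Please also confirm that the example's header array carries `x-amz-security-token` and `x-goog-cloud-target-resource` entries, since only `x-amz-date` and `Authorization` are visible in this context and a reader copying the sample needs every signed header to be present in the request.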
Expand All @@ -293,7 +295,7 @@ The auth libraries and applications **must** follow the steps below:
"body": ""
}
```
For the AWS token, STS requires a special header `x-goog-cloud-endpoint` to recognize that the token is for a specific workload identity provider.
For the AWS token, STS requires a special header `x-goog-cloud-target-resource` to recognize that the token is for a specific workload identity provider.

### Determining the subject token in Microsoft Azure and URL-sourced credentials

Expand Down Expand Up @@ -531,6 +533,7 @@ The auth libraries and applications **must** follow the steps below:

## Changelog

- **2025-10-17**: Corrections in specification and examples for External Account Credentials (AIP 4117).
- **2021-12-10**: Add AIP for External Account Credentials (AIP 4117).
- **2022-05-18**: Document executable-sourced credentials (AIP 4117).
- **2022-08-31**: Document configurable token lifetime (AIP 4117).
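Review bot: The new **2025-10-17** entry is inserted above **2021-12-10**, while the visible entries below it run oldest to newest (2021-12-10, 2022-05-18, 2022-08-31), so the changelog ordering is now inconsistent; place the entry where the file's existing order puts it. The text "Corrections in specification and examples" is also too vague for a header rename that affects signing: name the change from `x-goog-cloud-endpoint` to `x-goog-cloud-target-resource` and the conditional session-token fetch so implementers can tell whether they are affected.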