From 9109a6b8e2e6fbcd7b2efe7e2dd35f9e0773240a Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Mon, 11 Mar 2024 14:05:15 -0400
Subject: [PATCH] [PM-6116] Update AWS key service to handle authentication with instance metadata (#117)
* Updated constructor of AWS service client to test using instance metadata
* Added check to handle instance metadata only if configuration isn't supplied.
---
 .../Services/AwsKmsRsaKeyService.cs | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/KeyConnector/Services/AwsKmsRsaKeyService.cs b/src/KeyConnector/Services/AwsKmsRsaKeyService.cs
index 8b28026..d7c89e4 100644
--- a/src/KeyConnector/Services/AwsKmsRsaKeyService.cs
+++ b/src/KeyConnector/Services/AwsKmsRsaKeyService.cs
@@ -17,8 +17,21 @@ namespace Bit.KeyConnector.Services
 KeyConnectorSettings settings)
 {
 _settings = settings;
- _kmsClient = new AmazonKeyManagementServiceClient(settings.RsaKey.AwsAccessKeyId,
- settings.RsaKey.AwsAccessKeySecret, RegionEndpoint.GetBySystemName(settings.RsaKey.AwsRegion));
+ if(UseInstanceMetadataForCredentials())
+ {
+ _kmsClient = new AmazonKeyManagementServiceClient(RegionEndpoint.GetBySystemName(settings.RsaKey.AwsRegion));
+ } else {
+ _kmsClient = new AmazonKeyManagementServiceClient(settings.RsaKey.AwsAccessKeyId, settings.RsaKey.AwsAccessKeySecret, RegionEndpoint.GetBySystemName(settings.RsaKey.AwsRegion));
+ }
+ }
+
+ ///
+ /// AWS will default to use the instance metadata for credentials if we initialize the client without credentials, per their documentation here: https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html.
+ /// We will infer that we should use the instance metadata if the AwsAccessKeyId and AwsAccessKeySecret are not set in the Key Connector configuration.
+ ///
+ private bool UseInstanceMetadataForCredentials()
+ {
+ return string.IsNullOrWhiteSpace(_settings.RsaKey.AwsAccessKeyId) && string.IsNullOrWhiteSpace(_settings.RsaKey.AwsAccessKeySecret);
 }
 
 public async Task EncryptAsync(byte[] data)
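Review bot: `UseInstanceMetadataForCredentials()` returns true only when both `AwsAccessKeyId` and `AwsAccessKeySecret` are blank, so a configuration that supplies exactly one of them takes the `else` branch and builds the client with an empty key id or secret; that misconfiguration would surface as an opaque signing/authentication failure on the first KMS call instead of at startup. A half-specified credential pair should be rejected in the constructor with an `InvalidOperationException` naming both settings so the deployment fails fast. The summary comment also overstates what the region-only constructor does: the SDK walks its default credential resolution chain (environment variables, shared credentials file, container credentials, then instance metadata), so credentials present in the process environment are picked up before IMDS — suggest wording it as `/// Without explicit credentials the SDK uses its default credential resolution chain, which ends at EC2 instance metadata.` so operators know what else is honoured. As a point of style, `if(` and `} else {` do not follow the Allman layout used by the surrounding lines. The constructor's signature begins above this hunk.

```csharp
// … unchanged: constructor …
private bool UseInstanceMetadataForCredentials()
{
    var hasKeyId = !string.IsNullOrWhiteSpace(_settings.RsaKey.AwsAccessKeyId);
    var hasSecret = !string.IsNullOrWhiteSpace(_settings.RsaKey.AwsAccessKeySecret);
    if (hasKeyId != hasSecret)
    {
        throw new InvalidOperationException("AwsAccessKeyId and AwsAccessKeySecret must both be set or both be empty.");
    }
    return !hasKeyId;
}
```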