## Introduction

Returns a set of temporary security credentials for applications/clients who have been authenticated through client credential grants provided by identity provider. Example providers include KeyCloak, Okta etc.

Harshavardhana <******@****.***> 1629336922 -0700

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import logging

import boto3
from boto3.session import Session
from botocore.session import get_session

from client_grants import ClientGrantsCredentialProvider

boto3.set_stream_logger('boto3.resources', logging.DEBUG)

bc_session = get_session()
bc_session.get_component('credential_provider').insert_before(
    'env',
    ClientGrantsCredentialProvider('NZLOOFRSluw9RfIkuHGqfk1HFp4a',

  # from application to upstream provider such as the Google login page
  alwaysShowLoginScreen: false
  # Uncommend the passwordConnector to use a specific connector for password grants
  passwordConnector: local

# Instead of reading from an external storage, use this list of clients.
#
# If this option isn't chosen clients may be added through the gRPC API.
staticClients:
  - id: example-app

allowPrivilegedContainer: false
allowedCapabilities: []
readOnlyRootFilesystem: false
defaultAddCapabilities: []
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
fsGroup:
  type: MustRunAs
  ranges:
  - max: {{ .Values.securityContext.fsGroup }}
    min: {{ .Values.securityContext.fsGroup }}
runAsUser:
  type: MustRunAs
  uid: {{ .Values.securityContext.runAsUser }}
seLinuxContext:
  type: MustRunAs

	AmzFwdStatus                   = "x-amz-fwd-status"
	AmzFwdErrorCode                = "x-amz-fwd-error-code"
	AmzFwdErrorMessage             = "x-amz-fwd-error-message"
	AmzFwdHeaderAcceptRanges       = "x-amz-fwd-header-accept-ranges"
	AmzFwdHeaderCacheControl       = "x-amz-fwd-header-Cache-Control"
	AmzFwdHeaderContentDisposition = "x-amz-fwd-header-Content-Disposition"
	AmzFwdHeaderContentEncoding    = "x-amz-fwd-header-Content-Encoding"

// A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player
// or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
// When clients request content hosted on a particular source domain and that content make requests
// directed towards a domain other than its own, the remote domain needs to host a cross-domain

// they are only defined to be used in this file alone.
type grantee struct {
	XMLNS       string `xml:"xmlns:xsi,attr"`
	XMLXSI      string `xml:"xsi:type,attr"`
	Type        string `xml:"Type"`
	ID          string `xml:"ID,omitempty"`
	DisplayName string `xml:"DisplayName,omitempty"`
	URI         string `xml:"URI,omitempty"`
}

type grant struct {
	Grantee    grantee `xml:"Grantee"`
	Permission string  `xml:"Permission"`
}

                raise CredentialRetrievalError(
                    provider=method,
                    error_msg=message % response.status,
                )

            return parse_grants_response(response.data)

        def parse_grants_response(data):
            """
            Parser for AssumeRoleWithClientGrants response

            :param data: Response data for AssumeRoleWithClientGrants request

Date:   Sat Jun 15 11:27:17 2019 -0700

    [security] Match ${aws:username} exactly instead of prefix match (#7791)

    This PR fixes a security issue where an IAM user based
    on his policy is granted more privileges than restricted
    by the users IAM policy.

    This is due to an issue of prefix based Matcher() function
    which was incorrectly matching prefix based on resource
    prefixes instead of exact match.