[Fix] Upgraded AWS go-sdk to V2 (only for AWS Canary Token Verification)

[abmussani]

Description:

The AWS SDK for Go (aws-sdk-go) has entered maintenance mode, as noted in its README. This PR upgrades the SDK to v2, specifically for verifying AWS Canary tokens.

This upgrade addresses an issue where the previous version intermittently returned signature errors, incorrectly marking valid credentials as unverified.

Note: This upgrade is limited to AWS Canary token verification. The rest of the codebase will continue using the older AWS SDK version.

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

[kashifkhan0771]

🚀

[rgmz]

This upgrade addresses an issue where the previous version intermittently returned signature errors, incorrectly marking valid credentials as unverified.

What part of the change fixes this issue?

[abmussani]

This upgrade addresses an issue where the previous version intermittently returned signature errors, incorrectly marking valid credentials as unverified.

What part of the change fixes this issue?

Just migration of aws sdk to v2 and some code in canary.go file

[rgmz]

Just migration of aws sdk to v2 and some code in canary.go file

That was never an issue with the canary flow AFAIk. It was in the normal Access Key / Session Key detector flows.

trufflehog/pkg/detectors/aws/access_keys/accesskey.go

Lines 280 to 284 in f2dc96e

	} else if res.StatusCode == 403 {
	// Experimentation has indicated that if you make two GetCallerIdentity requests within five seconds that
	// share a key ID but are signed with different secrets the second one will be rejected with a 403 that
	// carries a SignatureDoesNotMatch code in its body. This happens even if the second ID-secret pair is
	// valid. Since this is exactly our access pattern, we need to work around it.

[abmussani]

Just migration of aws sdk to v2 and some code in canary.go file

That was never an issue with the canary flow AFAIk. It was in the normal Access Key / Session Key detector flows.

trufflehog/pkg/detectors/aws/access_keys/accesskey.go

Lines 280 to 284 in f2dc96e

	} else if res.StatusCode == 403 {
	// Experimentation has indicated that if you make two GetCallerIdentity requests within five seconds that
	// share a key ID but are signed with different secrets the second one will be rejected with a 403 that
	// carries a SignatureDoesNotMatch code in its body. This happens even if the second ID-secret pair is
	// valid. Since this is exactly our access pattern, we need to work around it.

Some of the customer reported that Live AWS Canary tokens are not being verified. On Debugging, I noted that the old version of SDK was randomly causing signature verification error which got fixed when migrated to V2.

Sorry I misread your comment. Verification of Canary id/secret is the part of access key / session key detector. Few of the customer reported that Live AWS Canary tokens are not being verified which got fixed once I migrated to V2.

[abmussani]

thank you @rgmz for pointing out the usage in access_key.go I should also migrate the code to V2.

[abmussani]

HI @rgmz , Thank you for pointing out that comment. I have replaced that custom API Request code using SDK methods. After that I am not able to reproduce signature related error even using the same Id and multiple secrets with it. Can you do me a favor to review the code and if I have missed any case. TIA 🙇
The new changes includes:

• Use the SDK getCallerIdentity method to verify access key and secret (non-canary).
• Use of custom HTTP Client for better logging.
• Handling of error if Id is invalid. Reason: In SDK, they have change the error text for this case.

Note: AWS SessionKey detector is still using the custom API request method. If these changes are good enough, I can work on that part too.

[abmussani]

@zricethezav I also request you to re-review the updated changes. TIA.

[rgmz]

Suggested change

	return false, nil, fmt.Errorf("request returned unexpected error: %s", err.Error())
	return false, nil, fmt.Errorf("request returned unexpected error: %w", err)

[rgmz]

This upgrade addresses an issue where the previous version intermittently returned signature errors, incorrectly marking valid credentials as unverified.

This does not resolve the mentioned issue. I can easily replicate the intermittent behaviour by taking a valid id+secret pair and adding a secondary invalid secret.

STORAGE_ACCESS_KEY_ID=AKIA...
#STORAGE_ACCESS_KEY_SECRET=...
STORAGE_ACCESS_KEY_SECRET=...

Output:

$ ./trufflehog filesystem /tmp/aws.txt
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

✅ Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
...

$ ./trufflehog filesystem /tmp/aws.txt
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

Found unverified result 🐷🔑❓
Detector Type: AWS
Decoder Type: PLAIN
...

[abmussani]

@rgmz after some experiment, I noted that if SaneHttpClient is used to make calls, AWS returns Invalid Signature issue. But things work as expected if default AWS SDK client is being used. I tried to use the most simple go http.Client but invalid signature is appearing with that as well.

[rgmz]

But things work as expected if default AWS SDK client is being used.

By this do you mean omitting config.WithHTTPClient(s.getClient()),?

[abmussani]

Correct.

Yesterday, I was going through the AWS GO SDK documentation. They have provided a recommended way to customize the AWS HTTP client. Link. Few of the properties are allowed to be modified. I am trying that out.

[abmussani]

Moreover, I noted that SaneHttpClient is modifying two parts via http.Transport layer.

1. Modify connection related properties like KeepAlive or maxIdleConnection etc. These can be override in AWS http client.
2. Customized User-Agent: SDK does not provide any interface to do that directly view Http Client. The recommended way to override the agent is using the AWS Middleware. Which is not part of the HTTP client.

From documentation perspective, Both of the modification is doable via AWS SDK. I need to try out to see the results.

[abmussani]

Hey @rgmz, I have updated the PR and checked the issue you mentioned. The issue is no more reproducible with the changes.

What's changed:
Since, SaneHttpClient is not compatible with AWS go SDK. I used AWS BuildableClient to send the requests. Along with that Middleware is added to inject the TruffleHog + Suffix in User-Agent Header.

Input:

STORAGE_ACCESS_KEY_ID=
#STORAGE_ACCESS_KEY_SECRET=...
STORAGE_ACCESS_KEY_SECRET=...

Output - First attempt:

$ go run . filesystem ~/Desktop/Trufflehog/aws/canary/accesskey.txt 
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2025-02-20T20:02:39+05:00	info-0	trufflehog	running source	{"source_manager_worker_id": "8FFgK", "with_units": true}
✅ Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
...

Output - Second attempt:

$ go run . filesystem ~/Desktop/Trufflehog/aws/canary/accesskey.txt 
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2025-02-20T20:05:51+05:00	info-0	trufflehog	running source	{"source_manager_worker_id": "xZmZ7", "with_units": true}
✅ Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
...

Also, I modified the test as generating the hash was causing flaky output. Sometime, it was getting passed and sometime not.

$ go test -tags=detectors ./pkg/detectors/aws/access_keys/
ok  	github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aws/access_keys	(cached)