github aws/credentials-fetcher v.2.0.1
Release v.2.0.1

11 hours ago

Overview

  • Builds on the Go rewrite introduced in v2.0.0
  • Focus on packaging correctness, startup reliability, improved diagnostics, and critical bug fixes
  • Binary rename from credentials-fetcherd to credentials-fetcher documented
  • krb5.conf now bundled with the RPM — no manual Kerberos configuration needed
  • ECS agent startup ordering enforced via systemd drop-in
  • LDAP failures now auto-retry with debug output for easier troubleshooting
  • Credential renewal handles username changes in AWS Secrets Manager

What's Changed

Bug Fixes

  • Kerberos file cleanup now uses RemoveAll instead of Remove
    • fs.Remove() only deletes empty directories, causing silent cleanup failures
    • Now recursively deletes the service account directory and parent lease directory
  • Fixed krb5.conf install location
    • RPM spec was installing to an incorrect path; corrected to /usr/sbin/
  • Fixed stale opensource/ directory reference in RPM spec
    • Was causing build failures after the directory was removed
  • Credential renewal now resolves username from Secrets Manager
    • Previously matched tickets only by DomainlessUser stored at lease creation
    • If the username in the secret was later rotated, renewals would fail
    • Now falls back to fetching the current username from the CredentialArn secret
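
The cleanup fix above, as an added example that is not the project's own code: it assumes the calls involved behave like Go's standard os.Remove and os.RemoveAll, and the lease, account and ticket file names are constructed for illustration. It shows that a non-recursive remove of a populated lease directory returns an error and leaves the Kerberos ticket cache on disk, while the recursive call removes it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// makeLease builds a constructed lease layout: <root>/<lease>/<account>/krb5cc.
// Directory and file names are illustrative, not the project's real paths.
func makeLease(root string) (leaseDir string, ticket string, err error) {
	leaseDir = filepath.Join(root, "lease-1234")
	acct := filepath.Join(leaseDir, "webapp01")
	if err = os.MkdirAll(acct, 0o700); err != nil {
		return "", "", err
	}
	ticket = filepath.Join(acct, "krb5cc")
	err = os.WriteFile(ticket, []byte("constructed ticket cache"), 0o600)
	return leaseDir, ticket, err
}

// ticketSurvives runs cleanup against a fresh lease directory and reports
// whether the ticket cache is still on disk, plus the error cleanup returned.
func ticketSurvives(cleanup func(string) error) (bool, error) {
	root, err := os.MkdirTemp("", "cf-demo-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(root) // tidy the demo directory itself
	leaseDir, ticket, err := makeLease(root)
	if err != nil {
		return false, err
	}
	cleanupErr := cleanup(leaseDir)
	_, statErr := os.Stat(ticket)
	return statErr == nil, cleanupErr
}

func main() {
	left, err := ticketSurvives(os.Remove)
	fmt.Printf("os.Remove:    ticket left on disk=%v err=%v\n", left, err)
	left, err = ticketSurvives(os.RemoveAll)
	fmt.Printf("os.RemoveAll: ticket left on disk=%v err=%v\n", left, err)
}
```

If the error from the non-recursive call is discarded, the failure is silent and the credential material stays readable on the host until something else removes it.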

Features & Improvements

  • LDAP search verbose mode and automatic retry with debug output
    • ldapsearch now runs with -v (verbose) by default
    • On failure, automatically retries with -d 1 (debug level 1) for detailed protocol diagnostics
    • Added fallback for missing LDAP timeout configuration to prevent crashes
  • ECS agent startup dependency and ordering
    • Installs a systemd drop-in for ecs.service with Requires=credentials-fetcher.service
    • Waits for the credentials-fetcher Unix socket before ECS agent starts
    • Ships credentials-fetcher-startup-order.sh as an alternative for userdata-based setup
  • Bundled krb5.conf configuration file
    • Default krb5.conf included in RPM under configuration/conf/
    • Removes need for manual Kerberos configuration on the host

Packaging & Build

  • Bumped spec file version to 2.0.1
  • Removed opensource/ build directory and simplified Makefile

Dependency Updates

  • Bumped golang.org/x/net from 0.35.0 to 0.38.0
    • Addresses upstream security and bug fixes

Documentation

  • Updated README with binary name change (credentials-fetcherd → credentials-fetcher)
  • Updated sample credspec JSON to include HostAccountConfig for non-domain-joined mode
  • Updated userdata.md with startup-order script instructions
