github aws/credentials-fetcher v2.0.2
Release v2.0.2

Overview

  • Focus on blue/green username rotation support, automatic orphaned ticket cleanup, and renewal reliability
  • Log file rotation prevents unbounded disk growth
  • Service now auto-enables on RPM install — survives reboots without manual intervention
  • Fargate renewal flow fixed for AddKerberosArnLease
  • AD account name validation aligned with Microsoft spec
  • Fedora packaging files added

What's Changed

Features & Improvements

  • Blue/green username rotation support for non-domain-joined mode
    • Parse oldUser:newUser colon-separated format in AddNonDomainJoinedKerberosLease
    • Resilient DN resolution across rotation events
  • Automatic orphaned ticket cleanup
    • Removes lease directories where all tickets expired more than 7 days past renew_until
    • Runs hourly via background goroutine
  • Log file rotation at 10MB
    • Checked at startup and every 5 minutes — no external dependencies
  • Service auto-enabled on RPM install
    • systemctl enable added to %post script — service survives reboots

Bug Fixes

  • Fixed AD account name validation: allow periods, block additional invalid chars per Microsoft spec
    • Period (.) was incorrectly in the blocklist — valid in sAMAccountName
    • Added the missing invalid characters per Microsoft documentation: double quote ("), equals sign (=), comma (,), parentheses ( ), and braces { }
  • Fixed UTF-8 BOM handling in credential spec parsing
    • Strip full BOM (EF BB BF) and lone 0xEF byte prefix from credspec files
    • Log first 32 bytes as hex on JSON parse failure for diagnostics
  • Fixed GMSA ticket expiry gap during renewal
    • After domainless user ticket recreation, retry loop now continues instead of returning early
    • Added post-renewal verification that ticket expiry was actually extended
  • Fixed renewal after blue-green rotation completes
    • Renew flow now matches tickets by active (new) username when old username isn't found
  • Fixed Secrets Manager fallback in ECS mode
    • Skip fallback when DomainlessUser is already populated — prevents AccessDeniedException on instance role
  • Fixed DomainlessUser for AddKerberosArnLease to enable renewals on Fargate
    • Set DomainlessUser to awsdomainlessusersecret: + secretsArn after ticket creation
    • Skip internal renewal for agent-managed tickets
  • Fixed rotation log firing on every renewal cycle
    • "Blue/green username rotation detected" now only logs when rotation is actually needed
  • Fixed original API errors being swallowed during cleanup
    • Use recursive deletion for lease directories
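
As an added illustration of the two parsing fixes above, not code from the credentials-fetcher project itself: an sAMAccountName check that allows periods and blocks the characters listed, and a credspec loader that strips both BOM variants and reports the first 32 bytes as hex when JSON decoding fails. The function names and the exact blocked-character set are assumptions.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Characters Microsoft documents as illegal in sAMAccountName plus those this
// release adds; the period is deliberately absent. Assumption: the project's
// exact list may differ from this one.
const samInvalidChars = "\"/\\[]:;|=,+*?<>(){}"

// ValidateADAccountName rejects an empty name or one with a blocked character.
func ValidateADAccountName(name string) error {
	if name == "" {
		return fmt.Errorf("account name is empty")
	}
	if i := strings.IndexAny(name, samInvalidChars); i >= 0 {
		return fmt.Errorf("invalid character %q in account name", name[i])
	}
	return nil
}

// ParseCredspec strips a full UTF-8 BOM (EF BB BF) or a lone leading 0xEF byte,
// decodes the JSON, and on failure includes the first 32 bytes as hex so a
// malformed file can be diagnosed from the log alone.
func ParseCredspec(raw []byte) (map[string]any, error) {
	data := raw
	if bytes.HasPrefix(data, []byte{0xEF, 0xBB, 0xBF}) {
		data = data[3:]
	} else if len(data) > 0 && data[0] == 0xEF {
		data = data[1:]
	}
	var spec map[string]any
	if err := json.Unmarshal(data, &spec); err != nil {
		n := len(data)
		if n > 32 {
			n = 32
		}
		return nil, fmt.Errorf("credspec parse failed (first %d bytes %s): %w", n, hex.EncodeToString(data[:n]), err)
	}
	return spec, nil
}

func main() { fmt.Println(ValidateADAccountName("svc.web01"), ValidateADAccountName("svc=web")) }
```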

Packaging & Build

  • Bumped spec file version to 2.0.2
  • Added Fedora packaging files (spec + go-vendor-tools.toml)

Dependency Updates

  • Bumped google.golang.org/grpc and github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
  • Bumped github.com/aws/aws-sdk-go-v2/service/s3 from 1.53.0 to 1.97.3
