RubyGems - grpc - Versions diffs - 1.34.0 → 1.35.0.pre1 - Mend

grpc 1.34.0 → 1.35.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (458) hide show

data/src/core/lib/iomgr/udp_server.cc CHANGED

@@ -570,8 +570,7 @@ static int add_socket_to_server(grpc_udp_server* s, int fd,
   return port;
 }
-int grpc_udp_server_add_port(grpc_udp_server* s,
-                             const grpc_resolved_address* addr,
+int grpc_udp_server_add_port(grpc_udp_server* s, grpc_resolved_address* addr,
                              int rcv_buf_size, int snd_buf_size,
                              GrpcUdpHandlerFactory* handler_factory,
                              size_t num_listeners) {

data/src/core/lib/iomgr/udp_server.h CHANGED

@@ -93,8 +93,7 @@ int grpc_udp_server_get_fd(grpc_udp_server* s, unsigned port_index);
 /* TODO(ctiller): deprecate this, and make grpc_udp_server_add_ports to handle
                   all of the multiple socket port matching logic in one place */
-int grpc_udp_server_add_port(grpc_udp_server* s,
-                             const grpc_resolved_address* addr,
+int grpc_udp_server_add_port(grpc_udp_server* s, grpc_resolved_address* addr,
                              int rcv_buf_size, int snd_buf_size,
                              GrpcUdpHandlerFactory* handler_factory,
                              size_t num_listeners);

data/src/core/lib/iomgr/unix_sockets_posix.cc CHANGED

@@ -42,24 +42,24 @@ void grpc_create_socketpair_if_unix(int sv[2]) {
   GPR_ASSERT(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
 }
-grpc_error* grpc_resolve_unix_domain_address(const char* name,
-                                             grpc_resolved_addresses** addrs) {
-  *addrs = static_cast<grpc_resolved_addresses*>(
+grpc_error* grpc_resolve_unix_domain_address(
+    const char* name, grpc_resolved_addresses** addresses) {
+  *addresses = static_cast<grpc_resolved_addresses*>(
       gpr_malloc(sizeof(grpc_resolved_addresses)));
-  (*addrs)->naddrs = 1;
-  (*addrs)->addrs = static_cast<grpc_resolved_address*>(
+  (*addresses)->naddrs = 1;
+  (*addresses)->addrs = static_cast<grpc_resolved_address*>(
       gpr_malloc(sizeof(grpc_resolved_address)));
-  return grpc_core::UnixSockaddrPopulate(name, (*addrs)->addrs);
+  return grpc_core::UnixSockaddrPopulate(name, (*addresses)->addrs);
 }
 grpc_error* grpc_resolve_unix_abstract_domain_address(
-    const absl::string_view name, grpc_resolved_addresses** addrs) {
-  *addrs = static_cast<grpc_resolved_addresses*>(
+    const absl::string_view name, grpc_resolved_addresses** addresses) {
+  *addresses = static_cast<grpc_resolved_addresses*>(
       gpr_malloc(sizeof(grpc_resolved_addresses)));
-  (*addrs)->naddrs = 1;
-  (*addrs)->addrs = static_cast<grpc_resolved_address*>(
+  (*addresses)->naddrs = 1;
+  (*addresses)->addrs = static_cast<grpc_resolved_address*>(
       gpr_malloc(sizeof(grpc_resolved_address)));
-  return grpc_core::UnixAbstractSockaddrPopulate(name, (*addrs)->addrs);
+  return grpc_core::UnixAbstractSockaddrPopulate(name, (*addresses)->addrs);
 }
 int grpc_is_unix_socket(const grpc_resolved_address* resolved_addr) {
@@ -96,16 +96,15 @@ std::string grpc_sockaddr_to_uri_unix_if_possible(
   if (addr->sa_family != AF_UNIX) {
     return "";
   }
-  if (((struct sockaddr_un*)addr)->sun_path[0] == '\0' &&
-      ((struct sockaddr_un*)addr)->sun_path[1] != '\0') {
-    const struct sockaddr_un* un =
-        reinterpret_cast<const struct sockaddr_un*>(resolved_addr->addr);
+  const auto* unix_addr = reinterpret_cast<const struct sockaddr_un*>(addr);
+  if (unix_addr->sun_path[0] == '\0' && unix_addr->sun_path[1] != '\0') {
     return absl::StrCat(
         "unix-abstract:",
-        absl::string_view(un->sun_path + 1,
-                          resolved_addr->len - sizeof(un->sun_family) - 1));
+        absl::string_view(
+            unix_addr->sun_path + 1,
+            resolved_addr->len - sizeof(unix_addr->sun_family) - 1));
   }
-  return absl::StrCat("unix:", ((struct sockaddr_un*)addr)->sun_path);
+  return absl::StrCat("unix:", unix_addr->sun_path);
 }
 #endif

data/src/core/lib/json/json.h CHANGED

@@ -76,6 +76,7 @@ class Json {
   // Construct from copying a string.
   // If is_number is true, the type will be NUMBER instead of STRING.
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(const std::string& string, bool is_number = false)
       : type_(is_number ? Type::NUMBER : Type::STRING), string_value_(string) {}
   Json& operator=(const std::string& string) {
@@ -85,12 +86,14 @@ class Json {
   }
   // Same thing for C-style strings, both const and mutable.
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(const char* string, bool is_number = false)
       : Json(std::string(string), is_number) {}
   Json& operator=(const char* string) {
     *this = std::string(string);
     return *this;
   }
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(char* string, bool is_number = false)
       : Json(std::string(string), is_number) {}
   Json& operator=(char* string) {
@@ -99,6 +102,7 @@ class Json {
   }
   // Construct by moving a string.
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(std::string&& string)
       : type_(Type::STRING), string_value_(std::move(string)) {}
   Json& operator=(std::string&& string) {
@@ -108,6 +112,7 @@ class Json {
   }
   // Construct from bool.
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(bool b) : type_(b ? Type::JSON_TRUE : Type::JSON_FALSE) {}
   Json& operator=(bool b) {
     type_ = b ? Type::JSON_TRUE : Type::JSON_FALSE;
@@ -116,6 +121,7 @@ class Json {
   // Construct from any numeric type.
   template <typename NumericType>
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(NumericType number)
       : type_(Type::NUMBER), string_value_(std::to_string(number)) {}
   template <typename NumericType>
@@ -126,6 +132,7 @@ class Json {
   }
   // Construct by copying object.
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(const Object& object) : type_(Type::OBJECT), object_value_(object) {}
   Json& operator=(const Object& object) {
     type_ = Type::OBJECT;
@@ -134,6 +141,7 @@ class Json {
   }
   // Construct by moving object.
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(Object&& object)
       : type_(Type::OBJECT), object_value_(std::move(object)) {}
   Json& operator=(Object&& object) {
@@ -143,6 +151,7 @@ class Json {
   }
   // Construct by copying array.
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(const Array& array) : type_(Type::ARRAY), array_value_(array) {}
   Json& operator=(const Array& array) {
     type_ = Type::ARRAY;
@@ -151,6 +160,7 @@ class Json {
   }
   // Construct by moving array.
+  // NOLINTNEXTLINE(google-explicit-constructor)
   Json(Array&& array) : type_(Type::ARRAY), array_value_(std::move(array)) {}
   Json& operator=(Array&& array) {
     type_ = Type::ARRAY;

data/src/core/lib/security/authorization/evaluate_args.cc CHANGED

@@ -87,14 +87,12 @@ int EvaluateArgs::GetLocalPort() const {
   if (endpoint_ == nullptr) {
     return 0;
   }
-  grpc_uri* uri = grpc_uri_parse(
-      std::string(grpc_endpoint_get_local_address(endpoint_)).c_str(), true);
+  absl::StatusOr<URI> uri =
+      URI::Parse(grpc_endpoint_get_local_address(endpoint_));
   grpc_resolved_address resolved_addr;
-  if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
-    grpc_uri_destroy(uri);
+  if (!uri.ok() || !grpc_parse_uri(*uri, &resolved_addr)) {
     return 0;
   }
-  grpc_uri_destroy(uri);
   return grpc_sockaddr_get_port(&resolved_addr);
 }
@@ -113,14 +111,11 @@ int EvaluateArgs::GetPeerPort() const {
   if (endpoint_ == nullptr) {
     return 0;
   }
-  grpc_uri* uri = grpc_uri_parse(
-      std::string(grpc_endpoint_get_peer(endpoint_)).c_str(), true);
+  absl::StatusOr<URI> uri = URI::Parse(grpc_endpoint_get_peer(endpoint_));
   grpc_resolved_address resolved_addr;
-  if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
-    grpc_uri_destroy(uri);
+  if (!uri.ok() || !grpc_parse_uri(*uri, &resolved_addr)) {
     return 0;
   }
-  grpc_uri_destroy(uri);
   return grpc_sockaddr_get_port(&resolved_addr);
 }

data/src/core/lib/security/authorization/evaluate_args.h CHANGED

@@ -46,7 +46,7 @@ class EvaluateArgs {
   absl::string_view GetSpiffeId() const;
   absl::string_view GetCertServerName() const;
-  // TODO: Add a getter function for source.principal
+  // TODO(unknown): Add a getter function for source.principal
  private:
   grpc_metadata_batch* metadata_;

data/src/core/lib/security/context/security_context.cc CHANGED

@@ -294,9 +294,10 @@ static const grpc_arg_pointer_vtable auth_context_pointer_vtable = {
     auth_context_pointer_arg_copy, auth_context_pointer_arg_destroy,
     auth_context_pointer_cmp};
-grpc_arg grpc_auth_context_to_arg(grpc_auth_context* p) {
-  return grpc_channel_arg_pointer_create((char*)GRPC_AUTH_CONTEXT_ARG, p,
-                                         &auth_context_pointer_vtable);
+grpc_arg grpc_auth_context_to_arg(grpc_auth_context* c) {
+  return grpc_channel_arg_pointer_create(
+      const_cast<char*>(GRPC_AUTH_CONTEXT_ARG), c,
+      &auth_context_pointer_vtable);
 }
 grpc_auth_context* grpc_auth_context_from_arg(const grpc_arg* arg) {

data/src/core/lib/security/credentials/alts/check_gcp_environment.cc CHANGED

@@ -57,7 +57,7 @@ namespace internal {
 char* read_bios_file(const char* bios_file) {
   FILE* fp = fopen(bios_file, "r");
   if (!fp) {
-    gpr_log(GPR_ERROR, "BIOS data file cannot be opened.");
+    gpr_log(GPR_INFO, "BIOS data file does not exist or cannot be opened.");
     return nullptr;
   }
   char buf[kBiosDataBufferSize + 1];

data/src/core/lib/security/credentials/credentials.cc CHANGED

@@ -67,9 +67,9 @@ static const grpc_arg_pointer_vtable credentials_pointer_vtable = {
 grpc_arg grpc_channel_credentials_to_arg(
     grpc_channel_credentials* credentials) {
-  return grpc_channel_arg_pointer_create((char*)GRPC_ARG_CHANNEL_CREDENTIALS,
-                                         credentials,
-                                         &credentials_pointer_vtable);
+  return grpc_channel_arg_pointer_create(
+      const_cast<char*>(GRPC_ARG_CHANNEL_CREDENTIALS), credentials,
+      &credentials_pointer_vtable);
 }
 grpc_channel_credentials* grpc_channel_credentials_from_arg(
@@ -134,9 +134,9 @@ static const grpc_arg_pointer_vtable cred_ptr_vtable = {
     server_credentials_pointer_arg_copy, server_credentials_pointer_arg_destroy,
     server_credentials_pointer_cmp};
-grpc_arg grpc_server_credentials_to_arg(grpc_server_credentials* p) {
-  return grpc_channel_arg_pointer_create((char*)GRPC_SERVER_CREDENTIALS_ARG, p,
-                                         &cred_ptr_vtable);
+grpc_arg grpc_server_credentials_to_arg(grpc_server_credentials* c) {
+  return grpc_channel_arg_pointer_create(
+      const_cast<char*>(GRPC_SERVER_CREDENTIALS_ARG), c, &cred_ptr_vtable);
 }
 grpc_server_credentials* grpc_server_credentials_from_arg(const grpc_arg* arg) {

data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc ADDED

@@ -0,0 +1,413 @@
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/security/credentials/external/aws_external_account_credentials.h"
+#include "absl/strings/str_format.h"
+#include "absl/strings/str_join.h"
+#include "absl/strings/str_replace.h"
+#include "src/core/lib/gpr/env.h"
+namespace grpc_core {
+namespace {
+const char* kExpectedEnvironmentId = "aws1";
+const char* kRegionEnvVar = "AWS_REGION";
+const char* kAccessKeyIdEnvVar = "AWS_ACCESS_KEY_ID";
+const char* kSecretAccessKeyEnvVar = "AWS_SECRET_ACCESS_KEY";
+const char* kSessionTokenEnvVar = "AWS_SESSION_TOKEN";
+std::string UrlEncode(const absl::string_view& s) {
+  const char* hex = "0123456789ABCDEF";
+  std::string result;
+  result.reserve(s.length());
+  for (auto c : s) {
+    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
+        (c >= 'a' && c <= 'z') || c == '-' || c == '_' || c == '!' ||
+        c == '\'' || c == '(' || c == ')' || c == '*' || c == '~' || c == '.') {
+      result.push_back(c);
+    } else {
+      result.push_back('%');
+      result.push_back(hex[static_cast<unsigned char>(c) >> 4]);
+      result.push_back(hex[static_cast<unsigned char>(c) & 15]);
+    }
+  }
+  return result;
+}
+}  // namespace
+RefCountedPtr<AwsExternalAccountCredentials>
+AwsExternalAccountCredentials::Create(Options options,
+                                      std::vector<std::string> scopes,
+                                      grpc_error** error) {
+  auto creds = MakeRefCounted<AwsExternalAccountCredentials>(
+      std::move(options), std::move(scopes), error);
+  if (*error == GRPC_ERROR_NONE) {
+    return creds;
+  } else {
+    return nullptr;
+  }
+}
+AwsExternalAccountCredentials::AwsExternalAccountCredentials(
+    Options options, std::vector<std::string> scopes, grpc_error** error)
+    : ExternalAccountCredentials(options, std::move(scopes)) {
+  audience_ = options.audience;
+  auto it = options.credential_source.object_value().find("environment_id");
+  if (it == options.credential_source.object_value().end()) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "environment_id field not present.");
+    return;
+  }
+  if (it->second.type() != Json::Type::STRING) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "environment_id field must be a string.");
+    return;
+  }
+  if (it->second.string_value() != kExpectedEnvironmentId) {
+    *error =
+        GRPC_ERROR_CREATE_FROM_STATIC_STRING("environment_id does not match.");
+    return;
+  }
+  it = options.credential_source.object_value().find("region_url");
+  if (it == options.credential_source.object_value().end()) {
+    *error =
+        GRPC_ERROR_CREATE_FROM_STATIC_STRING("region_url field not present.");
+    return;
+  }
+  if (it->second.type() != Json::Type::STRING) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "region_url field must be a string.");
+    return;
+  }
+  region_url_ = it->second.string_value();
+  it = options.credential_source.object_value().find("url");
+  if (it != options.credential_source.object_value().end() &&
+      it->second.type() == Json::Type::STRING) {
+    url_ = it->second.string_value();
+  }
+  it = options.credential_source.object_value().find(
+      "regional_cred_verification_url");
+  if (it == options.credential_source.object_value().end()) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "regional_cred_verification_url field not present.");
+    return;
+  }
+  if (it->second.type() != Json::Type::STRING) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "regional_cred_verification_url field must be a string.");
+    return;
+  }
+  regional_cred_verification_url_ = it->second.string_value();
+}
+void AwsExternalAccountCredentials::RetrieveSubjectToken(
+    HTTPRequestContext* ctx, const Options& options,
+    std::function<void(std::string, grpc_error*)> cb) {
+  if (ctx == nullptr) {
+    FinishRetrieveSubjectToken(
+        "",
+        GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+            "Missing HTTPRequestContext to start subject token retrieval."));
+    return;
+  }
+  ctx_ = ctx;
+  cb_ = cb;
+  if (signer_ != nullptr) {
+    BuildSubjectToken();
+  } else {
+    RetrieveRegion();
+  }
+}
+void AwsExternalAccountCredentials::RetrieveRegion() {
+  UniquePtr<char> region_from_env(gpr_getenv(kRegionEnvVar));
+  if (region_from_env != nullptr) {
+    region_ = std::string(region_from_env.get());
+    if (url_.empty()) {
+      RetrieveSigningKeys();
+    } else {
+      RetrieveRoleName();
+    }
+    return;
+  }
+  absl::StatusOr<URI> uri = URI::Parse(region_url_);
+  if (!uri.ok()) {
+    FinishRetrieveSubjectToken("", GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                                       absl::StrFormat("Invalid region url. %s",
+                                                       uri.status().ToString())
+                                           .c_str()));
+    return;
+  }
+  grpc_httpcli_request request;
+  memset(&request, 0, sizeof(grpc_httpcli_request));
+  request.host = const_cast<char*>(uri->authority().c_str());
+  request.http.path = gpr_strdup(uri->path().c_str());
+  request.handshaker =
+      uri->scheme() == "https" ? &grpc_httpcli_ssl : &grpc_httpcli_plaintext;
+  grpc_resource_quota* resource_quota =
+      grpc_resource_quota_create("external_account_credentials");
+  grpc_http_response_destroy(&ctx_->response);
+  ctx_->response = {};
+  GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveRegion, this, nullptr);
+  grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent, resource_quota,
+                   &request, ctx_->deadline, &ctx_->closure, &ctx_->response);
+  grpc_resource_quota_unref_internal(resource_quota);
+  grpc_http_request_destroy(&request.http);
+}
+void AwsExternalAccountCredentials::OnRetrieveRegion(void* arg,
+                                                     grpc_error* error) {
+  AwsExternalAccountCredentials* self =
+      static_cast<AwsExternalAccountCredentials*>(arg);
+  self->OnRetrieveRegionInternal(GRPC_ERROR_REF(error));
+}
+void AwsExternalAccountCredentials::OnRetrieveRegionInternal(
+    grpc_error* error) {
+  if (error != GRPC_ERROR_NONE) {
+    FinishRetrieveSubjectToken("", error);
+    return;
+  }
+  // Remove the last letter of availability zone to get pure region
+  absl::string_view response_body(ctx_->response.body,
+                                  ctx_->response.body_length);
+  region_ = std::string(response_body.substr(0, response_body.size() - 1));
+  if (url_.empty()) {
+    RetrieveSigningKeys();
+  } else {
+    RetrieveRoleName();
+  }
+}
+void AwsExternalAccountCredentials::RetrieveRoleName() {
+  absl::StatusOr<URI> uri = URI::Parse(url_);
+  if (!uri.ok()) {
+    FinishRetrieveSubjectToken(
+        "", GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                absl::StrFormat("Invalid url: %s.", uri.status().ToString())
+                    .c_str()));
+    return;
+  }
+  grpc_httpcli_request request;
+  memset(&request, 0, sizeof(grpc_httpcli_request));
+  request.host = const_cast<char*>(uri->authority().c_str());
+  request.http.path = gpr_strdup(uri->path().c_str());
+  request.handshaker =
+      uri->scheme() == "https" ? &grpc_httpcli_ssl : &grpc_httpcli_plaintext;
+  grpc_resource_quota* resource_quota =
+      grpc_resource_quota_create("external_account_credentials");
+  grpc_http_response_destroy(&ctx_->response);
+  ctx_->response = {};
+  GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveRoleName, this, nullptr);
+  grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent, resource_quota,
+                   &request, ctx_->deadline, &ctx_->closure, &ctx_->response);
+  grpc_resource_quota_unref_internal(resource_quota);
+  grpc_http_request_destroy(&request.http);
+}
+void AwsExternalAccountCredentials::OnRetrieveRoleName(void* arg,
+                                                       grpc_error* error) {
+  AwsExternalAccountCredentials* self =
+      static_cast<AwsExternalAccountCredentials*>(arg);
+  self->OnRetrieveRoleNameInternal(GRPC_ERROR_REF(error));
+}
+void AwsExternalAccountCredentials::OnRetrieveRoleNameInternal(
+    grpc_error* error) {
+  if (error != GRPC_ERROR_NONE) {
+    FinishRetrieveSubjectToken("", error);
+    return;
+  }
+  role_name_ = std::string(ctx_->response.body, ctx_->response.body_length);
+  RetrieveSigningKeys();
+}
+void AwsExternalAccountCredentials::RetrieveSigningKeys() {
+  UniquePtr<char> access_key_id_from_env(gpr_getenv(kAccessKeyIdEnvVar));
+  UniquePtr<char> secret_access_key_from_env(
+      gpr_getenv(kSecretAccessKeyEnvVar));
+  UniquePtr<char> token_from_env(gpr_getenv(kSessionTokenEnvVar));
+  if (access_key_id_from_env != nullptr &&
+      secret_access_key_from_env != nullptr && token_from_env != nullptr) {
+    access_key_id_ = std::string(access_key_id_from_env.get());
+    secret_access_key_ = std::string(secret_access_key_from_env.get());
+    token_ = std::string(token_from_env.get());
+    BuildSubjectToken();
+    return;
+  }
+  if (role_name_.empty()) {
+    FinishRetrieveSubjectToken(
+        "", GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                "Missing role name when retrieving signing keys."));
+    return;
+  }
+  std::string url_with_role_name = absl::StrCat(url_, "/", role_name_);
+  absl::StatusOr<URI> uri = URI::Parse(url_with_role_name);
+  if (!uri.ok()) {
+    FinishRetrieveSubjectToken(
+        "", GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                absl::StrFormat("Invalid url with role name: %s.",
+                                uri.status().ToString())
+                    .c_str()));
+    return;
+  }
+  grpc_httpcli_request request;
+  memset(&request, 0, sizeof(grpc_httpcli_request));
+  request.host = const_cast<char*>(uri->authority().c_str());
+  request.http.path = gpr_strdup(uri->path().c_str());
+  request.handshaker =
+      uri->scheme() == "https" ? &grpc_httpcli_ssl : &grpc_httpcli_plaintext;
+  grpc_resource_quota* resource_quota =
+      grpc_resource_quota_create("external_account_credentials");
+  grpc_http_response_destroy(&ctx_->response);
+  ctx_->response = {};
+  GRPC_CLOSURE_INIT(&ctx_->closure, OnRetrieveSigningKeys, this, nullptr);
+  grpc_httpcli_get(ctx_->httpcli_context, ctx_->pollent, resource_quota,
+                   &request, ctx_->deadline, &ctx_->closure, &ctx_->response);
+  grpc_resource_quota_unref_internal(resource_quota);
+  grpc_http_request_destroy(&request.http);
+}
+void AwsExternalAccountCredentials::OnRetrieveSigningKeys(void* arg,
+                                                          grpc_error* error) {
+  AwsExternalAccountCredentials* self =
+      static_cast<AwsExternalAccountCredentials*>(arg);
+  self->OnRetrieveSigningKeysInternal(GRPC_ERROR_REF(error));
+}
+void AwsExternalAccountCredentials::OnRetrieveSigningKeysInternal(
+    grpc_error* error) {
+  if (error != GRPC_ERROR_NONE) {
+    FinishRetrieveSubjectToken("", error);
+    return;
+  }
+  absl::string_view response_body(ctx_->response.body,
+                                  ctx_->response.body_length);
+  Json json = Json::Parse(response_body, &error);
+  if (error != GRPC_ERROR_NONE || json.type() != Json::Type::OBJECT) {
+    FinishRetrieveSubjectToken(
+        "", GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
+                "Invalid retrieve signing keys response.", &error, 1));
+    GRPC_ERROR_UNREF(error);
+    return;
+  }
+  auto it = json.object_value().find("AccessKeyId");
+  if (it != json.object_value().end() &&
+      it->second.type() == Json::Type::STRING) {
+    access_key_id_ = it->second.string_value();
+  } else {
+    FinishRetrieveSubjectToken(
+        "", GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                absl::StrFormat("Missing or invalid AccessKeyId in %s.",
+                                response_body)
+                    .c_str()));
+    return;
+  }
+  it = json.object_value().find("SecretAccessKey");
+  if (it != json.object_value().end() &&
+      it->second.type() == Json::Type::STRING) {
+    secret_access_key_ = it->second.string_value();
+  } else {
+    FinishRetrieveSubjectToken(
+        "", GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                absl::StrFormat("Missing or invalid SecretAccessKey in %s.",
+                                response_body)
+                    .c_str()));
+    return;
+  }
+  it = json.object_value().find("Token");
+  if (it != json.object_value().end() &&
+      it->second.type() == Json::Type::STRING) {
+    token_ = it->second.string_value();
+  } else {
+    FinishRetrieveSubjectToken(
+        "",
+        GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+            absl::StrFormat("Missing or invalid Token in %s.", response_body)
+                .c_str()));
+    return;
+  }
+  BuildSubjectToken();
+}
+void AwsExternalAccountCredentials::BuildSubjectToken() {
+  grpc_error* error = GRPC_ERROR_NONE;
+  if (signer_ == nullptr) {
+    cred_verification_url_ = absl::StrReplaceAll(
+        regional_cred_verification_url_, {{"{region}", region_}});
+    signer_ = absl::make_unique<AwsRequestSigner>(
+        access_key_id_, secret_access_key_, token_, "POST",
+        cred_verification_url_, region_, "",
+        std::map<std::string, std::string>(), &error);
+    if (error != GRPC_ERROR_NONE) {
+      FinishRetrieveSubjectToken(
+          "", GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
+                  "Creating aws request signer failed.", &error, 1));
+      GRPC_ERROR_UNREF(error);
+      return;
+    }
+  }
+  auto signed_headers = signer_->GetSignedRequestHeaders();
+  if (error != GRPC_ERROR_NONE) {
+    FinishRetrieveSubjectToken("",
+                               GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
+                                   "Invalid getting signed request"
+                                   "headers.",
+                                   &error, 1));
+    GRPC_ERROR_UNREF(error);
+    return;
+  }
+  // Construct subject token
+  Json::Array headers;
+  headers.push_back(Json(
+      {{"key", "Authorization"}, {"value", signed_headers["Authorization"]}}));
+  headers.push_back(Json({{"key", "host"}, {"value", signed_headers["host"]}}));
+  headers.push_back(
+      Json({{"key", "x-amz-date"}, {"value", signed_headers["x-amz-date"]}}));
+  headers.push_back(Json({{"key", "x-amz-security-token"},
+                          {"value", signed_headers["x-amz-security-token"]}}));
+  headers.push_back(
+      Json({{"key", "x-goog-cloud-target-resource"}, {"value", audience_}}));
+  Json::Object object{{"url", Json(cred_verification_url_)},
+                      {"method", Json("POST")},
+                      {"headers", Json(headers)}};
+  Json subject_token_json(object);
+  std::string subject_token = UrlEncode(subject_token_json.Dump());
+  FinishRetrieveSubjectToken(subject_token, GRPC_ERROR_NONE);
+}
+void AwsExternalAccountCredentials::FinishRetrieveSubjectToken(
+    std::string subject_token, grpc_error* error) {
+  // Reset context
+  ctx_ = nullptr;
+  // Move object state into local variables.
+  auto cb = cb_;
+  cb_ = nullptr;
+  // Invoke the callback.
+  if (error != GRPC_ERROR_NONE) {
+    cb("", error);
+  } else {
+    cb(subject_token, GRPC_ERROR_NONE);
+  }
+}
+}  // namespace grpc_core