Credential Provider Chain Not Working #3076

Closed
roygeorgeP opened this issue Jan 5, 2024 · 4 comments
Labels: bug, needs-triage


roygeorgeP commented Jan 5, 2024

Describe the bug

I am trying to exercise the credential provider chain mechanism as documented here https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html

The code snippet is

    SecretsManagerClient client = SecretsManagerClient.builder()
            .region(Region.US_EAST_1)
            .build();

or

    S3Client s3client = S3Client.builder()
            .region(Region.US_EAST_1)
            .build();

I would expect it to pull from the credential chain as mentioned in the documentation.

So, when I run my mvn command
mvn package -DAWS_ACCESS_KEY_ID="XXX" -DAWS_SECRET_ACCESS_KEY="YYY" -DAWS_SESSION_TOKEN="ZZZ"
pom.zip

an error is thrown...

But when I explicitly provide the tokens in the code the test works.

    AwsBasicCredentials credentials = AwsBasicCredentials.create(awsAccessKey, awSecret);
    StaticCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(credentials);
    SecretsManagerClient client = SecretsManagerClient.builder()
            .credentialsProvider(credentialsProvider)
            .region(Region.US_EAST_1)
            .build();

Expected Behavior

I would expect it to pull from the credential chain as mentioned in the documentation.

Current Behavior

Exception thrown
Time elapsed: 0.112 s <<< ERROR!
software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=RSD-DM-API-Consumer, profileFile=ProfileFile(profilesAndSectionsMap=[{tfppqa=Profile(name=tfppqa, properties=[output, region, aws_access_key_id, aws_secret_access_key]), etoeksnonprod=Profile(name=etoeksnonprod, properties=[output, region, aws_access_key_id, aws_secret_access_key]), RSD-DM-API-Consumer=Profile(name=RSD-DM-API-Consumer, properties=[output, region, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY]), tfsdsprod=Profile(name=tfsdsprod, properties=[aws_access_key_id, aws_secret_access_key])}, {}])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. 
Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=RSD-DM-API-Consumer, profileFile=ProfileFile(profilesAndSectionsMap=[{tfppqa=Profile(name=tfppqa, properties=[output, region, aws_access_key_id, aws_secret_access_key]), etoeksnonprod=Profile(name=etoeksnonprod, properties=[output, region, aws_access_key_id, aws_secret_access_key]), RSD-DM-API-Consumer=Profile(name=RSD-DM-API-Consumer, properties=[output, region, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY]), tfsdsprod=Profile(name=tfsdsprod, properties=[aws_access_key_id, aws_secret_access_key])}, {}])): Profile file contained no credentials for profile 'RSD-DM-API-Consumer': ProfileFile(profilesAndSectionsMap=[{tfppqa=Profile(name=tfppqa, properties=[output, region, aws_access_key_id, aws_secret_access_key]), etoeksnonprod=Profile(name=etoeksnonprod, properties=[output, region, aws_access_key_id, aws_secret_access_key]), RSD-DM-API-Consumer=Profile(name=RSD-DM-API-Consumer, properties=[output, region, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY]), tfsdsprod=Profile(name=tfsdsprod, properties=[aws_access_key_id, aws_secret_access_key])}, {}]), ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]

Reproduction Steps

pom xml has been attached to show the sdk version I am using.

The code snippet is

    SecretsManagerClient client = SecretsManagerClient.builder()
            .region(Region.US_EAST_1)
            .build();

or

    S3Client s3client = S3Client.builder()
            .region(Region.US_EAST_1)
            .build();

Run mvn command
mvn package -DAWS_ACCESS_KEY_ID="XXX" -DAWS_SECRET_ACCESS_KEY="YYY" -DAWS_SESSION_TOKEN="ZZZ"

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.20.43

JDK version used

11

Operating System and version

Windows 10


psnilesh commented Jan 6, 2024

This issue belongs to https://github.com/aws/aws-sdk-java-v2

-D defines a system property. It looks to me like the credential resolution failure was because the properties you defined are not the same properties read by SystemPropertyCredentialsProvider.

Give this a try.

mvn package -Daws_access_key_id="XXX" -Daws_secret_access_key="YYY" -Daws_session_token="ZZZ"

roygeorgeP (Author) commented

I did an aws sts get-session-token --duration-seconds 129600
And I got a json

    {
        "Credentials": {
            "AccessKeyId": "blah",
            "SecretAccessKey": "blah",
            "SessionToken": "blah",
            "Expiration": "2024-01-10T08:33:42+00:00"
        }
    }

Then I tried using values from that in the mvn command below

mvn package -Daws_access_key_id=blah -Daws_secret_access_key=blah -Daws_session_token="blah"

And that does not work either.

roygeorgeP (Author) commented

Looking through the code it should have been
-Daws.accessKeyId=xxx -Daws.secretAccessKey="yyy"......

Thanks for pointing to the code itself.
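
The property-name mismatch resolved in this thread can be checked from inside the JVM before any client is built. The following is an added example, not part of the issue thread or the SDK's own code; the class name `CredentialSettingCheck` is hypothetical, and it assumes the SDK's `auth` and `sdk-core` modules are on the classpath.

```java
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider;
import software.amazon.awssdk.core.SdkSystemSetting;
import software.amazon.awssdk.core.exception.SdkClientException;

/** Added diagnostic (hypothetical class name): reports which credential settings this JVM can see. */
public class CredentialSettingCheck {

    // The settings read by SystemPropertyCredentialsProvider (as system properties)
    // and EnvironmentVariableCredentialsProvider (as environment variables).
    private static final SdkSystemSetting[] SETTINGS = {
        SdkSystemSetting.AWS_ACCESS_KEY_ID,
        SdkSystemSetting.AWS_SECRET_ACCESS_KEY,
        SdkSystemSetting.AWS_SESSION_TOKEN
    };

    // Report presence only, so no secret value ends up in build logs.
    static String presence(String value) {
        return (value == null || value.isEmpty()) ? "missing" : "set";
    }

    public static void main(String[] args) {
        for (SdkSystemSetting s : SETTINGS) {
            String prop = s.property();            // e.g. aws.accessKeyId
            String env = s.environmentVariable();  // e.g. AWS_ACCESS_KEY_ID
            System.out.printf("-D%s: %s | env %s: %s%n",
                    prop, presence(System.getProperty(prop)),
                    env, presence(System.getenv(env)));
            // -DAWS_ACCESS_KEY_ID=... creates a system property that carries the
            // environment-variable name; neither provider looks that name up.
            if (System.getProperty(env) != null) {
                System.out.printf("  system property '%s' is set but not read; use -D%s%n", env, prop);
            }
        }
        try {
            AwsCredentials creds = SystemPropertyCredentialsProvider.create().resolveCredentials();
            System.out.println("System properties resolved: "
                    + (creds instanceof AwsSessionCredentials ? "session credentials" : "long-term key pair"));
        } catch (SdkClientException e) {
            // The SDK message names the expected property and variable, not their values.
            System.out.println("System properties did not resolve: " + e.getMessage());
        }
    }
}
```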


github-actions bot commented Jan 8, 2024

COMMENT VISIBILITY WARNING

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
