Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS_DEFAULT_PROFILE, AWS_CONFIG_FILE, credential_process ignored #10248

Closed
4 tasks done
OJFord opened this issue Nov 16, 2021 · 2 comments
Closed
4 tasks done

AWS_DEFAULT_PROFILE, AWS_CONFIG_FILE, credential_process ignored #10248

OJFord opened this issue Nov 16, 2021 · 2 comments
Assignees
@OJFord
Labels
needs feedback

Comments

@OJFord
Copy link

OJFord commented Nov 16, 2021
edited

Are you certain it's a bug?

  • Yes, it looks like a bug

Is the issue caused by a plugin?

  • It is not a plugin issue

Are you using the latest version?

  • Yes, I'm using the latest version

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

The support for AWS_DEFAULT_PROFILE added in #8354 fixing #7676 seems to have been removed, and indeed is not claimed to work at: https://www.serverless.com/framework/docs/providers/aws/guide/credentials/

I can pass the resultant 'AWS provider credentials not found' error by setting AWS_PROFILE="$AWS_DEFAULT_PROFILE".

The problem then is that a file ~/.aws/credentials is assumed to exist:

serverless/lib/plugins/aws/utils/credentials.js

Line 11 in eca599d

const credentialsFilePath = homedir ? join(awsConfigDirPath, 'credentials') : null;

Ignoring both AWS_CONFIG_FILE and (it seems, but I can't get that far) the use of credential_process within it.

Workaround:

unset AWS_PROFILE # from setting it above, because serverless (unlike awscli & tools that use the SDK) gives it priority over explicit access keys

tempcred="$(aws sts get-session-token)"
export AWS_ACCESS_KEY_ID="$(echo "$tempcred" | jq -r '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(echo "$tempcred" | jq -r '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(echo "$tempcred" | jq -r '.Credentials.SessionToken')"

(for the core anyway, to create most resources, until it seems the warmup plugin doesn't even support AWS_SESSION_TOKEN so have to give up and use the underlying access key directly, bypassing the credential_process entirely and non-ephemerally.)

Is there a reason Serverless needs to re-implement this auth handling, rather than let the SDK do it (and so be consistent with other tools that use it)?

NB I couldn't submit without ticking 'not a plugin issue' - it's the AWS plugin of course, but that's in this repo.

Service configuration (serverless.yml) content

N/A

Command name and used flags

N/A

Command output

AWS profile "blah" doesn't seem to be configured

Environment information

Framework Core: 2.66.1
Plugin: 5.5.1
SDK: 4.3.0
Components: 3.18.0
@medikoo
Copy link
Contributor

medikoo commented Nov 16, 2021

@OJFord AWS_DEFAULT_PROFILE definitely works (just tested it) If you feel otherwise, please fill the issue template completely providing all necessary reproduction details (service configuration with no plugins involved, used command name, and full output of command you receive)

Concerning other issues, please see: #9290

@OJFord
Copy link
Author

OJFord commented Nov 16, 2021

@medikoo Ok. As I say, I get past that error if I set AWS_PROFILE (previously unset) to the value of AWS_DEFAULT_PROFILE.

Concerning other issues, please see: #9290

FWIW doesn't seem to mention AWS_CONFIG_FILE.

@OJFord OJFord closed this as completed Nov 16, 2021
@mentos1386 mentos1386 mentioned this issue Oct 14, 2022
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@OJFord OJFord

Labels
needs feedback
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@medikoo @OJFord