boundary cli is not using AWS_PROFILE
Describe the bug
boundary cli is not using Env AWS_PROFILE
To Reproduce
Steps to reproduce the behavior:
boundary controller is using AWS KMS as its kms, boundary server can access the aws kms key fine on the client side, use boundary cli to do the Recovery KMS Workflow
recovery.hcl as below
kms "awskms" {
  purpose    = "recovery"
  region     = "cn-northwest-1"
  kms_key_id = "****(my kms key id)"
}
On my local machine, which runs the boundary cli, ~/.aws/config is set as follows:
[profile my_profile]
region = cn-northwest-1
source_profile = <my source profile>
role_arn = <my IAM role which has access to the KMS key>
run the command:
$ export AWS_PROFILE=my_profile
$ boundary users list -recovery-config recovery.hcl
Results in the error:
Error creating API client: Error configuring kms: error setting configuration on the kms plugin: rpc error: code = Unknown desc = error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Expected behavior
According to https://www.boundaryproject.io/docs/configuration/kms/awskms, boundary should support AWS_PROFILE to use the aws profile configured locally.
Additional context
boundary version 0.10.3
Looks like it is not giving any option to the GenerateCredentialChain() https://github.com/hashicorp/go-kms-wrapping/blob/8942ada7037b3ff2c04d213dbf64c439e61d3a58/wrappers/awskms/awskms.go#L296 so the AWS_PROFILE is ignored: https://github.com/hashicorp/go-secure-stdlib/blob/f7bda984abfc12ada776e1495d8f4c94a9afc5fa/awsutil/generate_credentials.go#L188
Hey @vanniszsu, thanks for reporting.
I've been trying to reproduce this on my end and I haven't been able to. From my testing, I've also noticed that the error message you posted seems to also show up when a profile is incorrectly set up, not working correctly or not present.
Can you confirm that you can use the same profile to list kms using the AWS cli directly?
aws kms list-keys --profile your_profile_here.
Additionally, what version of the AWS CLI are you using?
Thanks!
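
Added example, not part of the thread and not Boundary or AWS SDK code: an offline check that a named profile's role_arn / source_profile chain resolves to static keys, which separates "profile is missing or incomplete" from "profile is fine but not being read". The profile names, ARN and key values below are constructed placeholders; it only models static keys and role chains (no SSO or credential_process) and never contacts AWS.

```python
import configparser

# Constructed sample files; every value is a placeholder, not taken from the issue.
SAMPLE_CONFIG = """
[profile my_profile]
region = cn-northwest-1
source_profile = base
role_arn = arn:aws-cn:iam::111111111111:role/example-kms-role

[profile orphan]
source_profile = missing
role_arn = arn:aws-cn:iam::111111111111:role/example-kms-role
"""
SAMPLE_CREDENTIALS = """
[base]
aws_access_key_id = EXAMPLE_KEY_ID
aws_secret_access_key = constructed-placeholder
"""

def _load(text):
    # interpolation=None so a '%' inside a secret does not break parsing
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def check_profile(name, config_text, credentials_text):
    """Return None if the profile chain ends in usable credentials, else a problem string."""
    config, creds = _load(config_text), _load(credentials_text)
    seen = []
    while True:
        if name in seen:
            return "source_profile cycle: " + " -> ".join(seen + [name])
        seen.append(name)
        # ~/.aws/config uses "[profile x]" (except default); ~/.aws/credentials uses "[x]"
        section = "default" if name == "default" else f"profile {name}"
        merged = dict(config[section]) if config.has_section(section) else {}
        merged.update(dict(creds[name]) if creds.has_section(name) else {})
        if not merged:
            return f"profile '{name}' not found in config or credentials"
        if "role_arn" not in merged:
            if "aws_access_key_id" in merged and "aws_secret_access_key" in merged:
                return None
            return f"profile '{name}' has neither role_arn nor static keys"
        if "credential_source" in merged or "web_identity_token_file" in merged:
            return None
        if "source_profile" not in merged:
            return f"profile '{name}' has role_arn but no source_profile or credential_source"
        name = merged["source_profile"]

if __name__ == "__main__":
    print(check_profile("my_profile", SAMPLE_CONFIG, SAMPLE_CREDENTIALS) or "chain resolves")
```

To run it against a real setup, pass the contents of ~/.aws/config and ~/.aws/credentials instead of the sample strings.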