Cannot use PAWS SSM w/ federated login
I'm trying to read a parameter from SSM using the following code. I'm using federated login, so I don't have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in %ENV, only AWS_DEFAULT_PROFILE.
#!/usr/bin/env perl
use strict;
use warnings;
use Paws;
use Data::Dumper;
# No explicit credentials: Paws falls back to its provider chain (Environment, File, ECS, InstanceProfile).
my $obj = $paws_placeholder_unused = undef if 0; # (no-op; kept for line alignment is not needed)
But when I do that, I get:
Can't find any credentials. I tried with Paws::Credential::Environment,Paws::Credential::File,Paws::Credential::ECSContainerProfile,Paws::Credential::InstanceProfile at /home/kit/.perlbrew/libs/perl-5.30.0@lambda-cycles/lib/perl5/Paws/Credential/ProviderChain.pm line 32.
However, the AWS CLI (aws ssm get-parameters --names "/my/test/parameter") works just fine.
Hmmm... strange, since Paws::Credential::File should be honoring the ENV var. https://github.com/pplu/aws-sdk-perl/blob/master/lib/Paws/Credential/File.pm
Can you try the following script? Does that behave correctly? It may help you isolate the problem.
use Paws::Credential::File;
my $f = Paws::Credential::File->new;
print $f->access_key;
Hope it helps.
Tried the script; it returned nothing.
On Thu, Sep 12, 2019 at 7:37 AM Jose Luis Martinez wrote: (comment quoted above)
I see the problem. Here is my (redacted) environment:
AWS_DEFAULT_PROFILE=123456789012/role-name/username
And here are the contents of my (redacted) $HOME/.aws/credentials:
[123456789012/role-name/username_source]
aws_access_key_id = ASIAXPNJWRK4MDXIW7Z3
aws_secret_access_key = <REDACTED>
aws_session_token = <REDACTED>
Note how it's username_source in $HOME/.aws/credentials, but username in $ENV{AWS_DEFAULT_PROFILE}.
I don't know why _source is appended in $HOME/.aws/credentials, but I suspect it may be related to federated login via Okta.
This works:
#!/usr/bin/env perl
use Paws;
use Paws::Credential::File;
use Data::Dumper;
my $region = $ENV{AWS_REGION} || 'us-east-1';
# Point Paws at the "<profile>_source" section explicitly; the provider chain only looks for the bare profile name.
my $paws = Paws->new(
    config => {
        credentials => Paws::Credential::File->new(profile => qq{$ENV{AWS_DEFAULT_PROFILE}_source}),
    }
);
my $obj = $paws->service('SSM', region => $region);
my $res = $obj->GetParameter(Name => '/my/encrypted/parameter', WithDecryption => 1);
print Dumper $res;
Thanks for your feedback! What got you to putting '_source' in the profile name? Is there a tool that does this?
I'm trying to find out if we should support always looking for a section called "$ENV{AWS_DEFAULT_PROFILE}" or "$ENV{AWS_DEFAULT_PROFILE}_source", or we should look for both...
I don't know why "_source" is in the profile name - that's just how the tool that my company uses to log into AWS does it. If it helps, we're using Okta for federated login.
KP
On Wed, Sep 18, 2019 at 5:28 AM Jose Luis Martinez wrote: (comment quoted above)
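The lookup the maintainer is weighing above (try the section named by AWS_DEFAULT_PROFILE, then the "<profile>_source" variant that the Okta-based login tool writes) can be done before Paws is involved at all. The script below is an added example, not Paws code and not from this thread; parse_credentials, resolve_profile and check_section are hypothetical helper names, the embedded credentials text is a constructed sample, and the only assumption about Paws is the Paws::Credential::File->new(profile => ...) constructor already used in the working script above. It also refuses a section whose ASIA-prefixed (temporary) key has no aws_session_token, which is the other way a federated-login file can look complete yet fail every signed request.

```perl
#!/usr/bin/env perl
# Added example, not code from Paws or from this thread. It resolves the
# section name first (bare profile, then "<profile>_source") and only then
# hands the winner to Paws::Credential::File. Helper names are hypothetical;
# the sample credentials text is constructed.
use strict;
use warnings;

# Parse the [section] / key = value layout of ~/.aws/credentials into a
# hash of hashes. Deliberately minimal: no quoting or continuation lines.
sub parse_credentials {
    my ($text) = @_;
    my (%sections, $current);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:[#;].*)?$/;              # blank or comment
        if ($line =~ /^\s*\[\s*(.+?)\s*\]\s*$/) {           # [section]
            $current = $1;
            $sections{$current} //= {};
            next;
        }
        next unless defined $current;                      # key before any section
        if ($line =~ /^\s*([^=\s]+)\s*=\s*(.*?)\s*$/) {     # key = value
            $sections{$current}{$1} = $2;
        }
    }
    return \%sections;
}

# Return the first section name that actually exists: the profile as given,
# then the "_source" variant written by the federated-login tool.
sub resolve_profile {
    my ($sections, $profile) = @_;
    for my $candidate ($profile, "${profile}_source") {
        return $candidate if exists $sections->{$candidate};
    }
    return;
}

# Temporary STS keys (the "ASIA" prefix) are only valid together with their
# aws_session_token, so report a missing token here instead of letting every
# signed request fail later with a less obvious error.
sub check_section {
    my ($section) = @_;
    my @missing = grep { !defined $section->{$_} }
                  qw(aws_access_key_id aws_secret_access_key);
    push @missing, 'aws_session_token'
        if ($section->{aws_access_key_id} // '') =~ /^ASIA/
        && !defined $section->{aws_session_token};
    return @missing;
}

# Constructed sample mirroring the thread: only the "_source" section exists.
my $sample = <<'INI';
[123456789012/role-name/username_source]
aws_access_key_id = ASIAEXAMPLEKEY0000000
aws_secret_access_key = EXAMPLE_SECRET
aws_session_token = EXAMPLE_TOKEN
INI

my $file      = ($ENV{HOME} // '') . '/.aws/credentials';
my $have_real = -r $file;
my $text      = $have_real ? do { local (@ARGV, $/) = ($file); <> } : $sample;
my $profile   = $ENV{AWS_DEFAULT_PROFILE} // '123456789012/role-name/username';

my $sections = parse_credentials($text);
my $resolved = resolve_profile($sections, $profile)
    or die "no section [$profile] or [${profile}_source] in credentials\n";
my @missing = check_section($sections->{$resolved});
die "section [$resolved] is missing: @missing\n" if @missing;
print "resolved profile '$profile' to section [$resolved]\n";

# Hand the resolved section name to Paws the same way the working script in
# the thread does. Skipped when Paws is not installed or only the constructed
# sample was parsed, so the lookup above can be exercised offline.
if ($have_real && eval { require Paws; require Paws::Credential::File; 1 }) {
    my $creds = Paws::Credential::File->new(profile => $resolved);
    my $ssm   = Paws->new(config => { credentials => $creds })
                    ->service('SSM', region => $ENV{AWS_REGION} // 'us-east-1');
    my $res   = $ssm->GetParameter(Name => '/my/encrypted/parameter', WithDecryption => 1);
    print $res->Parameter->Value, "\n";
}
```

Run with no ~/.aws/credentials present and it exercises the lookup against the constructed sample, printing the resolved "_source" section; with a real file and AWS_DEFAULT_PROFILE set it makes the same GetParameter call as the working script above, but with the section name chosen by the fallback rather than hard-coded.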