
AWS credentials using credential_process

Open maxbeatty opened this issue 4 years ago • 3 comments

Description

If ~/.aws/credentials uses credential_process, up will fail with a "Cannot find credentials" error.

Steps to Reproduce

up.json

{
  "profile": "developer"
}

~/.aws/credentials

[developer]
credential_process = /opt/bin/awscreds-custom --username helen

Try to deploy:

❯ up

     build: 5 files, 12 MB (545ms)


     Error: Cannot find credentials, visit https://apex.sh/docs/up/credentials/ for help.

Workaround

Setting the environment variable AWS_SDK_LOAD_CONFIG will instruct the underlying AWS SDK to use Shared Config Fields (thus executing the custom credential_process).

AWS_SDK_LOAD_CONFIG=1 up

I'm not sure there's much you could do in your AWS session implementation beyond force-enabling Shared Config support. Opening this mostly as a reference for anyone who comes across the error with this configuration.

maxbeatty, Jul 09 '20 02:07

Hmm I wonder if the Go SDK from AWS even supports it, I've never seen that option but I'll try to take a look soon and see if they support it!

tj, Jul 11 '20 18:07

Yep! It was added in 2018, if you can believe it, and I did check to make sure up was using a supported version (v1.19.1 for posterity).

https://github.com/aws/aws-sdk-go/commit/275272fc5c7fdea1719f5851925dc5d9df27f89d https://github.com/aws/aws-sdk-go/releases/tag/v1.16.0

maxbeatty, Jul 11 '20 18:07

I haven't dug deep enough to create a PR for this, but it looks like a fairly minimal change to enable the shared config by default.

When you're building an AWS SDK session now, you use something like this:

s := session.New(aws.NewConfig().WithRegion(region))

But something like this (untested) snippet should load all of the shared config stuff automatically:

sess := session.Must(session.NewSessionWithOptions(session.Options{
    Config: aws.Config{Region: aws.String(region)},
    SharedConfigState: session.SharedConfigEnable,
}))

The big behavioural change here is that using session.NewSessionWithOptions (with the session.Must wrapper) will panic earlier than using session.New for some configuration problems. It looks like you're specifically checking for some errors from AWS SDK, so those checks might need updating as well.

Just FYI, the documentation says session.New is deprecated and has been since 2016. Using the session.NewSession* functions is the preferred way to build sessions.

irgeek, Jun 10 '21 02:06
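A pre-flight check for the failure reported in this issue, added here as an example and not taken from up or the AWS SDK: it reads credentials-file text and reports whether a profile depends on credential_process, which is only honoured when shared config is enabled. The function names and result labels are hypothetical, and the resolution rules are a simplified model of the behaviour described in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// parseProfiles reads INI text in the ~/.aws/credentials layout: profile -> key -> value.
func parseProfiles(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	current := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';': // blank or comment: skip
		case line[0] == '[' && line[len(line)-1] == ']':
			current = strings.TrimSpace(line[1 : len(line)-1])
			profiles[current] = map[string]string{}
		case current != "":
			if k, v, ok := strings.Cut(line, "="); ok {
				profiles[current][strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	return profiles
}

// diagnose models how a profile resolves with shared config on or off (simplified).
func diagnose(profiles map[string]map[string]string, name string, sharedConfig bool) string {
	p, ok := profiles[name]
	switch {
	case !ok:
		return "profile-missing"
	case p["aws_access_key_id"] != "" && p["aws_secret_access_key"] != "":
		return "static-keys"
	case p["credential_process"] != "" && sharedConfig:
		return "credential-process"
	case p["credential_process"] != "":
		return "credential-process-ignored" // the "Cannot find credentials" case
	}
	return "no-credentials"
}

func main() {
	// Constructed sample matching the ~/.aws/credentials file in the issue.
	sample := "[developer]\ncredential_process = /opt/bin/awscreds-custom --username helen\n"
	p := parseProfiles(sample)
	fmt.Println(diagnose(p, "developer", false), diagnose(p, "developer", true))
}
```

Running such a check before a deploy turns the generic credentials error into a specific hint to set AWS_SDK_LOAD_CONFIG or enable shared config in the session.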