amazon-qldb-shell
Unable to connect to ledger error
Describe the bug
I'm just trying to start the qldb shell with an existing ledger that I can see from the aws console does exist on my account.
I receive the following error messages when running $ qldb.
...
usage error: Unable to connect to ledger `my-example-ledger`.
...
The following error may have more information: failed to construct request: No credentials in the property bag
To Reproduce
Steps to reproduce the behavior:
- Login to my aws cli using aws sso login
- run qldb to start the qldb shell
- See error
Expected behavior
I expect the qldb shell to start
Screenshots
N/A
Desktop (please complete the following information):
- OS: MacOS
Additional context
I'm able to view the ledger when running aws qldb list-ledgers
I was able to resolve my issue, but it looks like there could be a bug with parsing credentials from the default location on MacOS.
I tried directly linking to my credentials file by running qldb --config ~/.aws/credentials
But I received this error:
usage error: unable to load config at /Users/davidnorman/.aws/credentials: IonCError { code: 23, message: "IERR_INVALID_TOKEN_CHAR", additional: "iERR Result", position: OffsetLineColumn(15, LineColumn(1, 14)) }
This was using a credentials file that I directly copied from the SSO Account Selection page from the "Command line or programmatic access" modal pop up that lists temporary credentials in a few formats.
Next I tried one of the other options on the modal to export my credentials as Environment variables: "Option 1: Set AWS environment variables". Using this option I am able to get qldb shell access successfully, but should I be able to use my credentials file as well?
Thanks for raising this issue. The general format of config under the ~/.aws/credentials file is as follows:
[default]
aws_access_key_id=<YOUR_AWS_ACCESS_KEY>
aws_secret_access_key=<YOUR_AWS_SECRET_ACCESS_KEY>
aws_session_token=<YOUR_AWS_SESSION_TOKEN>
A closed issue for the AWS CLI has some discussion regarding the SSO login not conforming to the standard: https://github.com/aws/aws-cli/issues/4982.
The QLDB CLI's --config parameter is for some QLDB-specific Ion config and not the credentials. The issue linked above describes some workarounds. One option includes the use of the credential_process property in the ~/.aws/config file. In this case, you can use the qldb --profile <PROFILE_NAME> approach or set it as the default to avoid the --profile parameter. However, the latest QLDB shell build in Homebrew does not ship with support for the credential_process property (Comes with aws-config v0.43.0). You can temporarily track against the main branch if you opt for that route.
I'll leave this issue open to track a patch version release with updated dependencies from our side.
Ah, I see that makes a lot of sense. Thank you for the detailed response. That will work for my purposes for now. Thanks!
Considering the mentioned issue on aws-cli is closed and on that thread they clearly don't acknowledge they have a problem, is this going to be fixed on qldb-shell?
Hi @rbcaixeta
We have just released v2.0.2 of the shell which adds support for the credential_process property. There is a newer open issue on the AWS CLI repository which is seeing some recent activity for customizing how credentials are exported: https://github.com/aws/aws-cli/issues/5261.
You should alternatively be able to set up an SSO profile following the example in these docs:
[profile sso-login]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
and then run the shell with:
qldb --profile sso-login
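A pre-flight check for the profile formats discussed in this thread, as an added example that is not part of the thread or of the QLDB shell project: it classifies each profile as static keys, SSO, or credential_process, lists the keys a profile is missing, and rejects text that has no profile header. The function name classify_profiles, the sample profiles and the helper path are constructed for illustration.

```python
import configparser

# Keys each credential source needs, taken from the snippets in this thread.
STATIC_KEYS = {"aws_access_key_id", "aws_secret_access_key"}
SSO_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}

# Constructed sample: placeholder values only, no real credentials.
SAMPLE = """\
[default]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRET
aws_session_token = EXAMPLETOKEN

[profile sso-login]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011

[profile helper]
credential_process = /usr/local/bin/example-credential-helper
"""


def classify_profiles(text):
    """Map each profile name to (credential source, sorted missing keys)."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        # Covers text with no [profile] header, e.g. pasted "export VAR=..." lines.
        raise ValueError(f"cannot parse profile file: {exc}") from exc
    report = {}
    for section in parser.sections():
        # ~/.aws/config prefixes names with "profile "; ~/.aws/credentials does not.
        name = section[len("profile "):] if section.startswith("profile ") else section
        keys = set(parser[section])
        if "credential_process" in keys:
            report[name] = ("credential_process", [])
        elif keys & SSO_KEYS:
            report[name] = ("sso", sorted(SSO_KEYS - keys))
        elif keys & STATIC_KEYS:
            report[name] = ("static", sorted(STATIC_KEYS - keys))
        else:
            report[name] = ("unknown", [])
    return report


if __name__ == "__main__":
    for name, (source, missing) in classify_profiles(SAMPLE).items():
        print(f"{name}: {source}, missing: {', '.join(missing) or 'none'}")
```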