credential_process not able to open browser due to "polluted" environment variables
Describe the bug
When using aws-cli, processes started via credential_process are not able to open a browser (the process crashes silently). This is also reported at aws-cli in: https://github.com/aws/aws-cli/issues/5506
I'm reporting it here as it doesn't seem (AFAIK) that aws-cli can do anything on its own to solve the issue with the APIs provided by botocore.
Steps to reproduce
Add this content to the aws config:
[profile fake]
credential_process=google-chrome www.google.es
Then run AWS_PROFILE=fake aws s3 ls and see how the browser doesn't open.
If you change the profile to:
[profile fake]
credential_process=bash -c "unset LD_LIBRARY_PATH; google-chrome www.google.es"
Expected behavior
Processes opened through the credential_process mechanism should not use a polluted environment but the same environment that the aws cli (or the process using botocore) was created with.
This issue also affects other graphical processes/libs such as zenity as used by aws-vault:
Also can be worked around by:
[profile fake]
credential_process=/bin/sh -c "unset LD_LIBRARY_PATH; aws-vault exec my-other-profile --json --prompt=zenity"
Does anyone know where/how LD_LIBRARY_PATH is being set by botocore? There is no obvious pollution of environment variables in the code running the subprocess, so I suppose somewhere else the environment is being manipulated:
https://github.com/boto/botocore/blob/2dd1931309750124cf33b2599559229ced24b999/botocore/credentials.py#L977-L983
@rclark It does not come from boto itself, but from the AWS CLI V2 packaging code, namely PyInstaller, see: https://pyinstaller.readthedocs.io/en/stable/runtime-information.html#ld-library-path-libpath-considerations
They also have a 'fix example' on how to handle it.
I am of two minds about this. The only place where it can be fixed is in this code, just before the Popen call. But should boto be fixing PyInstaller env fiddling?
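The restore-before-Popen approach discussed above, as an added example (not botocore, AWS CLI or PyInstaller code). It assumes the PyInstaller bootloader saved the caller's value in LD_LIBRARY_PATH_ORIG, as the linked PyInstaller page describes; the function names and the sample environment are hypothetical.

```python
import json
import os
import subprocess
import sys

LP_KEY = "LD_LIBRARY_PATH"  # Linux name; the PyInstaller page also covers LIBPATH on AIX


def original_environment(environ=None, frozen=None):
    """Return a copy of the environment with the loader path as the user set it.

    Inside a PyInstaller bundle LD_LIBRARY_PATH points at the bundle's own
    libraries, so a helper such as a browser or zenity would load them instead
    of the system ones. Restore the saved value, or drop the variable when the
    user never set it.
    """
    env = dict(os.environ if environ is None else environ)
    if frozen is None:
        frozen = getattr(sys, "frozen", False)  # set by PyInstaller at run time
    if not frozen:
        return env  # not bundled: nothing was rewritten
    saved = env.get(LP_KEY + "_ORIG")
    if saved is not None:
        env[LP_KEY] = saved
    else:
        env.pop(LP_KEY, None)
    return env


def run_credential_helper(argv, environ=None, frozen=None):
    """Run a credential_process style helper and parse the JSON it prints."""
    env = original_environment(environ, frozen)
    proc = subprocess.run(argv, env=env, stdout=subprocess.PIPE, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed sample: what a helper would inherit inside a bundle.
    polluted = dict(os.environ)
    polluted[LP_KEY] = "/tmp/_MEIconstructed"
    polluted.pop(LP_KEY + "_ORIG", None)
    cleaned = original_environment(polluted, frozen=True)
    print(LP_KEY in polluted, LP_KEY in cleaned)
```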
> The only place where it can be fixed is in this code, just before the Popen call. But should boto be fixing PyInstaller env fiddling?
Sheesh it does seem like almost certainly not.
There are all kinds of places you can solve this issue, e.g. in the config file as shown above, or in the executable like aws-vault. If AWS's intention with credential_process is to facilitate user-built credential management solutions, the developers of those solutions need to be made aware of this caveat.
Or perhaps the right place to address it is in https://github.com/aws/aws-cli/issues/5506
Sourcing credentials via external process of the given browser not opening up given to it. There are all kinds of places you can solve this issue, in the config file as shown above or in the executable like aws-vault. If AWS's intention with credential_process is to facilitate user-built credential management solutions, the developers of those solutions need to be made aware of this caveat. Or perhaps the right place to address it is in.