
Credentials not correctly assuming defaults in aws lambda context

Open bneigher opened this issue 5 years ago • 1 comments

  • [x] a possible bug
  • [ ] a question about package functionality
  • [ ] a suggested code or documentation change, improvement to the code, or feature request

I'm using the aws.lambda package INSIDE an AWS Lambda (custom R runtime) and I seem to be having difficulties invoking a lambda, getting: UnrecognizedClientException The security token included in the request is invalid

I believe it has something to do with aws.signature rather than aws.lambda since locate_credentials is happening here.

I can manually provide:

  • Sys.setenv("AWS_ACCESS_KEY_ID" = "")
  • Sys.setenv("AWS_SECRET_ACCESS_KEY" = "")
  • Sys.setenv("AWS_DEFAULT_REGION" = "")

But I am getting the UnrecognizedClientException even though my role is allowed to Invoke my target lambda.

## load package
library(aws.lambda)
library(jsonlite)  # toJSON() / fromJSON()

Sys.setenv("AWS_DEFAULT_REGION" = "us-west-2") # Needed for me to do manually for some reason (default is us-east-1 otherwise)
Sys.setenv(TZ = "GMT")

handler <- function(...) {
  payload <- list(user_id = "1", event = "")
  # Synchronous invocation of the target function
  result <- invoke_function(
    name = "MyLambdaName",
    payload = toJSON(payload, auto_unbox = TRUE),
    type = "RequestResponse",
    log = "None"
  )
  return(fromJSON(toJSON(list(code = 0))))
}

Session Info:

R version 3.6.1 (2019-07-05)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Amazon Linux AMI 2018.03

Matrix products: default
BLAS:   /opt/R/lib/
LAPACK: /opt/R/lib/

 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C              
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8    
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C                 
 [9] LC_ADDRESS=C               LC_TELEPHONE=C            

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] lubridate_1.7.4   feather_0.3.5     aws.lambda_0.1.6  aws.s3_0.3.12    
[5] data.table_1.12.2 jsonlite_1.6      httr_1.4.1        logging_0.10-108 

loaded via a namespace (and not attached):
 [1] Rcpp_1.0.2          magrittr_1.5        xml2_1.2.2         
 [4] hms_0.5.1           aws.signature_0.5.2 R6_2.4.0           
 [7] rlang_0.4.0         stringr_1.4.0       tools_3.6.1        
[10] digest_0.6.20       tibble_2.1.3        crayon_1.3.4       
[13] base64enc_0.1-3     vctrs_0.2.0         curl_4.1           
[16] zeallot_0.1.0       stringi_1.4.3       compiler_3.6.1     
[19] pillar_1.4.2        backports_1.1.4     pkgconfig_2.0.2 

Note that communication to aws.s3 works great and so I know the correct roles are being assumed.

This works fine when running on my local machine, which makes me think there is something wrong with how this package performs specifically when running on the AWS Lambda runtime environment.

bneigher, Nov 22 '19 01:11

Hi there, thanks for raising this issue. Just to confirm, you're saying that from the lambda function, you can perform operations with aws.s3 but not with aws.lambda? If so, I'm slightly puzzled as to what is going on.

I suspect the requirement for specifying the region comes about from aws.signature not reading .aws/config to get config settings, but I don't see why that would cause an auth issue if the region is otherwise specified.

Can you try running with options(verbose = TRUE), preferably before any aws.* packages are loaded, so there are some messages on how/where it's getting credentials from, please?

jon-mago, Nov 22 '19 10:11
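One way to collect the diagnostics requested above without writing secrets to the function's logs (an added example, not code from this thread or from the aws.signature project). The helper names `credential_report()` and `or_empty()` are hypothetical; the example assumes the Lambda execution environment exposes the role's temporary credentials as `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`, and relies on temporary access key IDs starting with `ASIA`.

```r
# Added diagnostic sketch; credential_report() and or_empty() are hypothetical names.
options(verbose = TRUE)  # set before any aws.* package is loaded, as requested above

library(aws.signature)

# Treat NULL / NA as an empty string so the checks below never fail on missing fields.
or_empty <- function(x) if (is.null(x) || is.na(x)) "" else x

credential_report <- function() {
  env_names <- c("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                 "AWS_SESSION_TOKEN", "AWS_DEFAULT_REGION", "AWS_REGION")
  env <- Sys.getenv(env_names, unset = "")

  # What aws.signature resolves; verbose = TRUE prints which source it used.
  creds <- locate_credentials(verbose = TRUE)
  key   <- or_empty(creds$key)
  token <- or_empty(creds$session_token)

  # Only presence flags and the 4-character key prefix are reported,
  # never the secret key or the session token themselves.
  list(
    env_present       = env != "",                 # named logical vector
    key_prefix        = substr(key, 1, 4),         # "ASIA" = temporary, "AKIA" = long-term
    temporary_key     = startsWith(key, "ASIA"),
    has_session_token = nzchar(token),
    key_matches_env   = identical(key, env[["AWS_ACCESS_KEY_ID"]]),
    region            = or_empty(creds$region)
  )
}

report <- credential_report()
str(report)

# Temporary credentials are only valid when sent together with their session token.
if (report$temporary_key && !report$has_session_token) {
  message("Temporary (ASIA...) access key resolved without a session token")
}
```

Call `credential_report()` at the top of the handler, before `invoke_function()`, so the output lands in the same log stream as the failing request.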