vue-cli-plugin-s3-deploy

Can I just use IAM Roles and not AWS IAM User API Credentials for Cloudfront Invalidations?

Open rjambs opened this issue 6 years ago • 16 comments

Hi George,

I have a problem deploying using just AWS IAM Roles. As much as possible, I would like to not put the IAM User API Credentials on the ~/.aws/credentials file. So what I did was remove that and just added an IAM Role to the instance. This worked well for uploading files to the S3 bucket but this does not seem to work for creating Cloudfront invalidations.

Is there a way around this?

Otherwise, I would be forced to add the AWS IAM User API Credentials on the instance, which upon trying works, but would be against AWS Best practices.

Trace when there are no API Credentials (just an AWS IAM Role)

 INFO  (20/20) Uploaded css/app.2894a96e.css.map
 INFO  Deployment complete.
⠋  Invalidating CloudFront distribution: <<REDACTED>> ERROR  Cloudfront Error!
 ERROR  Code: CredentialsError
 ERROR  Message: Missing credentials in config
 ERROR  AWS Request ID: undefined
✔  Invalidating CloudFront distribution: <<REDACTED>>
Done in 2.55s.

Trace when there are API Credentials on the instance

 INFO  (20/20) Uploaded css/app.2894a96e.css.map
 INFO  Deployment complete.
⠦  Invalidating CloudFront distribution: <<REDACTED>> INFO  Invalidation ID: <<REDACTED>>
 INFO  Status: InProgress
 INFO  Call Reference: vue-cli-plugin-s3-deploy-1556876083219
 INFO  See your AWS console for on-going status on this invalidation.
✔  Invalidating CloudFront distribution: <<REDACTED>>
Done in 3.52s.

rjambs avatar May 03 '19 09:05 rjambs

Curious, does your role have S3 access? @rjambs

nicekiwi avatar May 07 '19 06:05 nicekiwi

Hmm, this should work as is with your role-arn defined in the credentials or config file.

nicekiwi avatar Feb 10 '20 23:02 nicekiwi

@nicekiwi Actually I can confirm the issue over there - I'm using environment variables, but without the credentials file and it looks like it's required unfortunately

rafaljanicki avatar Feb 17 '20 05:02 rafaljanicki

@rafaljanicki which setup are you using to auth your IAM Role? As I understand it you do still have to specify the Access keys somewhere locally?

nicekiwi avatar Feb 17 '20 05:02 nicekiwi

I have awsProfile set to empty and then I specify the keys as environment variables, but w/o installing the CLI @nicekiwi

rafaljanicki avatar Feb 17 '20 05:02 rafaljanicki

@rafaljanicki what exactly is required?

nicekiwi avatar Feb 17 '20 06:02 nicekiwi

@nicekiwi As far as it looks from my perspective, the s3 plugin requires ~/.aws/credentials file configured with default credentials in order for the invalidation to work (although do note that the regular upload works just fine). I believe the simplest way to reproduce that is to:

  • remove default profile from the credentials file
  • set access key & secret key as environment variables
  • empty the awsProfile variable
  • try to run the deployment with invalidation set to true

Let me know if you have any other questions, I'll be happy to help as much as I can :-)

rafaljanicki avatar Feb 17 '20 06:02 rafaljanicki

Ooooooooooh, I see. The Cloudfront client is not set up to accept any config set up in the ~/.aws/credentials or ~/.aws/config files. Gotcha. That's easy to fix. Are you using v4.0.0-rc2 @rafaljanicki ?

nicekiwi avatar Feb 17 '20 06:02 nicekiwi

No, it's the 3.0.0. Shall I try rc2 @nicekiwi ?

rafaljanicki avatar Feb 17 '20 07:02 rafaljanicki

@rafaljanicki 4.0.0rc3 has just been released. Give it a try. Too much has changed since 3.0.0 I'm not sure I want to support it going forward.

nicekiwi avatar Feb 17 '20 08:02 nicekiwi

@nicekiwi I've just tried the latest version, but the effect is the same:

ERROR  Error: ENOENT: no such file or directory, open '/root/.aws/credentials'
 INFO  Bucket: <redacted>
 INFO  Deploying 6 assets from <redacted> to <redacted>
 INFO  (1/6) Uploaded index.html
 INFO  (2/6) Uploaded fonts/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.0509ab09.woff2
 INFO  (3/6) Uploaded fonts/flUhRq6tzZclQEJ-Vdg-IuiaDsNa.29b882f0.woff
 INFO  (4/6) Uploaded favicon.ico
 INFO  (5/6) Uploaded js/app.js
 INFO  (6/6) Uploaded js/chunk-vendors.js
 INFO  Deployment complete.
-  Invalidating CloudFront distribution: <redacted>
 ERROR  Cloudfront Error!
 ERROR  Code: CredentialsError
 ERROR  Message: Missing credentials in config
 ERROR  AWS Request ID: undefined
✔  Invalidating CloudFront distribution: <redacted>

rafaljanicki avatar Feb 17 '20 08:02 rafaljanicki

You're running as root? To use the ENV variables the awsProfile should be set to 'default'

nicekiwi avatar Feb 17 '20 09:02 nicekiwi

I'm not running it locally, BitBucket pipelines run it as a root in an isolated environment (I hope! ;) ).

I've just tried again with the default profile set and unfortunately, exactly the same error. Do you have any command/env variable I could set for debugging purposes to make it easier for you @nicekiwi ?

rafaljanicki avatar Feb 17 '20 09:02 rafaljanicki

I'm not sure. Do your ENV credentials have the roles assigned to access cloudfront?

nicekiwi avatar Feb 17 '20 09:02 nicekiwi

No, they have default set as well @nicekiwi

I mean, it's not a high priority for me at all as I just install awscli in docker and it works. But I'll be happy to help debug if you have any ideas further on

rafaljanicki avatar Feb 17 '20 09:02 rafaljanicki

> * empty the `awsProfile` variable

hmm this might cause an issue as the profile is expected to always be set even if you're not using a profile.

nicekiwi avatar Mar 17 '20 02:03 nicekiwi
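
As an added example (not part of the thread and not the plugin's code): a dependency-free Node.js check that reports which credential sources a deploy process can see, and whether keys in the environment are long-lived IAM user keys or temporary role credentials. The function names and sample inputs are constructed for illustration, and the source order is a simplified version of the AWS SDK's default chain.

```javascript
// Added example: a dependency-free check, not code from vue-cli-plugin-s3-deploy.

// Profile names ([section] headers) defined in shared-credentials INI text.
function profilesIn(iniText) {
  return iniText.split(/\r?\n/)
    .map((line) => line.match(/^\s*\[([^\]]+)\]\s*$/))
    .filter(Boolean)
    .map((m) => m[1].trim());
}

// AWS documents AKIA as the prefix of long-term access keys and ASIA as the
// prefix of temporary (STS) ones, which is what a role hands out.
function keyKind(accessKeyId) {
  if (accessKeyId.startsWith('AKIA')) return 'long-lived IAM user key';
  if (accessKeyId.startsWith('ASIA')) return 'temporary STS key';
  return 'unrecognised key prefix';
}

// Credential sources visible to a process, in a simplified version of the order
// the SDK's default chain tries them. iniText is null when the file is absent.
function credentialSources(env, iniText, profile) {
  const found = [];
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
    found.push('environment: ' + keyKind(env.AWS_ACCESS_KEY_ID));
  }
  if (iniText !== null && profilesIn(iniText).includes(profile)) {
    found.push('credentials file: [' + profile + ']');
  }
  if (env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
    found.push('container role endpoint');
  }
  // Nothing local: only an attached instance role (metadata service) is left.
  return found.length ? found : ['instance role only'];
}

// Constructed inputs modelled on the setups described in the thread.
const roleOnly = credentialSources({}, null, 'default');
const envKeys = credentialSources(
  { AWS_ACCESS_KEY_ID: 'AKIAIOSFODNN7EXAMPLE', AWS_SECRET_ACCESS_KEY: 'constructed' },
  '[default]\naws_access_key_id = constructed\n',
  '' // awsProfile left empty, as in the reproduction steps
);
console.log(roleOnly);
console.log(envKeys);
```

In a pipeline, pass `process.env`, the contents of the credentials file (or `null` if it is missing) and the configured `awsProfile`, and fail the build when the result reports a long-lived IAM user key.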