serverless-better-credentials

Doesn't work since 1.2.0

Open tonivdv opened this issue 1 year ago • 8 comments

Describe the bug

Since 1.2.0 the plugin does not detect the AWS profile anymore and always defaults to the "default" AWS profile.

To Reproduce

Steps to reproduce the behavior:

  1. Upgrade to 1.2.0 in an existing project
  2. Try to deploy

Expected behavior

Should deploy fine

Screenshots

sls info --aws-profile some-dev              
Running "serverless" from node_modules
✔ serverless-better-credentials: credentials resolved from config ini profile: AWS_DEFAULT_PROFILE (default)
Environment: darwin, node 16.19.1, framework 3.32.2 (local) 3.33.0v (global), plugin 6.2.3, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues


Error:
'/20230703/eu-central-1/cloudformation/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header .....

Desktop (please complete the following information):

  • OS: macOS
  • Version: 13.4.1 (22F82)
  • Serverless Version: 3.32.2

tonivdv, Jul 03 '23 08:07

Same. In my case, I set the AWS_PROFILE environment variable when running serverless invoke local. Worked before I upgraded my deps.

user@main project % task invoke-local            
task: [invoke-local] mkdir -p .build; cp -r config .build/
task: [invoke-local] AWS_PROFILE=myprofile npx serverless invoke local -f findingsWorker -s local -p test-input.json
Environment: darwin, node 18.16.0, framework 3.33.0 (local), plugin 6.2.3, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
ProcessCredentialsProviderFailure: Profile default not found
    at ProcessCredentials.load (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials/process_credentials.js:80:11)
    at ProcessCredentials.coalesceRefresh (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials.js:122:12)
    at resolveNext (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
    at /Users/user/Developer/project/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
    at /Users/user/Developer/project/node_modules/aws-sdk/lib/credentials.js:124:23
    at /Users/user/Developer/project/node_modules/aws-sdk/lib/credentials.js:212:15
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)

jsifuentes, Jul 03 '23 19:07

Same issue, though I'm using:

provider:
   profile: ...

and I'm getting:

Debugger listening on ws://127.0.0.1:9229/77352f21-5b2d-4349-85e6-298c0d51aa66
For help, see: https://nodejs.org/en/docs/inspector
Environment: darwin, node 18.12.1, framework 3.33.0 (local), plugin 6.2.3, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
Cannot resolve serverless.yml: Variables resolution errored with:
  - Cannot resolve variable at "custom.config.env.A": Profile default did not include credential process,
  - Cannot resolve variable at "custom.config.env.B": Profile default did not include credential process,
  - Cannot resolve variable at "custom.config.env.C": Profile default did not include credential process,
  - Cannot resolve variable at "custom.config.env.D": Profile default did not include credential process
[nodemon] app crashed - waiting for file changes before starting...

where:

custom.config.env.A: ${ssm:/some/path/to/secret}

kdybicz, Jul 04 '23 09:07

The MR was merged, but judging by the code @anaisberg was waiting for https://github.com/aws/aws-sdk-js/pull/4456 to be merged for the entire thing to work: https://github.com/thomasmichaelwallace/serverless-better-credentials/blob/main/src/SsoCredentials/getSsoConfig.ts#L155
Right now it fails by saying the iniLoader doesn't have a loadSsoSessionsFrom function here.

Some other things I noticed though:

  1. The filename is set to process the AWS_SDK_LOAD_CONFIG env var (a boolean), not the AWS_CONFIG_FILE var https://github.com/thomasmichaelwallace/serverless-better-credentials/blob/main/src/SsoCredentials/getSsoConfig.ts#L27C48-L27C48
  2. The profilesFromConfig is set by calling getProfilesFromCredentials https://github.com/thomasmichaelwallace/serverless-better-credentials/blob/main/src/SsoCredentials/getSsoConfig.ts#L126
  3. profilesFromCredentials is filled by getProfilesFromConfig, which sets the filename using the sharedCredentialsFileEnv var https://github.com/thomasmichaelwallace/serverless-better-credentials/blob/main/src/SsoCredentials/getSsoConfig.ts#L46

MichaelLebrand, Jul 04 '23 16:07

This may be addressed in v1.2.1 - feel free to re-open if not.

thomasmichaelwallace, Jul 20 '23 19:07

@thomasmichaelwallace I am on v1.2.1 and am still noticing this issue.

Probotect0r, Oct 20 '23 01:10

@thomasmichaelwallace Was this fixed in the 2.0 release? Or 1.3.0?

Probotect0r, Dec 12 '23 16:12

Can you try 2.0 and see?

thomasmichaelwallace, Dec 13 '23 16:12

I'm on the plugin 2.x here and it looked like it wasn't working, because it was confused.

When this happens, it logs

....config SharedIniFileCredentials: AWS_DEFAULT_PROFILE (default)

And things like

environment:
    JWT_TOKEN: ${ssm:/goo/bar/secret/v1}

error referencing my default AWS account too.

I removed .aws/sso/cache/*json and that seemed to fix it, and it now logs, after an SSO login,

....config SsoCredentials: cli --aws-profile (sso-foo-bar)

The output of sls with --debug * and --verbose was helpful in finding this out.

Looking in these cache files, I don't see why it would pick one over the other. For instance the sso_account_id isn't in the .json, only the start_url and region. Is there a cache collision?

Here is a defanged version of the end of my ~/.aws/config:

[clientOne]
region = eu-west-2
[profile sso-clientOne-dev-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111
sso_role_name = clientOne-serverless-dev
region = eu-west-2
[profile sso-clientOne-live-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start#
sso_region = eu-west-2
sso_account_id = 22222222222
sso_role_name = clientOne-serverless-dev
region = eu-west-2
[profile sso-clientTwo-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start#
sso_region = eu-west-2
sso_account_id = 33333333333
sso_role_name = serverless-dev
region = eu-west-2

Environment: linux, node 18.17.1, framework 3.38.0 (local) 3.34.0v (global), plugin 7.2.0, SDK 4.5.1 aws-cli/2.2.18 Python/3.8.8 Linux/6.5.0-17-generic exe/x86_64.ubuntu.22 prompt/off

tomchiverton, Feb 20 '24 14:02
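
The cache question raised in the comment above can be checked offline. The following is an added example, not part of the thread or the plugin's code: it groups SSO profiles by the token cache file they would read. It assumes the legacy SSO cache naming (SHA-1 of `sso_start_url`) used by the AWS CLI and the AWS SDK for JavaScript v2; the config is a constructed sample and the function names are hypothetical.

```javascript
// Added example: group SSO profiles by the token cache file they would share.
// Assumption: legacy SSO profiles (no sso_session) cache their token as
// ~/.aws/sso/cache/<sha1(sso_start_url)>.json, as the AWS CLI and SDK for JS v2 do.
const crypto = require('node:crypto');
// Constructed sample, shaped like the defanged config quoted above.
const SAMPLE_CONFIG = `
[profile sso-clientOne-dev-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start
sso_account_id = 111111111
[profile sso-clientOne-live-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start#
sso_account_id = 22222222222
[profile sso-clientTwo-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start#
sso_account_id = 33333333333
`;

// Minimal INI reader: [section] headers and key = value lines only.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (/^[#;]/.test(line)) continue; // whole-line comments
    const header = line.match(/^\[(?:profile\s+)?(.+?)\]$/);
    const eq = line.indexOf('=');
    if (header) current = sections[header[1]] = {};
    else if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// The cache key is the exact start URL string, so a trailing "#" changes it.
const cacheFileFor = (startUrl) =>
  crypto.createHash('sha1').update(startUrl).digest('hex') + '.json';

// Map each cache file name to the profiles (and accounts) that would read it.
function groupByCacheFile(configText) {
  const groups = new Map();
  for (const [name, p] of Object.entries(parseIni(configText))) {
    if (!p.sso_start_url) continue; // not an SSO profile
    const file = cacheFileFor(p.sso_start_url);
    groups.set(file, [...(groups.get(file) || []), `${name} (${p.sso_account_id})`]);
  }
  return groups;
}

for (const [file, profiles] of groupByCacheFile(SAMPLE_CONFIG)) {
  console.log(`${file}: ${profiles.join(', ')}`);
}
```

A shared token file is normal for profiles under one start URL, since the account and role are supplied per request when role credentials are fetched. Comparing the printed file names with the contents of `~/.aws/sso/cache/` shows which profiles depend on which cached login.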

Doesn't work for me either. Here is what my profile looks like:

[profile myprofile]
region = 'us-west-2'
output = 'json'
credential_process = 'mycli jit aws'

kferrone, Sep 25 '24 16:09

We'll need full logs (--debug * & --verbose) to help. I'd ask on the forum first unless you can confirm it's a bug in Sls, and not, say, in whatever that nonstandard credential_process is doing.

tomchiverton, Sep 25 '24 19:09

Turns out I was on an older version of serverless and the global and local were mismatched. The new one works fine with credential process.

kferrone, Sep 25 '24 22:09