The AWS CLI documentation says you should put this in ~/.aws/config to use assumed roles:
```
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default
```
However, the SharedIniFileCredentials class in AWS SDK seems to read role_arn and source_profile from ~/.aws/credentials. I tested this using Serverless Framework (which uses AWS SDK 2.157.0) and it fails when I put role_arn in ~/.aws/config, and it works when I put it in ~/.aws/credentials.
Which one is right, config or credentials?
@kennu
The JS SDK does support the ~/.aws/config file, but for backwards compatibility reasons you also need to set the environment variable AWS_SDK_LOAD_CONFIG to a truthy value for the SDK to read it by default.
If you set the above variable to 1, then you should see the same behavior you see with the CLI.
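The behaviour described in the reply above, as an added example that is not part of the original thread and not the SDK's own code: a simplified model of which profile settings are visible with and without `AWS_SDK_LOAD_CONFIG`. The function names and file contents are constructed for illustration, and letting credentials-file keys override config-file keys is an assumption of this model.

```javascript
// Constructed sample contents for ~/.aws/config and ~/.aws/credentials.
const CONFIG_FILE = `
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default
`;
const CREDENTIALS_FILE = `
[default]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = constructed-placeholder-secret
`;

// Parse INI text into { profileName: { key: value } }.
// In the config file, non-default sections are written "[profile name]";
// in the credentials file they are written "[name]".
function parseIni(text, isConfig) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      let name = section[1].trim();
      if (isConfig) name = name.replace(/^profile\s+/, '');
      current = profiles[name] = profiles[name] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Settings visible for `name`: the config file is only consulted when
// AWS_SDK_LOAD_CONFIG is truthy (assumption: credentials keys override).
function visibleProfile(name, env, configText, credentialsText) {
  const merged = {};
  if (env.AWS_SDK_LOAD_CONFIG) Object.assign(merged, parseIni(configText, true)[name]);
  Object.assign(merged, parseIni(credentialsText, false)[name]);
  return merged;
}

// A role profile is usable only if both role_arn and source_profile are visible.
function canAssumeRole(name, env, configText, credentialsText) {
  const p = visibleProfile(name, env, configText, credentialsText);
  return Boolean(p.role_arn && p.source_profile);
}
```

With the variable unset, `canAssumeRole('marketingadmin', {}, CONFIG_FILE, CREDENTIALS_FILE)` is false because the role settings live only in the config file; passing `{ AWS_SDK_LOAD_CONFIG: '1' }` makes it true.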
Thanks @chrisradek, I would not have guessed to use AWS_SDK_LOAD_CONFIG. It's nice to know this now, but I think it's also something AWS could make a little clearer in documentation. Especially since people might create their ~/.aws/ files based on AWS CLI documentation and just expect them to work with AWS SDK later on.
@kennu @chrisradek I tried multiple times with those types of accounts and it didn't work. So I presume that Serverless doesn't work with assumed roles, especially with MFA.
A quick workaround is to use assumed roles https://github.com/remind101/assume-role. I was then able to use sls commands normally.