Aws-sdk-js: node scripts fail to authenticate when assuming role via shared credentials/config

Created on 29 Apr 2020 · 4Comments · Source: aws/aws-sdk-js

Confirm by changing [ ] to [x] below to ensure that it's a bug:

[x] I've gone through Developer Guide and API reference
[x] I've checked AWS Forums and StackOverflow for answers
[x] I've searched for previous similar issues and didn't find any solution

Describe the bug
When using a profile with a role_arn defined, API calls hang for ~60 seconds, then fail with errors.

Is the issue in the browser/Node.js?
Node.js

If on Node.js, are you running this on AWS Lambda?
This is running under macOS 10.15.4 (19E287)

Details of the browser/Node.js version
Paste output of npx envinfo --browsers or node -v
node v13.8.0

SDK version number
[email protected]

To Reproduce (observed behavior)
Environment variables:
AWS_DEFAULT_REGION=us-east-1
AWS_PROFILE=work
AWS_SDK_LOAD_CONFIG=1

(This is taken from the AWS aws-sdk-js examples)

#!/usr/bin/env node

// Load the AWS SDK for Node.js
var AWS = require('aws-sdk');

// Create S3 service object
s3 = new AWS.S3({apiVersion: '2006-03-01'});

// Call S3 to list the buckets
s3.listBuckets(function(err, data) {
  if (err) {
    console.log("Error", err);
  } else {
    console.log("Success", data.Buckets);
  }
});

Steps to reproduce the behavior (please share code or minimal repo)

Expected behavior
Produces a list of S3 buckets

Actual Behavior

$ time ./listbuckets.js
Error Error: connect ETIMEDOUT 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1137:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: -60,
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2020-04-28T23:20:47.365Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: -60,
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-04-28T23:20:47.365Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: -60,
      code: 'ETIMEDOUT',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-04-28T23:20:47.364Z,
      originalError: [Object]
    }
  }
}

real    2m32.541s
user    0m0.283s
sys 0m0.051s

Additional Context

~/.aws/config and ~/.aws/credentials are configured and work with the aws-cli.
I believe that node scripts were working as of March 26th, but I have no proof of that.
Node scripts work correctly when using a profile that does not assume a role.

* config *

[default]
region=us-east-1

[profile work-mfa]
region=us-east-1

[profile work]
region=us-east-1
source_profile=work-mfa
mfa_serial=arn:aws:iam::333333333333:mfa/[email protected]
role_arn=arn:aws:iam::931974355355:role/lc/Administrator

* credentials *

[default]
aws_access_key_id=AKIAXXXXXXXXXXXXXXXXXXXX
aws_secret_access_key=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

[work-mfa]
aws_access_key_id=AKIAPPPPPPPPPPPPPPPP
aws_secret_access_key=QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ

bug

Source

klsetzer

All 4 comments

I have tried older versions of aws-sdk-js with the same results, so I'm not at all sure this is an aws-sdk-js issue.

klsetzer on 29 Apr 2020

Hey @klsetzer thank-you for reaching out to us with your issue, I was not able to reproduce the behavior exactly, I used the reproduction steps that you mentioned, I got the same error but my request did not hang.

Is there any other context that you may share?

ajredniwja on 30 Apr 2020

❤1

This is my mistake. I thought the SDK would request an MFA token interactively by default like the aws-cli did. I don't know how I got off on this tangent. Not enough ~~COVID-19~~ caffeine.

klsetzer on 30 Apr 2020

👍1

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.