Aws-sdk-php: AssumeRoleWithWebIdentityCredentialProvider: Missing or locked AWS_WEB_IDENTITY_TOKEN_FILE

Created on 9 Dec 2020  路  4Comments  路  Source: aws/aws-sdk-php

Describe the bug
We get sporadically the following failure on assumeRoleWithWebIdentity():

[WebIdentityToken] must be a string or an object that implements __toString(). Found bool(false) (0)

Method: Aws\Credentials\AssumeRoleWithWebIdentityCredentialProvider->__invoke()

file_get_contents() return's bool(false).

It seems that the AWS_WEB_IDENTITY_TOKEN_FILE is locked or missing during loading of the file content. I don't know exactly what happens, when the token-file is updated with a new token but there seems to be a kind of race condition.

Version of AWS SDK for PHP?
v3.166.0

Version of PHP (php -v)?
PHP 7.3.25

To Reproduce (observed behavior)

I was able to reproduce it with an empty token, which leads to a similar problem:

First create an empty token file and set needed ENV's:

touch /tmp/token.file
export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/token.file
export AWS_ROLE_ARN=arn:aws:iam::123456789123:policy/AnyPolicy

Code:

use Aws\Credentials\CredentialProvider;
use GuzzleHttp\Promise\Coroutine;

$provider = CredentialProvider::assumeRoleWithWebIdentityCredentialProvider([]);
/** @var Coroutine $coroutine */
$coroutine = $provider();
$coroutine->then(function () {
    echo 'success';
})->otherwise(function (\RuntimeException $e) {
    echo sprintf('%s: %s', $e->getCode(), $e->getMessage());
});

Failure:

[WebIdentityToken] expected string length to be >= 4, but found string length of 1 (0)

Expected behavior
My guess is that the token file is sporadically locked or missing when it is in exchange.
I think this should lead to an AwsException with code "InvalidIdentityToken" to trigger the retry mechanism.

bug needs-triage

Most helpful comment

Hi @tobiashaase,
Just wanted to give you an update. I discussed it with some of the other SDKs, and determined the best solution is to implement retries in a way similar to the retries for using the credential file, but with a separate retry counter. I will make the changes and update the PR ASAP.

All 4 comments

hi @tobiashaase,

Thank you for bringing this to our attention- we can definitely create a PR to check the type and length of the contents :)

I will close this issue when it is merged

-Sam

Hi @tobiashaase,
Just wanted to give you an update. I discussed it with some of the other SDKs, and determined the best solution is to implement retries in a way similar to the retries for using the credential file, but with a separate retry counter. I will make the changes and update the PR ASAP.

OK - thank you SamRemis.

鈿狅笍COMMENT VISIBILITY WARNING鈿狅笍

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Was this page helpful?
0 / 5 - 0 ratings