Issue
SharedCredentials not loading profiles from ~/.aws/config correctly. Whenever I am using SharedCredentials referring to a profile defined in ~/.aws/config using a role_arn, the profile is loaded, but it doesn't assume the role specified.
Tested with aws-sdk version: aws-sdk-core-2.9.13
Examples
~/.aws/credentials
[integration]
aws_access_key_id = xxxxx
aws_secret_access_key = yyyyy
[other]
aws_access_key_id = zzzzzz
aws_secret_access_key = wwwww
````
~/.aws/config
```ini
[profile dev]
role_arn = arn:aws:iam::1111111111111:role/my_role
source_profile = integration
````
Using the SDK:
```ruby
$ bundle exec irb
irb(main):001:0> require 'aws-sdk'
=> true
irb(main):002:0> cred = Aws::SharedCredentials.new(profile_name: 'dev')
=> #<Aws::SharedCredentials profile_name="dev" path="/Users/marcelo.carlos/.aws/credentials">
irb(main):003:0> client = Aws::S3::Client.new(credentials: cred, region: 'eu-west-1')
=> #<Aws::S3::Client>
irb(main):004:0> client.list_buckets
Aws::Errors::MissingCredentialsError: unable to sign request without credentials set
from /Users/my-user/.rbenv/versions/2.2.3/lib/ruby/gems/2.2.0/gems/aws-sdk-core-2.9.13/lib/aws-sdk-core/plugins/request_signer.rb:104:in `require_credentials'
## [TRUNCATED] ##
However, if using a profile specified in ~/.aws/credentials (e.g. other), it works.
After some digging, it appears to me that credentials_from_profile(prof_config) (code here) in file shared_config.rb always returns nil, since the method credentials_from_profile called by credentials_from_config expects aws_access_key_id, aws_secret_access_key and aws_session_token to be set, and they will only be set after the role is assumed. Because of that, the elsif here is never valid.
Unless I misunderstood the idea, I'd expect the Aws::SharedCredentials.new(profile_name: 'dev') to assume the role specified in the config file and work fine with Aws::S3::Client.new(credentials: cred, region: 'eu-west-1') and any other client (e.g. Aws::Cloudformation::Client. But it doesn't happen.
In other words, shouldn't Aws::SharedCredentials.new(profile_name: 'dev') automatically call Aws::STS::Client and Aws::AssumeRoleCredentials and return the assumed credentials?
Thank you
When you're using SharedCredentials directly, it expect the access key and secret key to be set. It's meant for loading static credentials from config only. You have two choices to get the behavior you want:
Aws::S3::Client.new(profile: 'dev', region: 'eu-west-1') should work with the credential files described above. The only caveat is that if you have defined environment variables with credentials, those would be loaded first using the default credential provider chain.AssumeRoleCredentials directly. Loading your credentials directly from shared config in this mode is an outstanding feature request, but it will call assume role on your behalf.I'd recommend the default credential provider chain approach.
Thanks Alex,
I'd rather avoid using the first option exactly because of the caveat of the environment variables. I've had quite a few problems with that in the past and I'd rather make everything explicit and predictable. It seems that it is the cause of the "problems" I'm having in my tests when using the default credential provider are also related to that. Even when I the profile is explicitly defined (e.g. profile: 'dev') it completely ignores it if environment variables are defined. Is that the correct behaviour even when specifying theprofile` parameter? If so, shouldn't it be a little clearer?
Anyhow, using AssumeRoleCredentials directly seems a better option. Any idea about how far is that in the roadmap?
I've implemented an method to perform that in the meantime, which parses both ~/.aws/credentials and ~/.aws/config and uses Aws::STS::Client and Aws::AssumeRoleCredentials if a profile contains role_arn. Also, if it finds source_profile it forces the use of aws_access_key_id and aws_secret_access_key of the source profile. This is working fine for me, but it is more of a temporary measure.
That does sound like another vote for the "integrate AssumeRoleCredentials with shared config" feature request.
Tracked in our feature backlog, closing.
@marcelocarlos would you mind sharing the code.
Most helpful comment
That does sound like another vote for the "integrate AssumeRoleCredentials with shared config" feature request.