Issues with profile-based credentials #2794

Open
BVMiko opened this issue Oct 12, 2023 · 1 comment
Labels
bug This issue is a bug. p2 This is a standard priority issue queued This issues is on the AWS team's backlog

Comments


BVMiko commented Oct 12, 2023

Describe the bug

When using a specific profile (configured via the AWS_PROFILE environment variable) with a role_arn set for that profile, the CredentialProvider doesn't search the ~/.aws/credentials file for the source_profile's credentials. This is different from how both the AWS CLI and Python (boto3) behave.

Expected Behavior

I expect that using the AWS_PROFILE=foobar environment variable will properly use STS by pulling the source credentials from ~/.aws/credentials.

Current Behavior

When processing the role_arn, it only searches for the credentials in the ~/.aws/config file, instead of the more appropriate ~/.aws/credentials file.

Reproduction Steps

With the ~/.aws/config:

[default]
region = us-east-1

[profile foobar]
source_profile = default
role_arn = arn:aws:iam::123:role/OrganizationAccessRole
region = us-east-1

And the ~/.aws/credentials file:

[default]
aws_access_key_id = ASIA...
aws_secret_access_key = ...
aws_session_token = ...

Use the AWS_PROFILE=foobar environment variable.

Possible Solution

The code here should first check the ~/.aws/credentials file with:

CredentialProvider::ini($sourceProfileName, null, $config)

and on rejection it should try the ~/.aws/config file as it is doing currently:

CredentialProvider::ini($sourceProfileName, $filename, $config)

Additional Information/Context

No response

SDK version used

3.283.2

Environment details (Version of PHP (php -v)? OS name and version, etc.)

PHP 8.2.11; Ubuntu Linux 22.04
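To make the lookup order the report asks for concrete, here is an added Python re-implementation of the profile-resolution step (this is illustrative code, not the SDK's own; the INI contents are constructed from the report and the key values are placeholders). Passing search_credentials_file=False models the reported behaviour, where only ~/.aws/config is consulted for the source_profile.

```python
import configparser
# Constructed sample files modelled on the report; the key values are placeholders.
CONFIG_INI = """
[default]
region = us-east-1
[profile foobar]
source_profile = default
role_arn = arn:aws:iam::123:role/OrganizationAccessRole
region = us-east-1
"""
CREDENTIALS_INI = """
[default]
aws_access_key_id = ASIAEXAMPLEKEYID
aws_secret_access_key = example-secret
aws_session_token = example-session-token
"""
KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")

def load_ini(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def config_section(profile):
    # In ~/.aws/config every profile except 'default' carries a 'profile ' prefix.
    return profile if profile == "default" else f"profile {profile}"

def find_static_credentials(profile, credentials, config):
    # Lookup order the report asks for: ~/.aws/credentials first, then ~/.aws/config.
    for section in (credentials.get(profile, {}), config.get(config_section(profile), {})):
        if "aws_access_key_id" in section and "aws_secret_access_key" in section:
            return {k: section[k] for k in KEY_FIELDS if k in section}
    return None

def resolve_profile(profile, config_text, credentials_text, search_credentials_file=True):
    # search_credentials_file=False reproduces the reported behaviour: only ~/.aws/config is read.
    config = load_ini(config_text)
    credentials = load_ini(credentials_text) if search_credentials_file else {}
    section = config.get(config_section(profile), {})
    if "role_arn" not in section:
        return {"kind": "static", "credentials": find_static_credentials(profile, credentials, config)}
    source = section.get("source_profile", "default")
    source_creds = find_static_credentials(source, credentials, config)
    if source_creds is None:
        raise LookupError(f"no static credentials found for source_profile {source!r}")
    return {"kind": "assume_role", "role_arn": section["role_arn"],
            "source_profile": source, "source_credentials": source_creds}
```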

@BVMiko BVMiko added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 12, 2023
@yenfryherrerafeliz yenfryherrerafeliz self-assigned this Oct 12, 2023
yenfryherrerafeliz (Contributor) commented

Hi @BVMiko, sorry to hear about your issues. I can confirm the reported behavior, so I will add a needs-review label to it so we can address this further.

Test code:

<?php
// Reproduction from the comment: load the SDK, then build an S3 client whose
// credentials come from the 'issue-2794' profile in the config file at /PATH/config.
require '../vendor/autoload.php';

use Aws\S3\S3Client;
use Aws\Credentials\CredentialProvider;

$client = new S3Client([
    // The profile sets role_arn and source_profile; the source credentials live in /PATH/credentials.
    'credentials' => CredentialProvider::ini('profile issue-2794', '/PATH/config'),
    'region' => 'us-east-2'
]);
// Any signed call fails if the source_profile credentials cannot be resolved.
$response = $client->listBuckets();

print_r($response);

/PATH/config

[profile issue-2794]
source_profile=default
role_arn=arn:aws:iam::account:role/Admin
region=us-east-2

/PATH/credentials

[default]
aws_access_key_id=redacted
aws_secret_access_key=redacted
aws_session_token=redacted

Thanks!

@yenfryherrerafeliz yenfryherrerafeliz added needs-review p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Oct 13, 2023
@yenfryherrerafeliz yenfryherrerafeliz added queued This issues is on the AWS team's backlog and removed needs-review labels Dec 4, 2023