AWS profiles conflict with AWS variables exported in shell #70

Open
wwwater opened this issue Jan 24, 2018 · 5 comments

@wwwater

wwwater commented Jan 24, 2018

ISSUE TYPE
  • Documentation Report
OS / ENVIRONMENT

*nix

SUMMARY

When I have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY exported in my .bashrc, these are preferred to the credentials that are stated in my ~/.aws/credentials, so setting --profile doesn't take any effect.

EXPECTED RESULTS

Could you please add this to the documentation?
https://github.com/schibsted/strongbox/wiki/MFA

@emilva
Contributor

emilva commented Jan 24, 2018

Could you create a pull request with the clarifying information?

@wwwater
Author

wwwater commented Jan 30, 2018

@emilva
I dug a bit deeper and now I think that it's actually a bug.
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
Take a look at the section below, about the precedence of credentials. It says that if you specify "--profile" in the command line, it should precede the ENV variables. But in your case, it doesn't. Env vars still win. This works well in, for example, https://github.schibsted.io/spt-infrastructure/rhea

@emilva
Contributor

emilva commented Jan 31, 2018

I see! It looks like Strongbox is reading ENV before System Properties and then Profile credentials. Maybe @stiankri can clarify if there was a specific reason for this ordering. If not, we can probably rearrange it to follow the CLI conventions.
https://github.com/schibsted/strongbox/blob/master/sdk/src/main/java/com/schibsted/security/strongbox/sdk/internal/config/credentials/CustomCredentialsProviderChain.java

@stiankri
Collaborator

Thanks for reporting this and apologies for not responding sooner. The goal is to be compatible with the AWS CLI so explicitly specifying --profile should indeed take precedence.

Backdrop
We started out from the AWS Java SDK's DefaultAWSCredentialsProviderChain. The Java SDK is unfortunately not compatible with the AWS CLI. In particular it was not able to handle MFA and assuming roles when using profiles, which is why we made our own CustomCredentialsProviderChain, with an improved ProfileCredentialProvider, but otherwise keeping the chain ordering (i.e. a step in the right direction).

Making the changes
Care must be taken when implementing this to not break other expected behavior. We might be able to check if the profile is explicitly set and then call the ProfileCredentialProvider directly, rather than using the chain? At the same time it would make sense to go over the other rules to see if there is something else we have missed.
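
An added sketch (not Strongbox code and not part of the thread) of the two orderings discussed above: the chain order reported in the issue, and calling the profile provider directly when a profile is explicitly set. It is a simplified Python model that omits the Java system-properties step; the function names, the sample credentials file, the exported values and the choice to raise on a missing explicit profile are assumptions made for illustration.

```python
import configparser

# Constructed sample input: a ~/.aws/credentials file and exported variables.
CREDENTIALS_FILE = """\
[default]
aws_access_key_id = CONSTRUCTED_DEFAULT_KEY_ID
aws_secret_access_key = constructed-default-secret
[prod]
aws_access_key_id = CONSTRUCTED_PROD_KEY_ID
aws_secret_access_key = constructed-prod-secret
"""
ENV = {"AWS_ACCESS_KEY_ID": "CONSTRUCTED_ENV_KEY_ID",
       "AWS_SECRET_ACCESS_KEY": "constructed-env-secret"}


class ProfileNotFound(Exception):
    """The explicitly requested profile is not in the credentials file."""


def from_env(env):
    """Return ("env", key id) when both variables are exported, else None."""
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    return ("env", key) if key and secret else None


def from_profile(file_text, name):
    """Return ("profile:<name>", key id) when the profile exists, else None."""
    parser = configparser.ConfigParser()
    parser.read_string(file_text)
    key = parser.get(name, "aws_access_key_id", fallback=None)
    return (f"profile:{name}", key) if key else None


def resolve_chain_order(env, file_text, profile="default"):
    """Ordering reported in the thread: environment first, profile last."""
    return from_env(env) or from_profile(file_text, profile)


def resolve_explicit_first(env, file_text, explicit_profile=None):
    """Proposed ordering: an explicit --profile bypasses the chain."""
    if explicit_profile is None:
        return resolve_chain_order(env, file_text)
    found = from_profile(file_text, explicit_profile)
    if found is None:
        # Assumption: fail closed rather than silently use the exported keys.
        raise ProfileNotFound(explicit_profile)
    return found


if __name__ == "__main__":
    print(resolve_chain_order(ENV, CREDENTIALS_FILE, "prod"))     # env wins
    print(resolve_explicit_first(ENV, CREDENTIALS_FILE, "prod"))  # prod wins
```

Only the credential source and key id are returned, so the secret never reaches logs or test output.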

@stiankri
Collaborator

+1 to fix this based on user feedback.
