-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
botocore does not ignore credential_process when that configuration value is blank (empty string) #3098
Labels
Comments
rdctmeconomou
added
bug
This issue is a confirmed bug.
needs-triage
This issue or PR still needs to be triaged.
labels
Jan 13, 2024
RyanFitzSimmonsAK
added
investigating
This issue is being investigated and/or work is in progress to resolve the issue.
credentials
p3
This is a minor priority issue
needs-review
This issue or pull request needs review from a core team member.
and removed
needs-triage
This issue or PR still needs to be triaged.
investigating
This issue is being investigated and/or work is in progress to resolve the issue.
labels
May 7, 2024
RyanFitzSimmonsAK
removed
the
needs-review
This issue or pull request needs review from a core team member.
label
May 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Describe the bug
The AWS CLI documentation on changing configuration settings using commands says:
However, if one sets
credential_process
to the empty string, botocore neither removes the configuration variable from the configuration file nor ignores its value. Instead, subsequent invocations of the AWS CLI or botocore library result in anIndexError
whenbotocore.credentials.ProcessProvider._retrieve_credentials_using()
passes an empty list derived from the empty string value tosubprocess.Popen()
at botocore/credentials.py line 1019.Expected Behavior
botocore (and by extension the AWS CLI) should act as if the
credential_process
configuration variable is unset when it has an empty string value as described in the AWS CLI documentation linked above.Current Behavior
One cannot remove the
credential_process
setting without editing the configuration file.Reproduction Steps
I've trimmed the output to focus on the expected behavior (
NoCredentialsError
inbotocore.auth.add_auth()
when no credentials are set) versus the current behavior (IndexError
insubprocess._execute_child()
whencredentials_process
is set to the empty string).Possible Solution
The simplest fix may be to treat the value of
credential_process
as a boolean when deciding whether to use it inbotocore.credentials.ProcessProvider.load()
at botocore/credentials.py line 997. The current behavior of botocore as described above is obviously wrong.While one might also modify
awscli.customizations.configure.writer.ConfigFileWriter._update_section_contents()
to delete configuration variables with empty string values, some configuration variables have different behavior when they do not exist versus when they are set to the empty string, e.g.,cli_pager
. I think the required logic to handle these cases would require too much effort to maintain for this approach to be worthwhile. Or one might define anaws configure
subcommand that deletes configuration variables, but that just shifts the maintenance burden of when to delete a configuration variable versus when to set it to the empty string from theConfigFileWriter
code to the AWS CLI or botocore documentation.Additional Information/Context
I didn't realize that AWS CLI version 2 uses its own version of botocore (cf. aws/aws-cli#6494). However, the problematic behavior is identical.
SDK version used
botocore 1.34.18 and AWS CLI 1.32.18, botocore 2.0.0dev155 and AWS CLI 2.15.10
Environment details (OS name and version, etc.)
Python 3.11.7 installed via MacPorts on macOS 12.7.1 (x86_64)
The text was updated successfully, but these errors were encountered: