Roles are not supported

[timothy-volvo]

The way the client is being instantiated, the role_arn is being ignored from the config/credentials file. According to a comment in issue 1256 of the aws-ruby-sdk, it appears the recommended way of instantiating a client is to pass the options in as a hash and let the SDK work out the security configuration.

For example:

  client_cfg = {}
  client_cfg[:region] = s3_region if s3_region
  client_cfg[:endpoint] = s3_endpoint if s3_endpoint
  client_cfg[:profile] = s3_profile if s3_profile
  client_cfg[:credentials] = Aws::Credentials.new(s3_access_key, s3_secret_access_key) if s3_access_key && s3_secret_access_key

        s3_client = Aws::S3::Client.new(client_cfg)

Here is a sample ~/.aws/credential

aws_access_key_id=XXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXXXXXXXXX

[pitdevops]
role_arn=arn:aws:iam::000000000000:role/RoleName
source_profile=default

I will create a PR

[timothy-volvo]

@joshdholtz, is this issue resolved by PR #86? I will try to test myself, but don't have an environment setup at the moment.

I have doubts as I thought Instance profiles were for EC2. If my understanding is correct, then shouldn't PR #86 have introduced a boolean flag to indicate whether to use InstanceProfile or not. If false and no other s3_* flags are set then the credentials would be resolved from the environment, which is what I am proposing in this ticket / PR #55

[joshdholtz]

@timothy-volvo I’ll take a deeper look today! I thought it did but I will make sure.

[mrosales]

#86 still won't resolve this. As an example, using STS credentials, you must pass AWS_ACCESS_KEY_ID, AWS_ACCESS_SECRET_KEY and AWS_SESSION_TOKEN. After this PR, roles assumed by STS will still not work because specifying the first two as parameters will result in incomplete credentials and omitting them results in using InstanceProfileCredentials rather than the default chain.

AWS uses some non-trivial logic to initialize a session, so unless this plugin is doing something special or custom to initialize the session, I would strongly suggest using the default credential provider chain as the default if you don't specify explicit credentials instead of using AWS:: InstanceProfileCredentials

Here's the source to what the credential chain tries to do:

It includes:

• static_credentials
• static_profile_assume_role_web_identity_credentials
• static_profile_assume_role_credentials
• static_profile_credentials
• static_profile_process_credentials
• env_credentials
• assume_role_web_identity_credentials
• assume_role_credentials
• shared_credentials
• process_credentials
• instance_profile_credentials

[joohae-kim]

I wonder if we can simply add a option variable for AWS_SESSION_TOKEN to use STS credentials
I can use session token with AWS_PROFILE options, but I have to update .aws/credential file almost every release
hence, I wish I can use the AWS_SESSION_TOKEN environmental variable

I touched up the code a little and it looks working fine for my case:
the Aws::Credentials.new() allows the session token for the third parameter, and the value is null by default

diff --git a/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb b/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
index 4a33e54..7f4f434 100644
--- a/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
+++ b/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
@@ -32,6 +32,7 @@ module Fastlane
         params[:release_notes] = config[:release_notes]
         params[:access_key] = config[:access_key]
         params[:secret_access_key] = config[:secret_access_key]
+        params[:aws_session_token] = config[:aws_session_token]
         params[:aws_profile] = config[:aws_profile]
         params[:bucket] = config[:bucket]
         params[:endpoint] = config[:endpoint]
@@ -65,6 +66,7 @@ module Fastlane
         s3_region = params[:region]
         s3_access_key = params[:access_key]
         s3_secret_access_key = params[:secret_access_key]
+        s3_session_token = params[:aws_session_token]
         s3_profile = params[:aws_profile]
         s3_bucket = params[:bucket]
         s3_endpoint = params[:endpoint]
@@ -89,7 +91,7 @@ module Fastlane
         client_cfg[:region] = s3_region if s3_region
         client_cfg[:endpoint] = s3_endpoint if s3_endpoint
         client_cfg[:profile] = s3_profile if s3_profile
-        client_cfg[:credentials] = Aws::Credentials.new(s3_access_key, s3_secret_access_key) if s3_access_key && s3_secret_access_key
+        client_cfg[:credentials] = Aws::Credentials.new(s3_access_key, s3_secret_access_key, s3_session_token) if s3_access_key && s3_secret_access_key

         s3_client = Aws::S3::Client.new(client_cfg)

@@ -736,6 +738,11 @@ module Fastlane
                                        description: "AWS Secret Access Key ",
                                        optional: true,
                                        default_value: ENV['AWS_SECRET_ACCESS_KEY']),
+          FastlaneCore::ConfigItem.new(key: :aws_session_token,
+                                       env_name: "S3_SESSION_TOKEN",
+                                       description: "AWS Session TOKEN ",
+                                       optional: true,
+                                       default_value: ENV['AWS_SESSION_TOKEN']),
           FastlaneCore::ConfigItem.new(key: :aws_profile,
                                        env_name: "S3_PROFILE",
                                        description: "AWS profile to use for credentials",