Update credential precedence to match AWS CLI #621
Conversation
src/AWSCredentials.jl
Outdated
| elseif !isnothing(sso_start_url) | ||
| access_key, secret_key, token, expiry = _aws_get_sso_credential_details(p, ini) | ||
| return AWSCredentials(access_key, secret_key, token; expiry=expiry) |
There was a problem hiding this comment.
Potential breakage if someone was using dot_aws_config directly to get credentials for SSO support. If this is a concern I can leave this logic in place.
There was a problem hiding this comment.
I think it's probably safe to remove, but I feel like we should keep it in place. Having the rug pulled under you would be quite annoying.
There was a problem hiding this comment.
I think it's probably safe to remove, but I feel like we should keep it in place. Having the rug pulled under you would be quite annoying.
– #621 (comment)
There was a problem hiding this comment.
I'll add this back in with either a deprecation or just a comment
| if isfile(config_file) | ||
| ini = read(Inifile(), config_file) |
There was a problem hiding this comment.
We may want to refactor this credential code in the future to avoid reloading the config_file on each call. As this function and others are called in _aws_get_role we could see some improved performance with this change.
| # The AWS CLI uses the config file `credential_process` setting over | ||
| # specifying the config file `aws_access_key_id`/`aws_secret_access_key`. | ||
| @testset "precedence" begin | ||
| open(config_file, "w") do io | ||
| write( | ||
| io, | ||
| """ | ||
| [profile $(test_values["Test-Config-Profile"])] | ||
| aws_access_key_id = invalid | ||
| aws_secret_access_key = invalid | ||
| credential_process = $(abspath(credential_process_file)) | ||
| """, | ||
| ) | ||
| end | ||
|
|
||
| result = dot_aws_config(test_values["Test-Config-Profile"]) |
There was a problem hiding this comment.
Diff is pretty messy but this was refactored and moved into the "Credential Precedence" testset
|
bors try |
tryBuild failed: |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
bors try |
tryBuild failed: |
|
bors try |
tryBuild succeeded! The publicly hosted instance of bors-ng is deprecated and will go away soon. If you want to self-host your own instance, instructions are here. If you want to switch to GitHub's built-in merge queue, visit their help page. |
src/AWSCredentials.jl
Outdated
| elseif !isnothing(sso_start_url) | ||
| access_key, secret_key, token, expiry = _aws_get_sso_credential_details(p, ini) | ||
| return AWSCredentials(access_key, secret_key, token; expiry=expiry) |
There was a problem hiding this comment.
I think it's probably safe to remove, but I feel like we should keep it in place. Having the rug pulled under you would be quite annoying.
|
bors try |
tryBuild failed: |
|
bors try |
tryBuild failed: |
omus
force-pushed
the
cv/precedence
branch
2 times, most recently
from
bcb9319 to
380f7ba
Compare
|
bors try |
tryBuild succeeded! The publicly hosted instance of bors-ng is deprecated and will go away soon. If you want to self-host your own instance, instructions are here. If you want to switch to GitHub's built-in merge queue, visit their help page. |
|
bors try |
|
Alright, should be done with making any more changes to this PR. Summary of changes since the last review:
|
tryBuild succeeded! The publicly hosted instance of bors-ng is deprecated and will go away soon. If you want to self-host your own instance, instructions are here. If you want to switch to GitHub's built-in merge queue, visit their help page. |
|
bors r+ |
|
Build succeeded! The publicly hosted instance of bors-ng is deprecated and will go away soon. If you want to self-host your own instance, instructions are here. If you want to switch to GitHub's built-in merge queue, visit their help page. |
I noticed there were some credential precedence ordering differences between AWS.jl and AWS CLI. I ended up doing some experimentation with pairing different AWS CLI settings to determine the precedence ordering used by AWS CLI. Here are the results of those tests:
--profileused over envAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY--profileused over envAWS_PROFILEAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEYused over envAWS_PROFILEAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEYused over config filesso_*sso_*used over~/.aws/credentials(if exists)~/.aws/credentials(if exists) used over config filecredential_processcredential_processused over config fileaws_access_key_id/aws_secret_access_keyaws_access_key_id/aws_secret_access_keyused over EC2 instance metadataaws_access_key_id/aws_secret_access_keyused overAWS_CONTAINER_CREDENTIALS_FULL_URIUsing
aws-cli/2.11.13 Python/3.11.3 Darwin/22.4.0 source/arm64 prompt/offNotes:
sso_account_idorsso_role_namein a profile without othersso_*keys results in an error about missing required configuration. Definingsso_start_urlandsso_regionby themselves doesn't produce this error.AWS_SHARED_CREDENTIALS_FILEjust replaces~/.aws/credentials