Setting both AWS_PROFILE and AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY is now issuing a warning in Javascript SDK #737

Open
andrewpatto opened this issue Aug 16, 2024 · 4 comments

Comments

@andrewpatto

A recent commit, aws/aws-sdk-js-v3@d1105e3, means that now the JavaScript SDK prints a warning:

Both AWS_PROFILE and the pair AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY static credentials are set.
...

I used granted in a mode where I run assume in an otherwise unconfigured shell to set the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY variables
and don't use profiles anywhere downstream. I do not have AWS_PROFILE set before running assume.

Is it possible for granted to have a flag to "not set" AWS_PROFILE as part of its env variables export (now that it seems that officially the AWS SDKs are complaining about it)?

@can-sahin-gowago

Came here to open up this issue. Same.

Running assume -x, and I wish it didn't export the AWS_PROFILE env var.

@chrnorm
Contributor

chrnorm commented Oct 1, 2024

Thanks @andrewpatto @can-sahin-gowago, we will need to get this behavior fixed. If you could share a copy of your ~/.aws/config with the affected profile in this issue that would be helpful (I’d like to confirm if you are using the Granted credential process integration or not). Feel free to redact account IDs etc from it.

@andrewpatto
Author

Thanks for looking into this! This is my ~/.aws/config (redacted). I do not have any ~/.aws/credentials present.

[sso-session mycompany]
sso_start_url = https://mycompany.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access

[profile mycompany-dev]
sso_session = mycompany
sso_account_id = 000000000000
sso_role_name = AdministratorAccess
region = ap-southeast-2

After doing an assume mycompany-dev (from a shell with no AWS related environment set) - I end up with this set

GRANTED_COMMAND=mycompany-dev
AWS_ACCESS_KEY_ID=Axxxxxxxxxxx5
AWS_SECRET_ACCESS_KEY=fxxxxxxxxxxxE
AWS_SESSION_TOKEN=Ixxxxxxxxxxxxxxxxxxxxxxx=
AWS_PROFILE=mycompany-dev
AWS_REGION=ap-southeast-2
AWS_DEFAULT_REGION=ap-southeast-2
AWS_SESSION_EXPIRATION=2024-10-02T20:09:31+10:00
AWS_CREDENTIAL_EXPIRATION=2024-10-02T20:09:31+10:00
GRANTED_SSO=false

@can-sahin-gowago

[profile xxxx]
granted_sso_start_url = https://xxxx.awsapps.com/start/
granted_sso_region = eu-central-1
granted_sso_account_id = xxxx
granted_sso_role_name = xxxx
common_fate_generated_from = aws-sso
credential_process = granted credential-process --profile xxxx
duration_seconds = 11111

I do use the credentials process. I get the same env output as the above command. What rarely causes a bug (apart from the warning) is that sometimes I need to --export as well, and the .aws/credentials expire after a while, but aws-cli still uses the AWS_PROFILE (which is expired now) even though my fresh creds are in the shell env via -x.
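The following Node.js sketch is an added example, not part of the thread and not code from Granted or the AWS SDK. It audits an environment shaped like the `assume` output quoted above for the condition the SDK warning names, checks `AWS_CREDENTIAL_EXPIRATION`, and builds a child-process environment without `AWS_PROFILE`; the helper names `auditAwsEnv` and `withoutProfile` and all sample values are constructed for illustration.

```javascript
// Added example. auditAwsEnv / withoutProfile are hypothetical helper names;
// the variable names are the ones shown in the `assume` output in this issue.

function auditAwsEnv(env, now = new Date()) {
  const hasKeyId = Boolean(env.AWS_ACCESS_KEY_ID);
  const hasSecret = Boolean(env.AWS_SECRET_ACCESS_KEY);
  const hasStatic = hasKeyId && hasSecret;
  const findings = [];

  // The condition the SDK warning describes: a profile AND a static key pair.
  if (hasStatic && env.AWS_PROFILE) findings.push("profile-and-static-keys");

  // Only half of the pair is exported, so the static credentials are unusable.
  if (hasKeyId !== hasSecret) findings.push("incomplete-static-keys");

  // The expiration is an RFC 3339 timestamp with offset, e.g. ...T20:09:31+10:00.
  const raw = env.AWS_CREDENTIAL_EXPIRATION;
  if (hasStatic && raw) {
    const expires = Date.parse(raw);
    if (Number.isNaN(expires)) findings.push("unparseable-expiration");
    else if (expires <= now.getTime()) findings.push("static-keys-expired");
  }
  return findings;
}

// Copy of env with AWS_PROFILE dropped, but only when a complete static key
// pair is present (otherwise the profile is the only credential source).
// Intended use: spawn(cmd, args, { env: withoutProfile(process.env) })
function withoutProfile(env) {
  const copy = { ...env };
  if (copy.AWS_ACCESS_KEY_ID && copy.AWS_SECRET_ACCESS_KEY) delete copy.AWS_PROFILE;
  return copy;
}

// Constructed sample mirroring the redacted output in the issue (placeholder values).
const SAMPLE_ENV = {
  AWS_ACCESS_KEY_ID: "EXAMPLEKEYID",
  AWS_SECRET_ACCESS_KEY: "example-secret",
  AWS_SESSION_TOKEN: "example-token",
  AWS_PROFILE: "mycompany-dev",
  AWS_REGION: "ap-southeast-2",
  AWS_CREDENTIAL_EXPIRATION: "2024-10-02T20:09:31+10:00",
};

console.log(auditAwsEnv(SAMPLE_ENV, new Date("2024-10-02T09:00:00Z")));
console.log(auditAwsEnv(withoutProfile(SAMPLE_ENV), new Date("2024-10-02T09:00:00Z")));
```
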
