DyfanJones
commented
2 years ago Ah sorry about that, i am currently on holiday and won't be able to do any work on this for 2 weeks. However in the meantime I am happy to receive any PRs.
Closed JonMerlevede closed 1 year ago
DyfanJones
commented
2 years ago Ah sorry about that, i am currently on holiday and won't be able to do any work on this for 2 weeks. However in the meantime I am happy to receive any PRs.
DyfanJones
commented
1 year ago Hi @JonMerlevede really sorry for the super long delay in this. I have been busy working on the R AWS SDK (paws). Would a simple fix be to remove: https://github.com/DyfanJones/RAthena/blob/d8646bc2c045d576b0ff30fb444043eef97b1e09/R/Driver.R#L246 and allow boto3 do the work instead.
DyfanJones
commented
1 year ago Please try out:
remotes::install_github("dyfanjones/RAthena", ref = "arn_role")Let me know if this fixes the issue
DyfanJones
commented
1 year ago RAthena v2.6.1 has been released to cran. It now lets boto3 sdk handle the role from environment variable AWS_ROLE_ARN. If this is still any issue please re-open the ticket
Issue Description
The code for
dbConnect()checks if theAWS_ROLE_ARNenvironment variable is set, and performs an explicit assume role operation if it is. To perform the assume role operation, it calls on Boto3. Boto3 also usesAWS_ROLE_ARNto determine which role to assume, for example when using web identity authentication. This causes RAthena to try to assume role A from role A, which is always superfluous and often denied.Reproducible Example
Set the
AWS_ROLE_ARNandAWS_WEB_IDENTITY_TOKEN_FILEenvironment variables; Boto3 can now authenticate.Assuming that
AWS_ROLE_ARNhas valuearn:aws:iam::123456789101:role/A, call ondbConnect()and get the exception:If unsetting
AWS_ROLE_ARN, call ondbConnect()and get the exception:Proposed solution
Allow a value for the
aws_roleparameter that does not trigger an assume role operation, even ifAWS_ROLE_ARNis set.