aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

AWS CLI commands fail in `runShellScript` action with credential variables set #497

Closed patricksanders closed 1 year ago

patricksanders commented 1 year ago

When upgrading the SSM agent on Ubuntu 18.04 from 3.1.x to 3.2.x, our aws:runShellScript actions began failing with an error when AWS CLI commands are executed:

```
$ aws s3 cp file.xyz s3://[snip]

The config profile (default) could not be found
```

These commands are configured to set environment variables containing session credentials in AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN based on parameter inputs. It appears that a change between 3.1.x and 3.2.x started setting the AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE variables in the run environment, which is likely the cause of the error.

3.1.x environment:

```
$ env | grep AWS_ | grep -v AWS_SECRET_ACCESS_KEY
AWS_SSM_INSTANCE_ID=[snip]
AWS_SSM_PLATFORM_NAME=Ubuntu
AWS_SSM_PLATFORM_VERSION=18.04
AWS_SESSION_TOKEN=[snip]
AWS_ACCESS_KEY_ID=[snip]
AWS_SSM_REGION_NAME=us-east-1
```

3.2.x environment:

```
$ env | grep AWS_ | grep -v AWS_SECRET_ACCESS_KEY
AWS_SSM_INSTANCE_ID=[snip]
AWS_SSM_PLATFORM_NAME=Ubuntu
AWS_PROFILE=default
AWS_SSM_PLATFORM_VERSION=18.04
AWS_SESSION_TOKEN=[snip]
AWS_SHARED_CREDENTIALS_FILE=/var/lib/amazon/ssm/credentials
AWS_ACCESS_KEY_ID=[snip]
AWS_SSM_REGION_NAME=us-east-1
```

gianniLesl commented 1 year ago

Hi, we are rolling out a fix for this issue. It should be available in all regions by 1/27/2023.

https://github.com/aws/amazon-ssm-agent/releases/tag/3.2.532.0

patricksanders commented 1 year ago

Great, thanks for the update @gianniLesl

gianniLesl commented 1 year ago

The fix is now released in all regions. Please re-open if you still experience issues with this.
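
The following guard is an added example, not part of the thread and not code from the SSM agent. It shows one way a `runShellScript` command that sets its own session credentials could defend against an inherited `AWS_PROFILE` / `AWS_SHARED_CREDENTIALS_FILE` pair like the one in the 3.2.x environment listing above. The function names are hypothetical, and it assumes the error arises because `AWS_PROFILE` names a profile that is not defined in any file the CLI reads.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not from amazon-ssm-agent.

# profile_defined NAME FILE...
# Succeeds if a readable FILE has a section header for NAME. Both the
# credentials-file form "[NAME]" and the config-file form "[profile NAME]"
# are accepted in either file; matching is literal and whole-line.
profile_defined() {
    name=$1
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -Fxq -e "[$name]" -e "[profile $name]" "$f"; then
            return 0
        fi
    done
    return 1
}

# prefer_explicit_credentials
# If the script was handed a key pair through the environment and the
# inherited AWS_PROFILE points at a profile that does not exist, drop the
# inherited profile selection so the run environment matches the 3.1.x
# listing (explicit AWS_* credential variables only).
prefer_explicit_credentials() {
    # Only act when both halves of an explicit key pair are present.
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || return 0
    # Nothing inherited to clear.
    [ -n "${AWS_PROFILE:-}" ] || return 0

    creds=${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}
    conf=${AWS_CONFIG_FILE:-$HOME/.aws/config}

    # A profile that really exists is left alone: the caller may want it.
    if profile_defined "$AWS_PROFILE" "$creds" "$conf"; then
        return 0
    fi

    # Log variable names and the profile name only, never credential values.
    echo "clearing AWS_PROFILE=$AWS_PROFILE (not defined in $creds or $conf)" >&2
    unset AWS_PROFILE AWS_SHARED_CREDENTIALS_FILE
}

# Call once after exporting the session credentials, before any aws command.
prefer_explicit_credentials
```

The guard leaves `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` untouched and does nothing when no explicit key pair is set, so it is safe to keep in place after upgrading to a fixed agent release.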