aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Sourcing credentials via external Process - Browser not opening up #5506

Open Tanmayshetty opened 4 years ago

Tanmayshetty commented 4 years ago

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug

I am using the feature to source credentials from a third-party source using credential_process: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

I would like to occasionally open up the browser to authenticate the user with the command that I run. I am using a CLI built with Node.js and https://github.com/sindresorhus/open to open up the browser.

This process works fine on AWS CLI v1 but fails in AWS CLI v2.

SDK version number

    aws-cli/2.0.44 Python/3.7.3 Linux/4.14.192-147.314.amzn2.x86_64 exe/x86_64.amzn.2

Platform/OS/Hardware/Device

What are you running the cli on?

    LSB Version: :core-4.1-amd64:core-4.1-noarch
    Distributor ID: Amazon
    Description: Amazon Linux release 2 (Karoo)
    Release: 2
    Codename: Karoo

To Reproduce (observed behavior)

Steps to reproduce the behavior

  1. Install open CLI (https://github.com/sindresorhus/open-cli) globally

    npm install --global open-cli

  2. For a profile add the open-cli command to open up a browser

    [profile test]
    credential_process = open-cli https://www.amazon.com --wait

  3. Run aws command with profile test.

    aws s3 ls --profile test

Expected behavior

The browser should open up

Logs/output

open-cli-v2.txt open-cli-v1.txt

Additional context

The above will not generate a valid token but is an example of the browser not opening up. Both logs have errors, but for AWS CLI v1 the browser opens up.

Edit: This issue occurs only for the Firefox browser

kdaily commented 4 years ago

I am able to reproduce, marking as a bug. Thanks!

joguSD commented 4 years ago

I haven't taken a look at the logs but my hunch says it's likely the same issue as the one fixed here: https://github.com/aws/aws-cli/pull/4964

alfonso-presa commented 4 years ago

Hi @joguSD,

I think this is exactly what is happening to us. We have a custom credential process, and it's failing apparently because of this issue. It's a Python 3 development that bootstraps a web server and opens a web browser to receive credentials from our own IDP. The browser never opens.

Unsetting LD_LIBRARY_PATH prior to executing our tool in the credential_process entry inside sh -c solves the issue, but it's kind of hacky.

To reproduce the problem easily, just add this to the aws config file on a Linux machine:

[profile fake]
credential_process=google-chrome www.google.es

Then run AWS_PROFILE=fake aws s3 ls from a terminal.

Obviously it will fail as no credentials would be provided, but the expected behaviour would be to open the browser, and it would not.

Changing the config to:

[profile fake]
credential_process=bash -c "unset LD_LIBRARY_PATH; google-chrome www.google.es"

Would make the browser start opening.

For me it's failing with both Chrome and Firefox.

alfonso-presa commented 4 years ago

@joguSD ... I guess the issue is coming from here: https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L974. I'm going to file an issue at botocore.

jtsoi commented 3 years ago

@joguSD @alfonso-presa The issue is the same as for https://github.com/aws/aws-cli/pull/4964. LD_LIBRARY_PATH is added by AWS CLI PyInstaller; I don't think boto should fix it. See: https://github.com/boto/botocore/issues/2195#issuecomment-849091775
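
An added example, not part of the thread and not AWS CLI or botocore code: a Python credential helper can undo the bundled parent's LD_LIBRARY_PATH itself before spawning children, instead of wrapping the command in `bash -c "unset LD_LIBRARY_PATH; ..."`. It assumes PyInstaller's documented convention of saving the caller's original value in LD_LIBRARY_PATH_ORIG; the function names and the `/tmp/_MEIconstructed` path are made up for illustration.

```python
import os
import subprocess
import sys

LIB_VAR = "LD_LIBRARY_PATH"
ORIG_VAR = "LD_LIBRARY_PATH_ORIG"  # assumption: set by the PyInstaller bootloader


def sanitized_env(env=None):
    """Return a copy of env with the loader path injected by a frozen parent undone."""
    env = dict(os.environ if env is None else env)
    original = env.pop(ORIG_VAR, None)
    if original is not None:
        env[LIB_VAR] = original   # restore what the user had set
    else:
        env.pop(LIB_VAR, None)    # user had none: drop the bundle directory
    return env


def scrub_own_environment():
    """Call once at startup so webbrowser.open() and later children inherit a clean env."""
    clean = sanitized_env()
    os.environ.clear()
    os.environ.update(clean)


def run_clean(argv, env=None):
    """Run argv with the sanitized environment and capture its output.

    Capturing matters for credential_process: only the credentials JSON may
    reach the helper's stdout, so child output must not be passed through.
    """
    return subprocess.run(argv, env=sanitized_env(env), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    # Constructed parent environment, shaped like one inherited from a bundled CLI.
    inherited = dict(os.environ, **{LIB_VAR: "/tmp/_MEIconstructed"})
    inherited.pop(ORIG_VAR, None)
    probe = [sys.executable, "-c",
             "import os; print(os.environ.get('LD_LIBRARY_PATH', '<unset>'))"]
    print("child sees:", run_clean(probe, env=inherited).stdout.strip())
```

Scrubbing only affects processes started afterwards; libraries already loaded into the helper itself are unchanged.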

krschwab commented 3 years ago

I see @kdaily mentioned this issue alongside the one I filed in #6416, but I thought it was worth adding a comment here, since you would probably have to fix it in at least two places.

With external aliases, it's calling via Python's subprocess directly in CLI related code (alias.py).

The credential_process external call appears to come from botocore.

tim-finnigan commented 3 days ago

Checking in — it looks like there have since been changes with how the path is handled. Both of these worked as expected when testing on Mac:

[profile test]
credential_process=bash -c "open http://google.com"

[profile test2]
credential_process=bash -c "'../../Applications/Google Chrome.app/Contents/MacOS/Google Chrome' 'http://google.com'"

Does this address the use case here?

Linking related docs for reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html