aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Cannot use credential_process on the default configuration #8860

Open luizbob opened 1 month ago

luizbob commented 1 month ago

Describe the bug

When I try to use the AWS default profile with credential_process, the CLI gets stuck on the process. My setup looks like the one in the AWS documentation on how to use the CLI from a VM on GCP: https://aws.amazon.com/blogs/security/access-aws-using-a-google-cloud-platform-native-workload-identity/ Config file:

[default]
credential_process = /opt/bin/credentials.sh

Expected Behavior

Generate the credentials and use the default configuration with credential_process.

Current Behavior

The command freezes and nothing happens; if not stopped, the VM freezes. debug_awscli.txt (debug logs are in the file above; the command executed was aws sts get-caller-identity --debug)

Reproduction Steps

Follow the steps on this link: https://aws.amazon.com/blogs/security/access-aws-using-a-google-cloud-platform-native-workload-identity/ and change the config so that the default config is used instead of a named profile.

Possible Solution

No response

Additional Information/Context

VM on Google Cloud with a specific service account. If I use the setup as demonstrated in the documentation https://aws.amazon.com/blogs/security/access-aws-using-a-google-cloud-platform-native-workload-identity/ the config works as intended, but it doesn't work when set as the default config.

If the AWS_PROFILE variable is set to the profile that is configured with credential_process, e.g.:

[profile aws]
credential_process = /opt/bin/credentials.sh

the same problem happens.

CLI version used

aws-cli/2.17.26 Python/3.11.9

Environment details (OS name and version, etc.)

Ubuntu 24.04 LTS X64

tim-finnigan commented 4 weeks ago

Thanks for reaching out. Could you expand on this a bit more:

if I try to use the setup as demonstrated in the documentation https://aws.amazon.com/blogs/security/access-aws-using-a-google-cloud-platform-native-workload-identity/ the config works as intended, but doesn't work when set as the default config

I'm trying to understand specifically the conditions under which this is and is not working. Also, for reference, here is documentation on using credential_process in the AWS CLI:

(Also this documentation on credentials shows where custom processes are in the order of precedence.)

luizbob commented 4 weeks ago

Basically, I followed this https://aws.amazon.com/blogs/security/access-aws-using-a-google-cloud-platform-native-workload-identity/ on how to configure a GCP VM instance. In this blog post, the only thing that I changed was to set the credential_process as the default process to get the credentials from AWS.

The file was as follows:

.aws/credentials

[default]
credential_process = /opt/bin/credentials.sh

Then I tested it, and got the logs that I provided.

tim-finnigan commented 2 weeks ago

Thanks for following up. I saw "Max number of attempts exceeded (1) when attempting to retrieve data from metadata service." Could you try increasing the retries (see: https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-retries.html) to ensure this wasn't caused by a transient network issue? Can you also confirm that you have the necessary IAM permissions to authenticate, and no proxy configuration that would be preventing the connection?
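To separate a hang inside the credential script from a hang in the CLI itself, here is a stand-alone check, added as an example and not code from this thread or from the aws-cli project: it runs a credential_process command the way the CLI would, with a hard timeout, and validates the JSON contract the CLI expects (Version 1, AccessKeyId, SecretAccessKey, optional SessionToken and Expiration). The sample commands are constructed stand-ins for /opt/bin/credentials.sh.

```python
import json
import subprocess
import sys
from datetime import datetime, timezone

# Keys the AWS CLI requires in credential_process output (Version must be 1;
# SessionToken and Expiration are optional).
REQUIRED_KEYS = {"AccessKeyId", "SecretAccessKey"}

def check_credential_process(command, timeout=10):
    """Run a credential_process command with a hard timeout and validate its output; returns (ok, message).
    A timeout means the CLI would hang at the same point, so look at the script's own network calls."""
    try:
        proc = subprocess.run(command, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, f"timed out after {timeout}s"
    except OSError as e:
        return False, f"cannot execute: {e.strerror}"
    if proc.returncode != 0:
        return False, f"exit {proc.returncode}: {proc.stderr.strip()}"
    try:
        creds = json.loads(proc.stdout)
    except json.JSONDecodeError:
        return False, "stdout is not valid JSON"
    if creds.get("Version") != 1:
        return False, "Version must be 1"
    missing = REQUIRED_KEYS - creds.keys()
    if missing:
        return False, f"missing keys: {sorted(missing)}"
    if "Expiration" in creds:
        try:
            exp = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
        except ValueError:
            return False, "Expiration is not ISO 8601"
        if exp <= datetime.now(timezone.utc):
            return False, "credentials already expired"
    return True, "ok"

# Constructed stand-ins for /opt/bin/credentials.sh: a well-formed one, a hanging one
# (what the reporter sees), and one whose output the CLI would reject.
GOOD_CMD = [sys.executable, "-c", 'import json; print(json.dumps({"Version": 1, '
            '"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "secretEXAMPLE", '
            '"SessionToken": "tokenEXAMPLE", "Expiration": "2099-01-01T00:00:00Z"}))']
HANG_CMD = [sys.executable, "-c", "import time; time.sleep(60)"]
BAD_CMD = [sys.executable, "-c", 'import json; print(json.dumps({"Version": 2, "AccessKeyId": "x"}))']

if __name__ == "__main__":  # pass the real script path as argv[1], e.g. /opt/bin/credentials.sh
    print(check_credential_process(sys.argv[1:] or GOOD_CMD, timeout=5))
```

If the real script times out here, the CLI's own timeout and retry settings will not help; the blocking call is inside the script (for this setup, the GCP metadata or token exchange request).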

github-actions[bot] commented 6 days ago

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

luizbob commented 3 days ago

Sorry for the delay on my response, I'll try the config.