Closed Weltraumschaf closed 4 years ago
Hi @Weltraumschaf, can you please add sample code to show how you are specifying the profile you expect to be used?
The .aws/config
looks like:
[profile snafu]
region = eu-central-1
output = json
role_arn = arn:aws:iam::2...5:role/snafu-01
; source_profile = snafu
role_session_name = Fubar
The .aws/credentials
looks like:
[snafu]
aws_access_key_id = A...K
aws_secret_access_key = j...v
I also fiddling around with the source_profile
setting in the profile. I'm not sure if it has something to do with this issue. When I add it, then AWS SDK complains about "Invalid profile file: Circular relationship detected with profiles [snafu].". But aws sts get-caller-identity --profile snafu
works fine. If I remove source_profile
then AWS SDK seems to work, but aws sts ...
complains about "Partial credentials found in assume-role, missing: source_profile or credential_source". Fun fact: eksctl
works with both w/o any problem. I'm confused about profiles and the documentation I found doesn't solve my problems.
Hm, ok... Maybe I should look into Azure or GCP instead of AWS ;-)
Hey @Weltraumschaf sorry for the long delay in response here. I'll investigate.
Quick question first: if you have a region in [default] and a different region under the profile, is the region in the profile being used?
Yes it is used.
The SDK only uses the provided credentials provider to determine the credentials, not the region.
To use the region from a specific profile, you'll have to use the "aws.profile" system property or "AWS_PROFILE" environment variable to specify the profile name.
Alternatively, you can load the region from the profile file manually:
Optional<Region> profileRegion =
ProfileFile.defaultProfileFile()
.profile("snafu")
.map(p -> p.properties().get(ProfileProperty.REGION))
.map(Region::of)
We can take a feature request to make this easier to use (we have an internal "region provider" concept we could externalize, for example), since this seems like a confusing experience.
I'll go ahead and close this. Feel free to reopen if you have further questions.
I load the Profile w/:
ProfileCredentialsProvider.builder()
.profileName("snafu")
.build();
There is no good reason why this does not respect the configured region property, if all other tools (awscli and eksctl) does. Also you do not mention that anywhere in the documentation about profiles.
You're configuring the client to use the profile file for credentials, not region. In effect this is what you're doing:
S3Client client =
S3Client.builder()
.credentialsProvider(ProfileCredentialsProvider.builder().profileName("snafu").build())
.region(null) // use default region resolution logic
.build();
It's debatable whether that's a "good reason" but it's the reason. The AWS CLI does not have a way to configure credential providers and region providers separately, so that's not a great example of the Java SDK behaving different than other tools.
If you want behavior equivalent to the AWS CLI, you'll need to use the AWS_PROFILE
environment variable or the aws.profile
system property:
System.setProperty("aws.profile", "snafu");
S3Client client = S3Client.create();
It's not ideal, but if you want equivalent behavior, that's the least amount of code to do it.
Please add this to the JavaDoc of the API!
Where would the ideal location be for this documentation that a user would find it?
I would prefer a package level documentation with example code. Take a look at the Mockito Framework. This is for me the "gold standard" for good and useful JavaDoc and error/exception messages.
No offense, but the most of the SDK Javadoc is superfluous. Example: That setFoo(foo)
has a JavaDoc like "Sets the parameter foo" is not very helpful and it's waste of characters ;-)
IMHO a package level documentation with short examples in an FAQ style like: You want to set a custom region example code
like Mockito. That would have the benefit that you do not need to maintain example at a different place.
But at least it should be mentioned at ProfileCredentialsProvider.builder()
docuemtation that this defaults to null.
More I think about it: Why does it defaults to null? I try to not use null values or fail early with a propper error message to avoid problems like this. But only my clean coders opinion ;-)
Where would the ideal location be for this documentation that a user would find it?
IMO, this needs to be updated in three places:
We can take a feature request to make this easier to use (we have an internal "region provider" concept we could externalize, for example), since this seems like a confusing experience.
Absolutely there should be an easy way to draw the region from the desired profile configuration without having to manually parse the profile file or set system properties or environmental variables.
@Weltraumschaf @azlconsulting We have added a defaultProfileName
and defaultProfileFile
property to the ClientOverrideConfiguration
so that you can specify which profile is used for every piece of configuration in the client, regardless of what it is (as a final default, it's still lower priority than other ways of doing it). This includes the region.
We still need to update the docs with this, but feel free to use it before then!
Edit: @azlconsulting I've forwarded your great documentation feedback to our doc writer.
Thanks, @millems. However, it still seems to me (as @Weltraumschaf also appears to have expected) that, if you've used a ProfileCredentialsProvider, any region in the same profile should be passed to the AwsClientBuilder without needing to set defaults or parse the config file manually.
@azlconsulting We'll definitely update the documentation, but it sounds like you should then be using the defaultProfileName method mentioned above, not the credentials provider.
The credentials provider configuration only affects the credentials, where the client override configuration affects the whole client, credentials and region included.
@millems, this is the first time I'm doing anything with AWS services and I'm not a developer in the first place but this seems even more confusing to me than the previous situation - that there should be default profile file and name options in the ClientOverrideConfiguration.
Please clarify what you meant by "as a final default, it's still lower priority than other ways of doing it".
I use some profiles with a
ProfileCredentialsProvider
to do the SDK operations and my config file has no[default]
section.Expected Behavior
The region information should be used from the given profile.
Current Behavior
The SDK throws the error:
Steps to Reproduce (for bugs)
Remove the
[default]
section from the files in~/.aws
and only add theregion
in the particular profiles.Your Environment