Open Reasonably opened 11 months ago
I think this also have to be changed.
When a fromIni
call with partially resolved sso params fromSSO
, It show error because thease params not complete. https://github.com/aws/aws-sdk-js-v3/blob/736212e25faa1e013f87f8906cc6df5d437aacf2/packages/credential-provider-sso/src/fromSSO.ts#L85
I think If there is sso_session, it has to load sso_session info before validate params.
Hi @Reasonably, I can confirm the reported behavior and I also agree with this comment. I will mark this issue with a needs-review label so we can further deep into this, however, is there a specific reason why you use fromIni and not fromSSO provider?
Please let me know.
Thanks!
I just wanted to change profile using config not env, and searched "aws javascript sdk v3 change profile" to google, it shows this guide.
My app is running on k8s and it use IRSA, I've change my code like below now.
const s3Config: S3ClientConfig = {
region,
credentials: defaultProvider({ profile }),
};
const client = new S3Client(s3Config);
There is shared profile name used in my team using sso, and k8s app will use web token auth.
I think if I use fromSSO
directly, it use only sso auth not auth chain. Is it right?
@Reasonably, the default chain will try to resolve a list of defined credential providers until one of them works, but if you know which credential provider you want to use is also correct to explicitly set it when instancing the client. So, in your case do you want to always use fromSSO?
Please let me know.
Thanks!
@Reasonably, the default chain will try to resolve a list of defined credential providers until one of them works, but if you know which credential provider you want to use is also correct to explicitly set it when instancing the client. So, in your case do you want to always use fromSSO?
Please let me know.
Thanks!
I want to use sso auth(local env) and web identity token auth(production env). And I also want to set profile for not using default
profile(I don't want to set AWS_PROFILE
because I intent to set profile by a config file).
So I've tried to use fromIni
at first for setting profile, I found there is some bug I mentioned at this issue. I've changed my s3 client to use defaultProvider
now - it work well.
This is labeled as workaround-available but when I switch my use of fromIni()
to fromSSO()
I'm greeted with CredentialsProviderError: Profile dev was not found.
Which appears to be coming from here. There are two weird things about this. First, that profile does exist. Second, reproducing the lookup code in fromSSO
doesn't exhibit the same issue.
Sample INI file:
[profile dev]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = super-duper-role
region = us-west-2
output = json
[sso-session my-sso]
sso_start_url = https://my-sso.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access
Code that is failing:
const { fromSSO } = require('@aws-sdk/credential-providers');
const pino = require("pino");
const logger = pino({
level: 'trace',
});
const init = {
logger: logger,
profile: 'dev',
clientConfig: {
region: "us-west-2",
logger: logger,
}
}
console.log(fromSSO(init)().then((c) => {
console.log(c)
}, (err) => {
console.log(err)
}))
Code extracted from fromSSO
that should reproduce the error but works:
const { getProfileName, parseKnownFiles } =require("@smithy/shared-ini-file-loader");
const pino = require('pino');
const logger = pino({
level: 'trace',
});
const init = {
logger: logger,
profile: 'dev',
clientConfig: {
region: "us-west-2",
logger: logger,
}
}
const profileName = getProfileName(init)
console.log(profileName);
parseKnownFiles(init).then((profiles) => {
// console.log(profiles);
const profile = profiles[profileName];
console.log(profile);
});
Checkboxes for prior research
Describe the bug
I've set my ~/.aws/config like above. And I tried to make s3 client like below.
It show error when I request some s3 command
And It is in https://github.com/aws/aws-sdk-js-v3/blob/main/packages/credential-provider-sso/src/validateSsoProfile.ts#L11
It called from fromSSO (It's not problem).
And called from resolveSsoCredentials (It's the problem).
When I use fromIni, it validate my sso config before sso session data fetched yet.
I think
validateSsoProfile
already called infromSSO.ts
. It doesn`t have to check before call fromSSO on fromIni function.When I used default provider chain, it just call fromSSO directly so it worked well.
SDK version number
@aws-sdk/credential-provider@latest, @aws-sdk/s3-client@latest
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v18.16.1
Reproduction Steps
set
~/.aws/config
set
s3 client config
call command.
Observed Behavior
Expected Behavior
work well if I have permission
Possible Solution
Remove
validateSsoProfile
from https://github.com/aws/aws-sdk-js-v3/blob/main/packages/credential-provider-ini/src/resolveSsoCredentials.ts#L13Additional Information/Context
If I use default chain, it work