Open fs24-chrter opened 1 month ago
Hi @fs24-chrter - thanks for reaching out and sorry to hear you're running into an error.
Before I attempt to reproduce it, can you share repro steps specific to SDK as far as how you configured the credentials and share the error logs as well? I want you to rule out everything else and simply make SDK SSMClient call with `GetParametersByPathCommand` and we can further investigate.
Hi @aBurmeseDev,
sure, the most simple way to reproduce is to follow the link to the GitHub repo that I've provided in the description. You will find a Docker image there. If you build this and push to ECR, you can run this as is in ECS. I've documented everything in the repository but happy to replicate it also directly here.
Reproduction
Reproducible code that shows the issue:
```ts
import { SSMClient, GetParametersByPathCommand } from '@aws-sdk/client-ssm';

async function getParametersWithTryCatch(uuid: string, source: string) {
  let ssmClient: SSMClient;
  try {
    ssmClient = new SSMClient({ region: 'eu-central-1' });
    // This should NOT resolve to browser config since we're running on the server side
    console.log(`${uuid} [${source}] Resolved config in client: ${ssmClient.config.runtime}`)
  }
  catch(error) {
    console.log(`${uuid} [${source}] Could not create SSMClient. ${JSON.stringify(error)}`);
    return;
  }
  try {
    // Repro diagnostic: this prints the full credentials object, secret key and session token included
    const credentials = await ssmClient.config.credentials();
    console.log(`${uuid} [${source}] Config credentials. Credentials: ${JSON.stringify(credentials)}`);
  }
  catch(error) {
    console.log(`${uuid} [${source}] Could not log config credentials. ${JSON.stringify(error)}`);
    return;
  }
  try {
    const cmd = new GetParametersByPathCommand({
      Path: '/INT/common',
      Recursive: true,
      WithDecryption: true,
    });
    const resp = await ssmClient.send(cmd);
    console.log(`${uuid} [${source}] Got response. Response: ${JSON.stringify(resp)}`);
  }
  catch(error) {
    console.log(`${uuid} [${source}] Could not get parameters by path. ${JSON.stringify(error)}`)
  }
}
```
The code above fails only if it runs in the middleware. Then the error message is `Credential is missing`.
If the code runs anywhere else, it runs just fine.
Credentials configuration
Credentials should be fetched via task role. For this to work, you need to configure task role e.g. with this inline policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:eu-central-1:<redacted>:secret:<redacted>",
      "Effect": "Allow"
    },
    {
      "Action": "ssm:GetParametersByPath",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Let me know if you need something else.
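A credential-safe variant of the diagnostics in the repro above, as an added example that is not part of the original comment or of the AWS SDK: it reports which runtime config the client resolved and whether credentials resolved, without writing the secret key or session token to the logs. The client stub is constructed, and reading `NEXT_RUNTIME` from the environment is an assumption about the Next.js deployment.

```javascript
// Added example: runtime and credential diagnostics that never log secrets.

// JSON.stringify(new Error(...)) yields "{}", so copy the useful fields out.
function serializeError(err) {
  if (err instanceof Error) return { name: err.name, message: err.message };
  return { name: 'NonError', message: String(err) };
}

// Keep enough to tell which credentials resolved, nothing usable for signing.
function redactCredentials(creds) {
  const id = String(creds.accessKeyId || '');
  return {
    accessKeyId: id.length > 4 ? `****${id.slice(-4)}` : '****',
    hasSecretAccessKey: Boolean(creds.secretAccessKey),
    hasSessionToken: Boolean(creds.sessionToken),
    expiration: creds.expiration ? new Date(creds.expiration).toISOString() : null,
  };
}

// `client` is shaped like the SSMClient in the repro; `env` is process.env in the app.
async function diagnoseClient(client, env = {}) {
  const report = {
    sdkRuntime: client.config.runtime,
    nextRuntime: env.NEXT_RUNTIME || 'unknown', // assumption: set by Next.js
    // The issue reports that a browser config cannot use the ECS task role.
    browserConfigOnServer: client.config.runtime === 'browser',
    credentials: null,
    error: null,
  };
  try {
    report.credentials = redactCredentials(await client.config.credentials());
  } catch (err) {
    report.error = serializeError(err);
  }
  return report;
}

// Constructed stub mimicking the failing middleware client (not real SDK output).
const stubMiddlewareClient = {
  config: {
    runtime: 'browser',
    credentials: async () => { throw new Error('Credential is missing'); },
  },
};
diagnoseClient(stubMiddlewareClient, { NEXT_RUNTIME: 'edge' })
  .then((report) => console.log(JSON.stringify(report)));
```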
Seeing the same issue for dynamodb client.
Describe the bug
I experienced an issue that AWS credentials could not be resolved by code that is running in a Next.js middleware. The same code is running fine if it is executed in a normal Next.js page.
SDK version number
@aws-sdk/client-ssm@3.583.0
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
Nextjs 14.2.3
Reproduction Steps
See reproducible isolated issue here: https://github.com/fs24-chrter/AWS-ssmclient-nextjs-issue
Observed Behavior
Middleware code is not able to fetch AWS credentials and its config resolves to a `Browser` config. Error message shown: `Credential is missing`.
Normal page code is able to fetch AWS credentials and its config resolves to `Node` config.
Expected Behavior
I would expect that also the code running in the middleware is able to fetch AWS credentials. Since this code is executed on the server side and should have the same privileges as a normal Next.js page.
Possible Solution
It looks like the constructor of `SSMClient` resolves to a runtimeConfig that is of type `Browser` in the middleware and therefore is not able to fetch policies from ECS task role. The same code resolves to runtimeConfig of type `Node` if running in normal Next.js page. Here the code is able to fetch the policies from ECS task role.
I do not understand yet why code in the middleware thinks it's running in a Browser.
Additional Information/Context
No response