aws / aws-sdk-net

The official AWS SDK for .NET. For more information on the AWS SDK for .NET, see our web site:
http://aws.amazon.com/sdkfornet/
Apache License 2.0

Feature request: Document how to debug/print the credentials used #758

Closed ryanwalls closed 4 years ago

ryanwalls commented 7 years ago

Trying to debug a "The security token included in the request is invalid" error and I haven't found a convenient/documented way to print out what credentials are used or where they are found. Would be great if this was part of the documentation.

I'm using the .net core SDK 3.3.162.0.

sstevenkang commented 7 years ago

Have you come across this page in the developer guide?

You are right that we currently don't document the credentials fallback logic very well. This CredentialsGenerator lists credential providers sorted by priority: FallbackCredentialsFactory.cs#L47.

ryanwalls commented 7 years ago

@sstevenkang Yep, had seen that documentation page before.

My main request would be to be able to print out each step in the credential resolution process and/or where the credential was found. The AWS cli prints the credential resolution when you turn on debug logging. I would just want something similar for the SDK.

The problem I'm running up against is that I'm setting some custom credentials in code for one of my injected AWS services (an S3 client) and somehow it appears that my separate injected service for SWF is trying to use the same credentials. (Well, I'm getting a security token error and I'm guessing that it is using the wrong credentials.... but I can't really tell.) Any tips for narrowing down the problem?

sstevenkang commented 7 years ago

If you could provide some sample code, that would help us figure out what's going on.

Credential resolution process is not that complicated AFAIK. The SDK just goes down the list I linked above in FallbackCredentialsFactory and uses the first credential it finds.

How are you specifying your credentials? Unless you are explicitly setting them via config objects, I fail to see how the two clients would initialize with different creds.

ryanwalls commented 7 years ago

@sstevenkang We are initializing explicitly because we are using a Minio S3 server for S3 but using regular AWS SWF for workflow stuff.

Inside ConfigureServices:

// Initialize S3 (this is a wrapper class for the client)
services.AddSingleton<AmazonS3>(new AmazonS3(
                Path.GetTempPath(),
                this.Configuration["AWS:Region"],
                this.Configuration["CustomAWSForS3:ServiceURL"],
                Protocol.HTTP,
                this.Configuration["CustomAWSForS3:Key"],
                this.Configuration["CustomAWSForS3:Secret"]));

// Initialize SWF
services.AddAWSService<IAmazonSimpleWorkflow>();

Inside AmazonS3 wrapper class we initialize an S3 client:

new AmazonS3Client(
                    this.awsAccessKeyId,
                    this.awsSecretAccessKey,
                    new AmazonS3Config { ServiceURL = this.serviceURL, ForcePathStyle = true, UseHttp = true, AuthenticationRegion = this.region });

When we call the S3 client, everything works as expected. When we call the SWF client (which should in theory fall back to the environment variable Key/Secret we have set), it gives the token error.

sstevenkang commented 7 years ago

Environment variable is the 2nd to last thing in our credentials provider list. Is there an appconfig or vs toolkit installed with a recognized "default" profile?

Also, if you set the access key and secret key directly when creating the SWF client, does it work as intended? I just want to make sure that the credentials fallback logic is the culprit.

ryanwalls commented 7 years ago

@sstevenkang Got our credential issue fixed. User error. But still would like to keep this request open for better debugging capabilities. i.e. Would like to have a log level that prints out where the credentials were found.

Thanks for your help!

sstevenkang commented 7 years ago

Yup, we'll keep this open. I agree it's a useful feature to add. Could you share what the user error was?

ryanwalls commented 7 years ago

@sstevenkang I had the AWS environment variables set in my .bash_profile, but I hadn't set them to export. I had AWS_..... = <value> instead of export AWS_.... = <value>.

This hadn't been a problem for most situations, but for this I was spawning a new process with Electronjs... and it wasn't propagating of course.
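
The root cause described in the comment above (variables assigned in a shell profile but not exported, so a spawned process never sees them) can be checked without printing any secret values. This is an added example, not code from the thread or from the SDK; the function names `var_state` and `report_aws_env` are hypothetical, and the three variable names are the standard AWS credential environment variables.

```shell
#!/bin/sh
# Added example: classify AWS credential variables as unset, shell-local
# (assigned but not exported) or exported. Values are never printed.

# Standard environment variable names read by the AWS SDKs and CLI.
AWS_CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN"

# var_state NAME -> prints "unset", "local" or "exported".
var_state() {
    name=$1
    # Accept only valid identifiers, because the name is passed to eval below.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid"; return 2 ;;
    esac
    # ${NAME+x} expands to "x" only when NAME is set in this shell.
    eval "is_set=\${$name+x}"
    if [ -z "$is_set" ]; then
        echo "unset"
    # env runs as a child process, so it lists only what children inherit.
    elif env | grep -q "^${name}="; then
        echo "exported"
    else
        echo "local"
    fi
}

# report_aws_env -> one line per variable; returns 1 if any variable is
# set in this shell but would not reach a spawned process.
report_aws_env() {
    rc=0
    for v in $AWS_CRED_VARS; do
        state=$(var_state "$v")
        printf '%-24s %s\n' "$v" "$state"
        [ "$state" = "local" ] && rc=1
    done
    return $rc
}

report_aws_env || echo "warning: a credential variable is assigned but not exported" >&2
```

Run it with `.` (source) in the same shell that will launch the application, since a separately executed script would itself only see exported variables.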

github-actions[bot] commented 4 years ago

We have noticed this issue has not received attention in a year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.