Description of changes:
The AWS CLI and the boto3 implementation handle config & credentials files by reading the contents of both and consolidating them into a single associative array, prior to doing any processing. aws-sdk-php, on the other hand, only reads in one file when processing. This causes an issue when using assumed roles while organizing credentials the way recommended in the AWS CLI docs (the "IAM Role" tab here).
The current aws-sdk-php implementation looks like it has set up a workaround to the situation by allowing a specific filename to be passed into several of the functions, so that the developer can choose between the config or credentials file. However, this would not work in the aforementioned situation where data is split between both files.
Note that aws-sdk-php does actually have a segment of code which combines the files into a single associative array; however there are a few issues:
- It's only used by WebIdentity Credentials; it cannot be used by the regular configuration file
- It doesn't properly merge sections which exist in both files (as is done in boto3)
- It doesn't respect the AWS_CONFIG_FILE environment variable which can be used to override the ~/.aws/config file path. (Note this issue seems to be present in many other locations as well)
This PR has two commits:
- The first commit fixes the problem in the most minimal way. It replaces the single-ini-file handler CredentialProvider::loadProfiles() with a call to the multi-ini-file handler CredentialProvider::loadDefaultProfiles(). It also updates the latter to fix the two additional issues mentioned above. There was an additional modification added to handle the legacy filename workaround.
- The second commit applies the same fix to TokenProvider / SsoTokenProvider. Additionally it updates the CredentialProvider::ini(), CredentialProvider::process() and CredentialProvider::sso() functions to support a null value for the filename override.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Issue #, if available: #2794
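The merge behaviour the description asks for, as an added example that is not code from this PR or from aws-sdk-php: an assumed-role profile in the config file resolves its source_profile only when both files are combined. The helper names `configPath` and `mergeProfiles`, the sample INI text, and the choice that the credentials file wins on a key conflict are assumptions of this example; the `profile ` section prefix is the AWS config-file convention.

```php
<?php
// Added example with hypothetical helper names; not aws-sdk-php code.

// Resolve the config path, honouring the AWS_CONFIG_FILE override.
function configPath(string $home): string
{
    $override = getenv('AWS_CONFIG_FILE');
    return ($override !== false && $override !== '') ? $override : $home . '/.aws/config';
}

// Merge both INI texts into one array keyed by profile name. Sections present
// in both files are merged key by key; on a key conflict the credentials file
// wins (an assumption of this example).
function mergeProfiles(string $configIni, string $credentialsIni): array
{
    $profiles = [];
    $config = parse_ini_string($configIni, true, INI_SCANNER_RAW) ?: [];
    foreach ($config as $section => $values) {
        // The config file names sections "profile <name>", except "default".
        $name = preg_replace('/^profile\s+/', '', (string) $section);
        $profiles[$name] = $values;
    }
    $credentials = parse_ini_string($credentialsIni, true, INI_SCANNER_RAW) ?: [];
    foreach ($credentials as $name => $values) {
        $profiles[$name] = array_merge($profiles[$name] ?? [], $values);
    }
    return $profiles;
}

// Constructed sample input: the role profile lives in config, its source keys in credentials.
$configIni = <<<INI
[default]
region = us-east-1

[profile deploy]
role_arn = arn:aws:iam::123456789012:role/example-deploy
source_profile = default
INI;

$credentialsIni = <<<INI
[default]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRET
INI;

$profiles = mergeProfiles($configIni, $credentialsIni);
$source = $profiles[$profiles['deploy']['source_profile']];
var_dump(isset($source['aws_access_key_id'], $source['region']));
echo configPath(getenv('HOME') ?: '/home/example'), PHP_EOL;
```

Reading either sample file alone leaves the `deploy` profile without usable source keys, which is the failure the description reports for assumed roles.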