Open jaridmargolin opened 1 year ago
Set AWS Credentials of user from AccountA in env:
Need more specifics here. Are you setting env vars in your terminal and then lauching vscode using the code
command from that same terminal?
Does https://github.com/aws/aws-toolkit-vscode/issues/1351 cover your use-case?
From my initial scan, I don't see anything in #1351 that suggests it covers my use case, however I may be missing something?
Set AWS Credentials of user from AccountA in env: Need more specifics here. Are you setting env vars in your terminal and then lauching vscode using the code command from that same terminal?
To expand, at the root of the workspace I have a .envrc
file containing the env vars mentioned above:
AWS_ACCESS_KEY_ID=XXX
AWS_SECRET_ACCESS_KEY=XXX
AWS_CONFIG_FILE=/path/to/config
While I do typically launch vscode from the terminal where these vars are set using direnv, I have also installed the direnv extension in vscode to ensure they are available no matter how the application was opened.
This allows me to keep my profiles installed locally within the repo/workspace. I can confirm that the .envrc
file is being sourced due to the fact that the aws-toolkit-vscode
extension is capable of resolving the profiles defined in the config file at AWS_CONFIG_FILE
.
While I do typically launch vscode from the terminal where these vars are set using direnv, I have also installed the direnv extension in vscode to ensure they are available no matter how the application was opened.
Nice, thanks for mentioning the direnv extension. https://github.com/aws/aws-toolkit-vscode/issues/1084 tracks a similar idea for "dotenv" (.env). (What is the difference between dotenv vs direnv?)
I'm guessing that things are working "by accident" and we need to look closer to ensure that all parts of the Toolkit pull from the environment when it changes. E.g. if we have an AWS service client "cached", will it check for changed environment on the next request?
My understanding is that dotenv is a utility that uses a consistent resolution mechanism to load environment variables. More specifically, it looks for a .env file in the cwd (there may be a bit more to the resolution logic). dotenv can be utilized by individual tools and processes, such as Fastlane, which automatically loads a .env file if it exists. Alternatively, an application or framework may choose to use dotenv to load a .env file at the start of the process.
On the other hand, direnv is a shell extension that adds a new feature to existing shells. It can load and unload environment variables based on the current directory. If there is a .envrc file in the directory, it will be loaded when you change into that directory. Technically, you could even have your .envrc file call dotenv if you wanted to.
While both dotenv and direnv are used to load environment variables, their usage and purpose are slightly different.
As for "tracking" this issue, the author of #1084 seems to want direct support for automatically loading dotenv
files. I don't necessarily need the AWS CLI or anything else to "support" direnv
. direnv
will automatically load env vars in my terminal when I am within a workspace, and the direnv extension will ensure that vscode automatically loads the .envrc
file upon opening. In fact, I'm not convinced if my issue is tied to direnv or not.
For the sake of testing, I moved my credentials and config file to ~/.aws
to see if I could get the extension to work with more "default" behavior and avoid any potential issues that may be caused by the extension loading order in vscode. From what I can tell, I have the same issue.
2023-03-24 20:08:31 [VERBOSE]: Profile accountBProfile contains role_arn - treating as regular Shared Credentials
2023-03-24 20:08:31 [DEBUG]: command: running "aws.codeWhisperer.refresh"
2023-03-24 20:08:31 [DEBUG]: command: running "aws.codeWhisperer.refreshRootNode"
2023-03-24 20:08:31 [DEBUG]: command: running "aws.codeWhisperer.refreshStatusBar"
2023-03-24 20:08:31 [DEBUG]: command: running "aws.codeWhisperer.updateReferenceLog"
2023-03-24 20:08:31 [DEBUG]: command: running "aws.refreshAwsExplorerNode" with arguments [[object Object]]
2023-03-24 20:08:31 [DEBUG]: telemetry: emitted metric "vscode_executeCommand"
2023-03-24 20:08:31 [DEBUG]: telemetry: emitted metric "vscode_executeCommand"
2023-03-24 20:08:31 [DEBUG]: commands: skipped telemetry for "aws.codeWhisperer.refreshStatusBar"
2023-03-24 20:08:31 [DEBUG]: commands: skipped telemetry for "aws.codeWhisperer.updateReferenceLog"
2023-03-24 20:08:31 [DEBUG]: telemetry: emitted metric "vscode_executeCommand"
2023-03-24 20:08:31 [DEBUG]: telemetry: emitted metric "aws_setCredentials"
2023-03-24 20:08:31 [DEBUG]: commands: skipped telemetry for "aws.auth.switchConnections"
2023-03-24 20:08:31 [VERBOSE]: Credentials changed (profile:sharedServicesAdmin), updating AWS Explorer
2023-03-24 20:08:31 [DEBUG]: telemetry: emitted metric "aws_validateCredentials"
2023-03-24 20:08:36 [ERROR]: AccessDenied: User: arn:aws:I am::<AccountA>:user/<AccountAUser> is not authorized to perform
Maybe to help build clarity, are you able to validate that assuming cross-account profiles work in aws-toolkit-vscode? Going back to my first comment in the thread, I am unable to get the following to work:
AWS Credentials for AccountA with a profile referencing a role in AccountB.
Problem
The UI and corresponding API calls to AWS are not using the expected credentials based on the selected profile. These profiles and accounts are actively used for CDK deployments and operations with the AWS CLI, so I am reasonably confident this issue is specific to
aws-toolkit-vscode
and not the implementation of configuration / IAM permissions.Steps to reproduce the issue
Set AWS Credentials of user from AccountA in env:
Set custom config dir (unknown if this impacts the bug but as it is part of our setup I am including it)
Set profile in config
Attempt to use Extension.
Expected behavior
The expected behavior would be for the UI and subsequent API calls to use credentials generated from the profile
accountBProfile
and call the services residing onAccountB
.Actual behavior
From the logs I am viewing, it appears the credentials are changing to
accountBProfile
, however, the subsequent API calls are being made from AWS Credentials corresponding to the user ofAccountA
and being made to the corresponding service onAccountA
.(naming modified to fit reproduction steps):
System details (run the
AWS: About Toolkit
command)