bazaarvoice / cloudformation-ruby-dsl

Ruby DSL for creating Cloudformation templates
Apache License 2.0

Assumed Roles are ignored #90

Closed roman-parkhunovskyi closed 8 years ago

roman-parkhunovskyi commented 8 years ago

Suppose assumed roles are used as follows:

[default]
aws_access_key_id = foo
aws_secret_access_key = bar

[test]
role_arn = arn:aws:iam::123456789012:role/group/username
source_profile = default

With the provided access configuration in either ~/.aws/credentials or ~/.aws/config, it is not possible to create a stack via cloudformation-ruby-dsl v1.2.1, aws-sdk-ruby 2.4.2 and ruby 2.3.0:

$ ./stack.rb create test-stack --profile test --region us-east-1 --parameters "\
Param1=1-20;\
Param2=teamname"

 /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/aws-sdk-core/plugins/request_signer.rb:100:in `require_credentials': unable to sign request without credentials set (Aws::Errors::MissingCredentialsError)
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/aws-sdk-core/plugins/request_signer.rb:90:in `sign_authenticated_requests'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/aws-sdk-core/plugins/request_signer.rb:83:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/aws-sdk-core/plugins/retry_errors.rb:87:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/aws-sdk-core/query/handler.rb:27:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/aws-sdk-core/plugins/user_agent.rb:12:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/seahorse/client/plugins/endpoint.rb:41:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/aws-sdk-core/plugins/param_converter.rb:20:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/seahorse/client/plugins/response_target.rb:21:in `call'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/seahorse/client/request.rb:70:in `send_request'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/aws-sdk-core-2.4.2/lib/seahorse/client/base.rb:207:in `block (2 levels) in define_operation_methods'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/cloudformation-ruby-dsl-1.2.1/lib/cloudformation-ruby-dsl/cfntemplate.rb:297:in `cfn'
   from /home/user/vendor/bundle/ruby/2.3.0/gems/cloudformation-ruby-dsl-1.2.1/lib/cloudformation-ruby-dsl/cfntemplate.rb:556:in `exec!'
   from ./stack.rb:291:in `<main>'

temujin9 commented 8 years ago

Confirmed: I have also experienced this behavior. Correct behavior is achieved when AWS_PROFILE is set in the environment. None of '--profile', '--profile-name', or '--profile_name' appear to work as expected.

We may just need to do better work on integrating the new code into the DSL. Unfortunately, I don't have much bandwidth to tackle this before I leave for vacation. https://github.com/bazaarvoice/it-security-scripts/blob/master/deploy/nexpose-engine.rb#L42 is where my working example comes from.

temujin9 commented 8 years ago

Also possibly relevant: I believe there's something weird about the required format of ~/.aws/config and ~/.aws/credentials.

Basically, it appears:

temujin9 commented 8 years ago

Turned out to be an upstream issue: v2.4.1 works, newer ones don't. Published a new version (1.2.2) with it pinned in the Gemfile; we should remove the constraint once the upstream issue is resolved.
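
Added example (not part of the thread, and not code from cloudformation-ruby-dsl or aws-sdk-ruby): an offline check of the profile layout from the original report, showing that `test` holds no keys of its own and resolves to an AssumeRole step on top of the static keys in `default`. `parse_profiles`, `resolve_chain` and the `orphan` profile are hypothetical names made up for this sketch, and only `source_profile` chaining is handled.

```ruby
# Constructed sample: the issue's two profiles plus a deliberately broken one.
SAMPLE = <<~INI
  [default]
  aws_access_key_id = foo
  aws_secret_access_key = bar
  [test]
  role_arn = arn:aws:iam::123456789012:role/group/username
  source_profile = default
  [orphan]
  role_arn = arn:aws:iam::123456789012:role/group/username
  source_profile = missing
INI

# Parse INI text into { profile_name => { key => value } }.
# ~/.aws/config writes sections as [profile NAME]; ~/.aws/credentials as [NAME].
def parse_profiles(text)
  profiles = {}
  current = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(?:profile\s+)?(.+?)\]\z/))
      current = profiles[m[1].strip] = {}
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      current[m[1]] = m[2]
    end
  end
  profiles
end

# Follow source_profile links down to a profile with static keys.
# Returns the steps in the order they must run; raises on a gap or a loop.
def resolve_chain(profiles, name, seen = [])
  raise ArgumentError, "profile loop: #{(seen + [name]).join(' -> ')}" if seen.include?(name)
  profile = profiles[name] or raise ArgumentError, "profile '#{name}' not found"
  if profile['role_arn']
    source = profile['source_profile'] or
      raise ArgumentError, "profile '#{name}' has role_arn but no source_profile"
    resolve_chain(profiles, source, seen + [name]) +
      [{ profile: name, type: :assume_role, role_arn: profile['role_arn'] }]
  elsif profile['aws_access_key_id'] && profile['aws_secret_access_key']
    [{ profile: name, type: :static_keys }]
  else
    raise ArgumentError, "profile '#{name}' has no usable credentials"
  end
end

resolve_chain(parse_profiles(SAMPLE), 'test').each { |s| p s } if __FILE__ == $PROGRAM_NAME
```

Pointing `parse_profiles` at the contents of a real credentials file gives a quick check that every `source_profile` link ends at a profile with keys before a deploy tool is run against it.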