boto / boto3

AWS SDK for Python
https://aws.amazon.com/sdk-for-python/
Apache License 2.0

AWS_PROFILE environment variable overrides session credentials #4121

Closed dwilday closed 4 months ago

dwilday commented 4 months ago

Describe the bug

When setting up a client or session if I pass in an aws_access_key_id, aws_secret_access_key, and region it will first attempt to make a connection using the environment variable set in AWS_PROFILE.

If this variable is set incorrectly, as in there is no matching profile, a ProfileNotFound exception is thrown.

This is problematic as I've had a user with this variable set and it took a great deal of time to track down why my software wouldn't work on their machine. Whether this is used for the actual connection to the service is irrelevant as this environment variable should have nothing to do with my connection if I am manually passing in my own credentials.

Expected Behavior

If credentials are passed into the constructor for either boto3.session.Session or boto3.client, the environment variable AWS_PROFILE should not be utilized and no exception should be raised.

Current Behavior

If the machine has an environment variable set for AWS_PROFILE incorrectly an exception is raised by botocore/session.py regardless of whether correct credentials are passed in via the constructor.

Reproduction Steps

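import os
import boto3

# 'foo' matches no configured profile; AWS_ACCESS_KEY etc. are the caller's values
os.environ['AWS_PROFILE'] = 'foo'
boto3.session.Session(aws_access_key_id=AWS_ACCESS_KEY,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
                      region_name=AWS_REGION)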

Possible Solution

No response

Additional Information/Context

No response

SDK version used

1.34.43

Environment details (OS name and version, etc.)

Mac OS Sonoma 14.4.1

RyanFitzSimmonsAK commented 4 months ago

Hi @dwilday, thanks for reaching out. This behavior is intended. Environment variables all need to be evaluated before credentials precedence, so AWS_PROFILE throwing an error before credentials are located makes sense. You can similarly test this with environment variables unrelated to credentials, such as AWS_MAX_ATTEMPTS. Setting it to a non-integer will throw an error well before any operations are attempted. Let me know if you have any follow-up questions.
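Added example, not part of the issue thread or of boto3's own code: a standard-library preflight check that reports an ambient AWS_PROFILE naming no configured profile, so an application can give a clear diagnostic before session construction raises ProfileNotFound. The function names are hypothetical; the file locations, the section naming ([profile name] in the config file, [name] in the credentials file) and the AWS_DEFAULT_PROFILE-before-AWS_PROFILE order are assumptions based on the usual shared-config conventions.

```python
import configparser
import os
import shlex
from pathlib import Path


def known_profiles(config_path, credentials_path):
    """Collect profile names from the shared config and credentials files."""
    names = set()
    for path, is_config in ((config_path, True), (credentials_path, False)):
        parser = configparser.RawConfigParser(strict=False)
        parser.read(path)  # a missing file is silently skipped
        for section in parser.sections():
            if not is_config or section == "default":
                names.add(section)  # credentials file: [name]
            elif section.startswith("profile"):
                parts = shlex.split(section)  # config file: [profile name]
                if len(parts) == 2:
                    names.add(parts[1])
    return names


def stale_profile(env, config_path, credentials_path):
    """Return the ambient profile name if it matches no profile, else None."""
    # Assumption: AWS_DEFAULT_PROFILE is consulted before AWS_PROFILE.
    name = env.get("AWS_DEFAULT_PROFILE") or env.get("AWS_PROFILE")
    if name and name not in known_profiles(config_path, credentials_path):
        return name
    return None


if __name__ == "__main__":
    # Default locations, overridable through the usual environment variables.
    home = Path.home() / ".aws"
    cfg = os.environ.get("AWS_CONFIG_FILE", home / "config")
    creds = os.environ.get("AWS_SHARED_CREDENTIALS_FILE", home / "credentials")
    bad = stale_profile(os.environ, cfg, creds)
    if bad:
        print(f"Ambient profile {bad!r} is not configured; "
              "session construction will raise ProfileNotFound")
```

Running the check at startup turns an inherited, misconfigured environment variable into an explicit message instead of a stack trace from inside botocore.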

github-actions[bot] commented 4 months ago

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.