cognitect-labs / aws-api

AWS, data driven
Apache License 2.0

sso client should not check for creds #207

Open benjamin-asdf opened 2 years ago

benjamin-asdf commented 2 years ago

Dependencies

e.g.

{:deps {com.cognitect.aws/api           {:mvn/version "0.8.539"}
        com.cognitect.aws/endpoints     {:mvn/version "1.1.12.110"}
        com.cognitect.aws/identitystore {:mvn/version "811.2.958.0"
                                         :aws/serviceFullName "AWS SSO Identity Store"}}}

Repro

(ns sso
  (:require [cognitect.aws.client.api :as aws]))

(def client (aws/client {:api :sso}))

;; obtain an access token
;; this will fail if you do not have a default profile configured

(aws/invoke
 client
 {:op :GetRoleCredentials
  :request {:accessToken "fo"
            :roleName "role"
            :accountId "id"}})

;; expectation: get some validation err because the accessToken is "fo"

Feb 19, 2022 4:19:57 PM clojure.tools.logging$eval15553$fn__15556 invoke
INFO: Unable to fetch credentials from environment variables.
Feb 19, 2022 4:19:57 PM clojure.tools.logging$eval15553$fn__15556 invoke
INFO: Unable to fetch credentials from system properties.
Feb 19, 2022 4:19:57 PM clojure.tools.logging$eval15553$fn__15556 invoke
INFO: Unable to fetch credentials from aws profiles file.
Feb 19, 2022 4:20:00 PM clojure.tools.logging$eval15553$fn__15556 invoke
INFO: Unable to fetch credentials from any source.

It fails too early in this case. SSO should be a special case where it doesn't look for creds because the use case is that you fetch exactly those creds.

workaround:

configure a default profile (with keys)

set system props to some dummy values etc.
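The workaround above can be applied per client instead of through a global default profile or system properties: aws-api lets you pass an explicit `:credentials-provider` to `aws/client`, and when one is supplied the environment/properties/profile chain that produces the log lines above is not consulted. The following is an added example and is not code from the issue or from aws-api itself; it assumes that any non-empty placeholder values satisfy the provider (GetRoleCredentials is authenticated by the SSO bearer token passed as `:accessToken`, not by the SigV4 credentials), and the token, account id and role name in the usage block are assumed values.

```clojure
(ns sso-workaround
  (:require [cognitect.aws.client.api :as aws]
            [cognitect.aws.credentials :as creds]))

;; Only the :sso client needs the chain lookup skipped. These values are
;; placeholders (assumption: any non-empty strings are accepted); they are
;; never used to authorize the SSO call, which carries the bearer token.
(def placeholder-provider
  (creds/basic-credentials-provider
   {:access-key-id     "placeholder"
    :secret-access-key "placeholder"}))

(def sso-client
  (aws/client {:api                  :sso
               :credentials-provider placeholder-provider}))

(defn role-credentials
  "Exchange an SSO access token for short-lived role credentials and return
   them in the map shape cognitect.aws.credentials expects from a provider.
   Throws on an anomaly so a rejected or expired token surfaces as an error
   instead of silently producing a client with nil credentials."
  [{:keys [access-token account-id role-name]}]
  (let [resp (aws/invoke sso-client
                         {:op      :GetRoleCredentials
                          :request {:accessToken access-token
                                    :accountId   account-id
                                    :roleName    role-name}})]
    (when (:cognitect.anomalies/category resp)
      (throw (ex-info "GetRoleCredentials failed" resp)))
    (let [{:keys [accessKeyId secretAccessKey sessionToken]} (:roleCredentials resp)]
      {:aws/access-key-id     accessKeyId
       :aws/secret-access-key secretAccessKey
       :aws/session-token     sessionToken})))

(defn sso-credentials-provider
  "A CredentialsProvider that performs the SSO token exchange on fetch.
   opts is the map taken by role-credentials."
  [opts]
  (reify creds/CredentialsProvider
    (fetch [_] (role-credentials opts))))

(comment
  ;; Usage. The token must come from an SSO login (e.g. the cached token the
  ;; AWS CLI writes after `aws sso login`); the values here are assumed.
  (def s3
    (aws/client {:api :s3
                 :credentials-provider
                 (sso-credentials-provider
                  {:access-token "<sso access token>"
                   :account-id   "123456789012"
                   :role-name    "ReadOnly"})}))
  (aws/invoke s3 {:op :ListBuckets}))
```

Treat the SSO access token as a credential in its own right: it is a bearer token, so anything that can read it can mint role credentials for every account and role the login is entitled to. In a long-running process, wrap the provider with `creds/cached-credentials-with-auto-refresh` so the exchange is not repeated on every request, and keep the role credentials in memory only.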

benjamin-asdf commented 2 years ago

https://github.com/babashka/pod-babashka-aws/issues/55

dchelimsky commented 2 years ago

We're looking into this. We have a few possible ways to handle this case, and need to figure out which solves the problem in the most general way without breaking things or introducing new dependencies. Please stand by.

dchelimsky commented 2 years ago

@benjamin-asdf when I run your example with a dummy profile configured, I get this:

{:cognitect.anomalies/category :cognitect.anomalies/fault,
 :cognitect.anomalies/message
 "HTTP protocol violation: Authentication challenge without WWW-Authenticate header",
 ,,,}

Is that the validation err you get?

benjamin-asdf commented 2 years ago

(aws/invoke
 (aws/client {:api :sso})
 {:op :GetRoleCredentials
  :request {:accessToken "fo"
            :roleName "role"
            :accountId "id"}})

;; without dummy

#:cognitect.anomalies{:category :cognitect.anomalies/fault, :message "Unable to fetch credentials. See log for more details."}

;; with dummy ~/.aws/credentials

[default]
aws_secret_access_key = _
aws_access_key_id = _
aws_session_token = _
{:cognitect.anomalies/category :cognitect.anomalies/fault, :cognitect.anomalies/message "HTTP protocol violation: Authentication challenge without WWW-Authenticate header", :cognitect.http-client/throwable #error {
 :cause "HTTP protocol violation: Authentication challenge without WWW-Authenticate header"
 ,,,

yea seems to be the same @dchelimsky