common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Setting both AWS_PROFILE and AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY is now issuing a warning in Javascript SDK #737

Open andrewpatto opened 1 month ago

andrewpatto commented 1 month ago

A recent commit

https://github.com/aws/aws-sdk-js-v3/commit/d1105e3a2619c6101ac01c2e7d9664526559b880

means that the JavaScript SDK now prints a warning:

Both AWS_PROFILE and the pair AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY static credentials are set.
...

I used granted in a mode where I run assume in an otherwise unconfigured shell to set the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY variables and don't use profiles anywhere downstream. I do not have AWS_PROFILE set before running assume.

Is it possible for granted to have a flag to "not set" AWS_PROFILE as part of its env variables export (now that it seems that officially the AWS SDKs are complaining about it)?

can-sahin-gowago commented 6 days ago

Came here to open up this issue. Same.

Running assume -x, and I wish it didn't export the AWS_PROFILE env var.

chrnorm commented 6 days ago

Thanks @andrewpatto @can-sahin-gowago, we will need to get this behavior fixed. If you could share a copy of your ~/.aws/config with the affected profile in this issue that would be helpful (I’d like to confirm if you are using the Granted credential process integration or not). Feel free to redact account IDs etc from it.

andrewpatto commented 6 days ago

Thanks for looking into this! This is my ~/.aws/config (redacted). I do not have any ~/.aws/credentials present.

[sso-session mycompany]
sso_start_url = https://mycompany.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access

[profile mycompany-dev]
sso_session = mycompany
sso_account_id = 000000000000
sso_role_name = AdministratorAccess
region = ap-southeast-2

After doing an assume mycompany-dev (from a shell with no AWS-related environment set), I end up with this set:

GRANTED_COMMAND=mycompany-dev
AWS_ACCESS_KEY_ID=Axxxxxxxxxxx5
AWS_SECRET_ACCESS_KEY=fxxxxxxxxxxxE
AWS_SESSION_TOKEN=Ixxxxxxxxxxxxxxxxxxxxxxx=
AWS_PROFILE=mycompany-dev
AWS_REGION=ap-southeast-2
AWS_DEFAULT_REGION=ap-southeast-2
AWS_SESSION_EXPIRATION=2024-10-02T20:09:31+10:00
AWS_CREDENTIAL_EXPIRATION=2024-10-02T20:09:31+10:00
GRANTED_SSO=false

can-sahin-gowago commented 6 days ago

[profile xxxx]
granted_sso_start_url = https://xxxx.awsapps.com/start/
granted_sso_region = eu-central-1
granted_sso_account_id = xxxx
granted_sso_role_name = xxxx
common_fate_generated_from = aws-sso
credential_process = granted credential-process --profile xxxx
duration_seconds = 11111

I do use the credentials process. I get the same env output as the above command. What rarely causes a bug is that (apart from the warning) sometimes I need to --export as well, and .aws/credentials expire after a while, but aws-cli still uses the AWS_PROFILE (which is expired now) even though my fresh creds are in the shell env via -x.
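
A shell-side check for the variable combination reported in this thread, as an added example that is not part of the issue and not Granted's own code. The function names are hypothetical; the variable names are the ones shown in the `assume` output above.

```shell
#!/bin/sh
# Added example, not part of Granted. Function names are hypothetical;
# the variable names are those shown in the thread's `assume` output.

# Classify which credential-related variables the current shell exports.
# Prints one of: none, profile-only, static-only, partial-static, conflict
aws_env_state() {
    has_profile=0; has_id=0; has_secret=0
    [ -n "${AWS_PROFILE:-}" ] && has_profile=1
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && has_id=1
    [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] && has_secret=1

    if [ "$has_id" -ne "$has_secret" ]; then
        echo partial-static   # only half of the key pair is exported
    elif [ "$has_id" -eq 1 ] && [ "$has_profile" -eq 1 ]; then
        echo conflict         # the combination the SDK warning names
    elif [ "$has_id" -eq 1 ]; then
        echo static-only
    elif [ "$has_profile" -eq 1 ]; then
        echo profile-only
    else
        echo none
    fi
}

# Unset AWS_PROFILE only when a complete static key pair is also exported,
# so a profile-only shell (or a half-set key pair) is left untouched.
# Must be called directly, not in a subshell, for the unset to take effect.
aws_drop_profile_if_static() {
    if [ "$(aws_env_state)" = conflict ]; then
        unset AWS_PROFILE
    fi
    return 0
}
```

Calling `aws_drop_profile_if_static` in the same shell right after `assume` leaves only the exported key pair, session token and region variables in place.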