lyft / metadataproxy

A proxy for AWS's metadata service that gives out scoped IAM credentials from STS

Boto3 cannot find credentials when using AWS_PROFILE env var #75

Closed bcorijn closed 5 years ago

bcorijn commented 5 years ago

Hi all,

I wanted to use this project to mock IAM roles for local containers, similar to the setup I run in my Kubernetes cluster. Since roles cannot take an IAM group as principal in the trust policy and I don't want to specify users on single app-roles, I wanted to use a "transitive" role to assume my application roles (my cluster does a similar setup with kiam). So in a very simple diagram: Local developer credentials -> iamRole DevAssume -> iamRole Application. With this setup the application roles only need to trust the DevAssume role once and there's a central point to manage which principals can assume a larger collection of roles.

I checked if the metadataproxy had such an option but that doesn't seem to be the case. Luckily the AWS CLI/SDK can do this natively, by declaring a role in your ~/.aws/config and then telling it to automatically assume that role with the AWS_PROFILE env var. (cfr https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html)

However, I could not get this to work on the current Docker image. I keep getting a NoCredentialsError error. A bit of debugging seems to point at the version of Boto3 installed. If I update it to latest, it does assume this role as one would expect and distribute tokens to other containers.

I made a local fork and upgraded all the pip requirements to their latest version, which still seems to work as expected. Would this be welcome as a PR? I can also include some documentation on how I set up this local environment, which relies on docker-compose networking instead of IPTable rules.
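An added example, not taken from the issue or the metadataproxy project, of the ~/.aws/config profile chain the post describes (developer credentials -> DevAssume -> Application). The account id, role names and profile names are placeholders; the Application role's trust policy must list the DevAssume role ARN as a principal for the second hop to succeed.

```ini
# ~/.aws/config -- constructed example; replace the account id and role names.
# Long-lived developer keys live in ~/.aws/credentials under [dev] and are the
# only static secret on the machine; every other profile is derived via STS.
[profile dev]
region = eu-west-1

# First hop: the developer's keys assume the central "transitive" role.
# Only this role needs to be listed in the Application roles' trust policies.
[profile dev-assume]
role_arn = arn:aws:iam::111111111111:role/DevAssume
source_profile = dev

# Second hop: the DevAssume session assumes the per-application role.
# source_profile may point at another assume-role profile (role chaining);
# AWS caps a chained session at 1 hour regardless of duration_seconds.
[profile application]
role_arn = arn:aws:iam::111111111111:role/Application
source_profile = dev-assume
```

Setting AWS_PROFILE=application on the proxy container makes a sufficiently recent boto3 walk this chain itself, which is the behaviour the post reports after upgrading the pinned requirements.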

ryan-lane commented 5 years ago

Yep. Happy to take this as a PR
