miasma-rb / miasma-aws

Miasma AWS API

STS Assume Role broken #61

Open LuisDeSiqueira opened 5 years ago

LuisDeSiqueira commented 5 years ago

Given a .sfn config of

# This is an auto-generated configuration file for
# the sfn CLI. To view all available configuration
# options, please see:
# http://www.sparkleformation.io/docs/sfn/configuration.html

Configuration.new do
  apply_nesting 'deep'
  aws_assume_role.status 'enabled'
  processing true
  options do
    on_failure 'nothing'
    notification_topics []
    capabilities ['CAPABILITY_IAM','CAPABILITY_NAMED_IAM']
    tags do
      creator ENV['USER']
    end
  end
  credentials do
    provider :aws
    aws_profile_name ENV['AWS_PROFILE']
  end
end

and the following dependency set

GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.5.2)
      public_suffix (>= 2.0.2, < 4.0)
    ast (2.4.0)
    attribute_struct (0.4.2)
      bogo (>= 0.1.31, < 0.3.0)
    aws-eventstream (1.0.1)
    aws-partitions (1.113.0)
    aws-sdk (3.0.1)
      aws-sdk-resources (~> 3)
    aws-sdk-acm (1.13.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-acmpca (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-alexaforbusiness (1.12.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-apigateway (1.22.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-applicationautoscaling (1.15.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-applicationdiscoveryservice (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-appstream (1.18.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-appsync (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-athena (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-autoscaling (1.12.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-autoscalingplans (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-batch (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-budgets (1.14.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-chime (1.1.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloud9 (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-clouddirectory (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudformation (1.11.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudfront (1.10.1)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudhsm (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudhsmv2 (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudsearch (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudsearchdomain (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudtrail (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudwatch (1.12.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudwatchevents (1.11.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cloudwatchlogs (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-codebuild (1.22.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-codecommit (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-codedeploy (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-codepipeline (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-codestar (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cognitoidentity (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cognitoidentityprovider (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-cognitosync (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-comprehend (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-configservice (1.19.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-connect (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-core (3.38.0)
      aws-eventstream (~> 1.0)
      aws-partitions (~> 1.0)
      aws-sigv4 (~> 1.0)
      jmespath (~> 1.0)
    aws-sdk-costandusagereportservice (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-costexplorer (1.12.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-databasemigrationservice (1.13.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-datapipeline (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-dax (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-devicefarm (1.12.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-directconnect (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-directoryservice (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-dlm (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-dynamodb (1.16.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-dynamodbstreams (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-ec2 (1.57.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-ecr (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-ecs (1.22.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-efs (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-eks (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-elasticache (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-elasticbeanstalk (1.13.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-elasticloadbalancing (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-elasticloadbalancingv2 (1.16.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-elasticsearchservice (1.14.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-elastictranscoder (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-emr (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-firehose (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-fms (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-gamelift (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-glacier (1.13.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-glue (1.20.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-greengrass (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-guardduty (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-health (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-iam (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-importexport (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv2 (~> 1.0)
    aws-sdk-inspector (1.11.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-iot (1.18.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-iot1clickdevicesservice (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-iot1clickprojects (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-iotanalytics (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-iotdataplane (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-iotjobsdataplane (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-kinesis (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-kinesisanalytics (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-kinesisvideo (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-kinesisvideoarchivedmedia (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-kinesisvideomedia (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-kms (1.11.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-lambda (1.13.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-lambdapreview (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-lex (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-lexmodelbuildingservice (1.11.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-lightsail (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-machinelearning (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-macie (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-marketplacecommerceanalytics (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-marketplaceentitlementservice (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-marketplacemetering (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-mediaconvert (1.16.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-medialive (1.15.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-mediapackage (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-mediastore (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-mediastoredata (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-mediatailor (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-migrationhub (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-mobile (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-mq (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-mturk (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-neptune (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-opsworks (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-opsworkscm (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-organizations (1.15.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-pi (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-pinpoint (1.12.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-pinpointemail (1.0.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-polly (1.14.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-pricing (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-rds (1.37.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-redshift (1.14.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-rekognition (1.14.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-resourcegroups (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-resourcegroupstaggingapi (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-resources (3.27.0)
      aws-sdk-acm (~> 1)
      aws-sdk-acmpca (~> 1)
      aws-sdk-alexaforbusiness (~> 1)
      aws-sdk-apigateway (~> 1)
      aws-sdk-applicationautoscaling (~> 1)
      aws-sdk-applicationdiscoveryservice (~> 1)
      aws-sdk-appstream (~> 1)
      aws-sdk-appsync (~> 1)
      aws-sdk-athena (~> 1)
      aws-sdk-autoscaling (~> 1)
      aws-sdk-autoscalingplans (~> 1)
      aws-sdk-batch (~> 1)
      aws-sdk-budgets (~> 1)
      aws-sdk-chime (~> 1)
      aws-sdk-cloud9 (~> 1)
      aws-sdk-clouddirectory (~> 1)
      aws-sdk-cloudformation (~> 1)
      aws-sdk-cloudfront (~> 1)
      aws-sdk-cloudhsm (~> 1)
      aws-sdk-cloudhsmv2 (~> 1)
      aws-sdk-cloudsearch (~> 1)
      aws-sdk-cloudsearchdomain (~> 1)
      aws-sdk-cloudtrail (~> 1)
      aws-sdk-cloudwatch (~> 1)
      aws-sdk-cloudwatchevents (~> 1)
      aws-sdk-cloudwatchlogs (~> 1)
      aws-sdk-codebuild (~> 1)
      aws-sdk-codecommit (~> 1)
      aws-sdk-codedeploy (~> 1)
      aws-sdk-codepipeline (~> 1)
      aws-sdk-codestar (~> 1)
      aws-sdk-cognitoidentity (~> 1)
      aws-sdk-cognitoidentityprovider (~> 1)
      aws-sdk-cognitosync (~> 1)
      aws-sdk-comprehend (~> 1)
      aws-sdk-configservice (~> 1)
      aws-sdk-connect (~> 1)
      aws-sdk-costandusagereportservice (~> 1)
      aws-sdk-costexplorer (~> 1)
      aws-sdk-databasemigrationservice (~> 1)
      aws-sdk-datapipeline (~> 1)
      aws-sdk-dax (~> 1)
      aws-sdk-devicefarm (~> 1)
      aws-sdk-directconnect (~> 1)
      aws-sdk-directoryservice (~> 1)
      aws-sdk-dlm (~> 1)
      aws-sdk-dynamodb (~> 1)
      aws-sdk-dynamodbstreams (~> 1)
      aws-sdk-ec2 (~> 1)
      aws-sdk-ecr (~> 1)
      aws-sdk-ecs (~> 1)
      aws-sdk-efs (~> 1)
      aws-sdk-eks (~> 1)
      aws-sdk-elasticache (~> 1)
      aws-sdk-elasticbeanstalk (~> 1)
      aws-sdk-elasticloadbalancing (~> 1)
      aws-sdk-elasticloadbalancingv2 (~> 1)
      aws-sdk-elasticsearchservice (~> 1)
      aws-sdk-elastictranscoder (~> 1)
      aws-sdk-emr (~> 1)
      aws-sdk-firehose (~> 1)
      aws-sdk-fms (~> 1)
      aws-sdk-gamelift (~> 1)
      aws-sdk-glacier (~> 1)
      aws-sdk-glue (~> 1)
      aws-sdk-greengrass (~> 1)
      aws-sdk-guardduty (~> 1)
      aws-sdk-health (~> 1)
      aws-sdk-iam (~> 1)
      aws-sdk-importexport (~> 1)
      aws-sdk-inspector (~> 1)
      aws-sdk-iot (~> 1)
      aws-sdk-iot1clickdevicesservice (~> 1)
      aws-sdk-iot1clickprojects (~> 1)
      aws-sdk-iotanalytics (~> 1)
      aws-sdk-iotdataplane (~> 1)
      aws-sdk-iotjobsdataplane (~> 1)
      aws-sdk-kinesis (~> 1)
      aws-sdk-kinesisanalytics (~> 1)
      aws-sdk-kinesisvideo (~> 1)
      aws-sdk-kinesisvideoarchivedmedia (~> 1)
      aws-sdk-kinesisvideomedia (~> 1)
      aws-sdk-kms (~> 1)
      aws-sdk-lambda (~> 1)
      aws-sdk-lambdapreview (~> 1)
      aws-sdk-lex (~> 1)
      aws-sdk-lexmodelbuildingservice (~> 1)
      aws-sdk-lightsail (~> 1)
      aws-sdk-machinelearning (~> 1)
      aws-sdk-macie (~> 1)
      aws-sdk-marketplacecommerceanalytics (~> 1)
      aws-sdk-marketplaceentitlementservice (~> 1)
      aws-sdk-marketplacemetering (~> 1)
      aws-sdk-mediaconvert (~> 1)
      aws-sdk-medialive (~> 1)
      aws-sdk-mediapackage (~> 1)
      aws-sdk-mediastore (~> 1)
      aws-sdk-mediastoredata (~> 1)
      aws-sdk-mediatailor (~> 1)
      aws-sdk-migrationhub (~> 1)
      aws-sdk-mobile (~> 1)
      aws-sdk-mq (~> 1)
      aws-sdk-mturk (~> 1)
      aws-sdk-neptune (~> 1)
      aws-sdk-opsworks (~> 1)
      aws-sdk-opsworkscm (~> 1)
      aws-sdk-organizations (~> 1)
      aws-sdk-pi (~> 1)
      aws-sdk-pinpoint (~> 1)
      aws-sdk-pinpointemail (~> 1)
      aws-sdk-polly (~> 1)
      aws-sdk-pricing (~> 1)
      aws-sdk-rds (~> 1)
      aws-sdk-redshift (~> 1)
      aws-sdk-rekognition (~> 1)
      aws-sdk-resourcegroups (~> 1)
      aws-sdk-resourcegroupstaggingapi (~> 1)
      aws-sdk-route53 (~> 1)
      aws-sdk-route53domains (~> 1)
      aws-sdk-s3 (~> 1)
      aws-sdk-sagemaker (~> 1)
      aws-sdk-sagemakerruntime (~> 1)
      aws-sdk-secretsmanager (~> 1)
      aws-sdk-serverlessapplicationrepository (~> 1)
      aws-sdk-servicecatalog (~> 1)
      aws-sdk-servicediscovery (~> 1)
      aws-sdk-ses (~> 1)
      aws-sdk-shield (~> 1)
      aws-sdk-signer (~> 1)
      aws-sdk-simpledb (~> 1)
      aws-sdk-sms (~> 1)
      aws-sdk-snowball (~> 1)
      aws-sdk-sns (~> 1)
      aws-sdk-sqs (~> 1)
      aws-sdk-ssm (~> 1)
      aws-sdk-states (~> 1)
      aws-sdk-storagegateway (~> 1)
      aws-sdk-support (~> 1)
      aws-sdk-swf (~> 1)
      aws-sdk-transcribeservice (~> 1)
      aws-sdk-translate (~> 1)
      aws-sdk-waf (~> 1)
      aws-sdk-wafregional (~> 1)
      aws-sdk-workdocs (~> 1)
      aws-sdk-workmail (~> 1)
      aws-sdk-workspaces (~> 1)
      aws-sdk-xray (~> 1)
    aws-sdk-route53 (1.15.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-route53domains (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-s3 (1.23.1)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.0)
    aws-sdk-sagemaker (1.23.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-sagemakerruntime (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-secretsmanager (1.19.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-serverlessapplicationrepository (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-servicecatalog (1.13.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-servicediscovery (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-ses (1.13.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-shield (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-signer (1.4.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-simpledb (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv2 (~> 1.0)
    aws-sdk-sms (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-snowball (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-sns (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-sqs (1.9.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-ssm (1.32.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-states (1.7.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-storagegateway (1.12.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-support (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-swf (1.5.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-transcribeservice (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-translate (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-waf (1.10.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-wafregional (1.11.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-workdocs (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-workmail (1.6.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-workspaces (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sdk-xray (1.8.0)
      aws-sdk-core (~> 3, >= 3.26.0)
      aws-sigv4 (~> 1.0)
    aws-sigv2 (1.0.1)
    aws-sigv4 (1.0.3)
    bogo (0.2.12)
      hashie
      multi_json
    bogo-cli (0.2.14)
      bogo (>= 0.1.6, < 0.6)
      bogo-config (>= 0.1.15, < 0.5)
      bogo-ui
      slop (~> 3)
    bogo-config (0.2.2)
      attribute_struct
      bogo (>= 0.1.4, < 1.0)
      multi_json
      multi_xml
    bogo-ui (0.1.28)
      bogo
      command_line_reporter
      paint
    colored (1.2)
    command_line_reporter (4.0.0)
      colored (>= 1.2)
    diff-lcs (1.3)
    domain_name (0.5.20180417)
      unf (>= 0.0.5, < 1.0.0)
    graph (2.8.2)
    hashdiff (0.2.3)
    hashie (3.6.0)
    http (1.0.4)
      addressable (~> 2.3)
      http-cookie (~> 1.0)
      http-form_data (~> 1.0.1)
      http_parser.rb (~> 0.6.0)
    http-cookie (1.0.3)
      domain_name (~> 0.5)
    http-form_data (1.0.3)
    http_parser.rb (0.6.0)
    jaro_winkler (1.5.1)
    jenkins_api_client (1.5.3)
      json (>= 1.0)
      mixlib-shellout (>= 1.1.0)
      nokogiri (~> 1.6)
      socksify (>= 1.7.0)
      terminal-table (>= 1.4.0)
      thor (>= 0.16.0)
    jmespath (1.4.0)
    json (2.1.0)
    miasma (0.3.4)
      bogo (>= 0.2.2, < 1.0)
      http (>= 0.8.12, < 2.0)
      multi_json
      multi_xml
      xml-simple
    miasma-aws (0.3.22)
      miasma (>= 0.3.3, < 0.5)
    miasma-azure (0.1.4)
    miasma-google (0.1.0)
      miasma (>= 0.2.12)
      mime-types
    miasma-open-stack (0.1.4)
    miasma-rackspace (0.1.2)
      miasma-open-stack
    miasma-terraform (0.1.2)
    mime-types (3.2.2)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2018.0812)
    mini_portile2 (2.3.0)
    mixlib-shellout (2.4.0)
    multi_json (1.13.1)
    multi_xml (0.6.0)
    net-ssh (5.0.2)
    nokogiri (1.8.5)
      mini_portile2 (~> 2.3.0)
    paint (2.0.1)
    parallel (1.12.1)
    parser (2.5.3.0)
      ast (~> 2.4.0)
    powerpack (0.1.2)
    public_suffix (3.0.3)
    rainbow (3.0.0)
    rake (12.3.1)
    rspec (3.8.0)
      rspec-core (~> 3.8.0)
      rspec-expectations (~> 3.8.0)
      rspec-mocks (~> 3.8.0)
    rspec-core (3.8.0)
      rspec-support (~> 3.8.0)
    rspec-expectations (3.8.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.8.0)
    rspec-mocks (3.8.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.8.0)
    rspec-support (3.8.0)
    rubocop (0.60.0)
      jaro_winkler (~> 1.5.1)
      parallel (~> 1.10)
      parser (>= 2.5, != 2.5.1.1)
      powerpack (~> 0.1)
      rainbow (>= 2.2.2, < 4.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (~> 1.4.0)
    ruby-progressbar (1.10.0)
    sfn (3.0.32)
      bogo-cli (>= 0.2.5, < 0.4)
      bogo-ui (>= 0.1.28, < 0.4)
      graph (~> 2.8.1)
      hashdiff (~> 0.2.2)
      jmespath
      miasma (>= 0.3.3, < 0.4)
      miasma-aws (>= 0.3.15, < 0.4)
      miasma-azure (>= 0.1.0, < 0.3)
      miasma-google (>= 0.1.0, < 0.3)
      miasma-open-stack (>= 0.1.0, < 0.3)
      miasma-rackspace (>= 0.1.0, < 0.3)
      miasma-terraform (>= 0.1.0, < 0.2.0)
      net-ssh
      sparkle_formation (>= 3.0.11, < 4)
    slop (3.6.0)
    socksify (1.7.1)
    sparkle_formation (3.0.32)
      attribute_struct (>= 0.3.5, < 0.5)
      bogo
      multi_json
    terminal-table (1.8.0)
      unicode-display_width (~> 1.1, >= 1.1.1)
    thor (0.20.3)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.7.5)
    unicode-display_width (1.4.0)
    xml-simple (1.1.5)

PLATFORMS
  ruby

DEPENDENCIES
  aws-sdk
  aws-sdk-cloudformation
  aws-sdk-ec2
  aws-sdk-s3
  jenkins_api_client
  rake
  rspec
  rubocop
  sfn (= 3.0.32)
  sparkle_formation

BUNDLED WITH
   1.17.1

and the following Gemfile which produces the above

# frozen_string_literal: true

source 'https://rubygems.org'

sfn_version = '3.0.32'

group :development do
  gem 'aws-sdk'
  gem 'aws-sdk-cloudformation'
  gem 'aws-sdk-ec2'
  gem 'aws-sdk-s3'
  gem 'jenkins_api_client'
  gem 'rake'
  gem 'rspec'
  gem 'rubocop', require: false
  gem 'sfn', sfn_version
  gem 'sparkle_formation'
end

The sfn list command (it errors with any command: list, create, etc.) is executed like so: AWS_PROFILE=harishtest sfn list --debug, where harishtest is the name of my test profile, indicating a role which otherwise works with the AWS CLI CloudFormation interface.

but here is the example config

awscli ❯ cat ~/.aws/config
[default]
region = us-east-1
output = json

[profile harishtest]
role_arn = arn:aws:iam::REDACTED:role/qa_redshift_connector_administer
source_profile = default
region = us-east-1

~/code/bitbucket/jobvite-sparkles
awscli ❯

The following error occurs

/Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/hashie-3.6.0/lib/hashie/extensions/indifferent_access.rb:71:in `convert_key': stack level too deep (SystemStackError)
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/hashie-3.6.0/lib/hashie/extensions/indifferent_access.rb:107:in `indifferent_writer'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/hashie-3.6.0/lib/hashie/extensions/coercion.rb:44:in `set_value_with_coercion'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/bogo-0.2.12/lib/bogo/smash.rb:172:in `block (2 levels) in to_type_converter'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/bogo-0.2.12/lib/bogo/smash.rb:166:in `each'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/bogo-0.2.12/lib/bogo/smash.rb:166:in `block in to_type_converter'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/bogo-0.2.12/lib/bogo/smash.rb:158:in `tap'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/bogo-0.2.12/lib/bogo/smash.rb:158:in `to_type_converter'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/bogo-0.2.12/lib/bogo/smash.rb:146:in `to_smash'
         ... 9753 levels...
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/bogo-cli-0.2.14/lib/bogo-cli/setup.rb:48:in `define'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/gems/sfn-3.0.32/bin/sfn:14:in `<top (required)>'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/bin/sfn:22:in `load'
        from /Users/l/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles_sfn_fix/bin/sfn:22:in `<main>'

If I change the following file from the miasma-aws 0.3.22 gem, miasma-0.3.22/lib/miasma-aws/api.rb, from its original state to

require 'aws-sdk-core'
require 'pp'

module Miasma
  module Contrib
    module Aws
      module Api
        # STS helper class
        class Sts < Miasma::Types::Api

          # Service name of the API
          API_SERVICE = "sts".freeze
          # Supported version of the STS API
          API_VERSION = "2011-06-15".freeze

          include Contrib::AwsApiCore::ApiCommon
          include Contrib::AwsApiCore::RequestUtils

          # Generate MFA session credentials
          #
          # @param token_code [String, Proc] Code from MFA device
          # @param args [Hash]
          # @option args [Integer] :duration life of session in seconds
          # @option args [String] :mfa_serial MFA device identification number
          # @return [Hash]
          def mfa_session(token_code, args = {})
            req_params = Smash.new.tap do |params|
              params["Action"] = "GetSessionToken"
              params["TokenCode"] = token_code.respond_to?(:call) ? token_code.call : token_code
              params["DurationSeconds"] = args[:duration] if args[:duration]
              params["SerialNumber"] = args[:mfa_serial].to_s.empty? ? default_mfa_serial : args[:mfa_serial]
            end
            result = request(
              :path => "/",
              :params => req_params,
            ).get(:body, "GetSessionTokenResponse", "GetSessionTokenResult", "Credentials")
            Smash.new(
              :aws_sts_session_token => result["SessionToken"],
              :aws_sts_session_secret_access_key => result["SecretAccessKey"],
              :aws_sts_session_access_key_id => result["AccessKeyId"],
              :aws_sts_session_token_expires => Time.parse(result["Expiration"]),
            )
          end

          # Assume new role
          #
          # @param role_arn [String] IAM Role ARN
          # @param args [Hash]
          # @option args [String] :external_id
          # @option args [String] :session_name
          # @return [Hash]
          def assume_role(role_arn, args = {})
            my_args = {}
            req_params = Smash.new.tap do |params|
              params["Action"] = "AssumeRole"
              params["RoleArn"] = role_arn
              params["RoleSessionName"] = args[:session_name] || SecureRandom.uuid.tr("-", "")
              params["ExternalId"] = args[:external_id] if args[:external_id]
              my_args[:external_id] = params["ExternalId"]
              my_args[:role_arn] = params["RoleArn"]
              my_args[:role_session_name] = params["RoleSessionName"]
            end
            sts_client = ::Aws::STS::Client.new
            response = sts_client.assume_role(
              duration_seconds: 3600,
              external_id: my_args[:external_id],
              role_arn: my_args[:role_arn],
              role_session_name: my_args[:role_session_name],
            )
            # Using information with aws-sdk-core STS client works
            Smash.new(
              :aws_sts_token => response.credentials.session_token,
              :aws_sts_secret_access_key => response.credentials.secret_access_key,
              :aws_sts_access_key_id => response.credentials.access_key_id,
              :aws_sts_token_expires => response.credentials.expiration,
              :aws_sts_assumed_role_arn => response.assumed_role_user.arn,
              :aws_sts_assumed_role_id => response.assumed_role_user.assumed_role_id,
            )
            #
            # Something about request here in assume_role recurses infinitely
            #result = request(
            #  :path => "/",
            #  :params => req_params,
            #).get(:body, "AssumeRoleResponse", "AssumeRoleResult")
            # Old Smash to go with above request
            #Smash.new(
            #  :aws_sts_token => result.get("Credentials", "SessionToken"),
            #  :aws_sts_secret_access_key => result.get("Credentials", "SecretAccessKey"),
            #  :aws_sts_access_key_id => result.get("Credentials", "AccessKeyId"),
            #  :aws_sts_token_expires => Time.parse(result.get("Credentials", "Expiration")),
            #  :aws_sts_assumed_role_arn => result.get("AssumedRoleUser", "Arn"),
            #  :aws_sts_assumed_role_id => result.get("AssumedRoleUser", "AssumedRoleId"),
            #)

          end

          # @return [String]
          def default_mfa_serial
            user_data = Iam.new(
              Smash[
                [:aws_access_key_id, :aws_secret_access_key, :aws_region].map do |key|
                  [key, attributes[key]]
                end
              ]
            ).user_info
            "arn:aws:iam::#{user_data[:account_id]}:mfa/#{user_data[:username]}"
          end
        end
      end
    end
  end
end

Essentially, when I use aws-sdk-core to do the STS call and fill the correct information into Smash.new, I do not see this failure. There is a call on "retryable_requests" that recursively loops.

I doubt the correct fix is shoehorning aws-sdk-core but this is as far as I've gotten so far. If I do this change and use aws-sdk-core then everything returns as expected from

AWS_PROFILE=harishtest sfn list --debug

like so

awscli ❯ AWS_PROFILE=harishtest sfn list --debug
I, [2018-11-15T16:55:45.589416 #96035]  INFO -- : Lock aquired for stack update. Requesting stacks from upstream. (#<Thread:0x007f966807efa8>)
I, [2018-11-15T16:55:46.742730 #96035]  INFO -- : Stack list has been updated from upstream and cached locally
Name                 Created                   Updated              Status               Template Description
test                 2018-11-15 21:17:42 UTC                        CREATE_COMPLETE      kubernetes test template

I know this is affecting the sfn gem and I will post there as well. I thought I would submit the issue here as well.

Here is the issue there: https://github.com/sparkleformation/sfn/issues/284

chrisroberts commented 5 years ago

Hi @LuisDeSiqueira. Thanks for the thorough issue report, it's very much appreciated :)

One followup question: Do you experience the same error if you provide your AWS configuration within the .sfn file only (and don't use the aws_profile_name setting)?

LuisDeSiqueira commented 5 years ago

Hello @chrisroberts,

Thank you for the prompt reply. If I do not provide aws_profile_name and instead obtain the value of the STS role by passing aws_sts_role_arn ENV['AWS_STS_ROLE_ARN'] in the configuration like so

# the sfn CLI. To view all available configuration
# options, please see:
# http://www.sparkleformation.io/docs/sfn/configuration.html

require_relative './lib/helpers/naming'
require_relative './lib/helpers/tagging'
require_relative './lib/helpers/getters'
require_relative './lib/helpers/raise_errors'
require_relative './lib/s3/bucket'
require_relative './lib/s3/bucket_names'
require_relative './lib/subnets/helpers'
require_relative './lib/sqs/queue'
require_relative './lib/sns/topic'
require_relative './lib/elasticsearch/metadata'
require_relative './lib/helpers/rspec'

Configuration.new do
  apply_nesting 'deep'
  processing true
  options do
    on_failure 'nothing'
    notification_topics []
    capabilities ['CAPABILITY_IAM','CAPABILITY_NAMED_IAM']
    tags do
      creator ENV['USER']
    end
  end
  credentials do
    provider :aws
    #aws_access_key_id ENV['AWS_ACCESS_KEY_ID']
    #aws_secret_access_key ENV['AWS_SECRET_ACCESS_KEY']
    #aws_region ENV['AWS_REGION']
    #aws_bucket_region ENV['AWS_REGION']
    # or use default profile in ~/.aws/credentials
    # works well with aws mfa https://jobvite.atlassian.net/wiki/display/PLAT/Set+aws+profile+credentials+with+mfa+token
    #aws_profile_name ENV['AWS_PROFILE']
    aws_sts_role_arn ENV['AWS_STS_ROLE_ARN']
  end
end

and call with ~/.rbenv/versions/2.4.1/gemsets/jobvite-sparkles/bin/sfn list --debug, it ignores the aws_sts_role_arn ENV['AWS_STS_ROLE_ARN'] completely and uses my default profile in ~/.aws/config to reach the incorrect non-STS account I default to.

If I put direct AWS credentials for my default account in the SFN config, then it will not go to the profile and will use that configuration.

I think a crucial detail here is that I do not have regular credential access to the account that the STS role permits me access to. Therefore there is no way for me to run a test where I am authenticating regularly against that account.

pedrocarrico commented 5 years ago

@LuisDeSiqueira try to unset AWS_PROFILE in your terminal and try with just AWS_STS_ROLE_ARN

Worked for me. Still, I'd love to be able to use AWS_PROFILE, and I'm seeing the same error as you are.

cc @chrisroberts

LuisDeSiqueira commented 5 years ago

@pedrocarrico

Thank you so much for the hint. It's true I have found that with a .sfn of

# This is an auto-generated configuration file for
# the sfn CLI. To view all available configuration
# options, please see:
# http://www.sparkleformation.io/docs/sfn/configuration.html

Configuration.new do
  apply_nesting 'deep'
  processing true
  options do
    on_failure 'nothing'
    notification_topics []
    capabilities ['CAPABILITY_IAM','CAPABILITY_NAMED_IAM']
    tags do
      creator ENV['USER']
    end
  end
  credentials do
    provider :aws
    aws_sts_role_arn ENV['AWS_STS_ROLE_ARN']
  end
end

and nothing else in my environment related to AWS

❯ printenv|grep AWS

and providing the STS var inline

❯ AWS_STS_ROLE_ARN=arn:aws:iam::REDACTED:role/qa_redshift_connector_administer sfn list
Name                 Created                   Updated              Status               Template Description
prod-udc             2018-11-16 06:23:02 UTC                        CREATE_COMPLETE      redshift_connector.rb: Creates a redshift_connector stack for 'someone' i
                                                                                         n 'prod'

I get desirable results. So this issue is at least isolated to using the ~/.aws/config type settings.

cc @chrisroberts
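
The thread narrows the failure to profiles defined in ~/.aws/config and notes a run that reached the wrong account. The following is an added example, not part of the thread and not miasma-aws or sfn code: it parses shared-config text and lists the assume-role chain an AWS_PROFILE points at, so the expected role_arn, source_profile and mfa_serial can be compared with what a tool actually used. The sample config, account ids and the loop_a/loop_b profiles are constructed.

```ruby
# Added example: resolve an assume-role chain from AWS shared-config text.
# SAMPLE_CONFIG is constructed; account ids and role names are placeholders.
SAMPLE_CONFIG = <<~INI
  [default]
  region = us-east-1

  [profile harishtest]
  role_arn = arn:aws:iam::111111111111:role/example_role
  source_profile = default
  mfa_serial = arn:aws:iam::222222222222:mfa/example_user

  [profile loop_a]
  role_arn = arn:aws:iam::111111111111:role/a
  source_profile = loop_b

  [profile loop_b]
  role_arn = arn:aws:iam::111111111111:role/b
  source_profile = loop_a
INI

# Parse INI text into { profile_name => { key => value } }.
def parse_profiles(text)
  profiles = {}
  current = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(?:profile\s+)?([^\]]+)\]\z/))
      current = profiles[m[1].strip] = {}
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      current[m[1]] = m[2].strip
    end
  end
  profiles
end

# Follow source_profile links from `name`; raise on a loop or a missing profile.
def resolve_chain(profiles, name)
  chain, seen = [], []
  while name
    raise ArgumentError, "profile loop: #{(seen + [name]).join(' -> ')}" if seen.include?(name)
    profile = profiles.fetch(name) { raise KeyError, "unknown profile #{name}" }
    seen << name
    chain << { profile: name, role_arn: profile['role_arn'], mfa_serial: profile['mfa_serial'] }
    name = profile['source_profile']
  end
  chain
end
```

The last hop in the returned chain is the profile whose long-term credentials sign the AssumeRole call; if a tool lists stacks from that account instead of the role's account, the role_arn was not applied.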