pplu / aws-sdk-perl

A community AWS SDK for Perl Programmers

Cannot use PAWS SSM w/ federated login #344

Open kpeters-cbsi opened 5 years ago

kpeters-cbsi commented 5 years ago

I'm trying to read a parameter from SSM using the following code. I'm using federated login, so I don't have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in %ENV, only AWS_DEFAULT_PROFILE.

#!/usr/bin/env perl
use strict;
use warnings;

use Paws;
use Data::Dumper;

# Credentials are resolved through the default provider chain; nothing explicit is passed.
my $obj = Paws->service('SSM', region => 'us-east-1');

# GetParameters takes a list of names (Names => [...]), matching the CLI's --names flag below.
my $res = $obj->GetParameters(Names => ['/my/test/parameter']);
print Dumper $res;

But when I do that, I get:

Can't find any credentials. I tried with Paws::Credential::Environment,Paws::Credential::File,Paws::Credential::ECSContainerProfile,Paws::Credential::InstanceProfile at /home/kit/.perlbrew/libs/perl-5.30.0@lambda-cycles/lib/perl5/Paws/Credential/ProviderChain.pm line 32.

However, the AWS CLI (aws ssm get-parameters --names "/my/test/parameter") works just fine.

pplu commented 5 years ago

Hmmm... strange, since Paws::Credential::File should be honoring the ENV var. https://github.com/pplu/aws-sdk-perl/blob/master/lib/Paws/Credential/File.pm

Can you try the following script? Does that behave correctly? It may help you isolate the problem.

use strict;
use warnings;
use Paws::Credential::File;

# With no explicit profile, the provider reads AWS_DEFAULT_PROFILE (falling back to "default").
my $f = Paws::Credential::File->new;
print $f->access_key, "\n";

Hope it helps.

kpeters-cbsi commented 5 years ago

Tried the script; it returned nothing.

kpeters-cbsi commented 5 years ago

I see the problem. Here is my (redacted) environment:

AWS_DEFAULT_PROFILE=123456789012/role-name/username

And here are the contents of my (redacted) $HOME/.aws/credentials:

[123456789012/role-name/username_source]
aws_access_key_id = ASIAXPNJWRK4MDXIW7Z3
aws_secret_access_key = <REDACTED>
aws_session_token = <REDACTED>

Note how it's username_source in $HOME/.aws/credentials, but username in $ENV{AWS_DEFAULT_PROFILE}.

I don't know why _source is appended in $HOME/.aws/credentials, but I suspect it may be related to federated login via Okta.

kpeters-cbsi commented 5 years ago

This works:

#!/usr/bin/env perl
use strict;
use warnings;

use Paws;
use Paws::Credential::File;
use Data::Dumper;

my $region = $ENV{AWS_REGION} || 'us-east-1';

# Point the file provider at the "<profile>_source" section the federated-login tool wrote,
# instead of letting it look up $ENV{AWS_DEFAULT_PROFILE} verbatim.
my $paws = Paws->new(
  config => {
    credentials => Paws::Credential::File->new(profile => qq{$ENV{AWS_DEFAULT_PROFILE}_source}),
  }
);
my $obj = $paws->service('SSM', region => $region);

# GetParameter (singular) takes one Name; WithDecryption returns the plaintext of a SecureString.
my $res = $obj->GetParameter(Name => '/my/encrypted/parameter', WithDecryption => 1);
print Dumper $res;

pplu commented 5 years ago

Thanks for your feedback! What got you to putting '_source' in the profile name? Is there a tool that does this?

I'm trying to find out if we should support always looking for a section called "$ENV{AWS_DEFAULT_PROFILE}" or "$ENV{AWS_DEFAULT_PROFILE}_source", or we should look for both...
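As an added illustration of the lookup pplu is weighing (exact profile name first, then the "_source" variant), and of the mismatch kpeters-cbsi found: a self-contained Perl script, not code from Paws or from either participant, that parses a constructed credentials file with core modules only and reports which section it resolved. The file contents, key ids and profile names below are constructed for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Temp qw(tempfile);
# Constructed sample of what the federated-login tool wrote to ~/.aws/credentials:
# the section name carries a "_source" suffix that AWS_DEFAULT_PROFILE lacks.
my $sample = <<'INI';
[123456789012/role-name/username_source]
aws_access_key_id = ASIAEXAMPLEKEYID0000
aws_secret_access_key = EXAMPLESECRET
aws_session_token = EXAMPLETOKEN
[plain-profile]
aws_access_key_id = AKIAEXAMPLEKEYID0000
aws_secret_access_key = EXAMPLESECRET2
INI
# Parse an INI-style credentials file into { section => { key => value } }.
sub parse_credentials {
    my ($path) = @_;
    my (%sections, $current);
    open my $fh, '<', $path or die "open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:[#;].*)?$/;                  # blank or comment
        if ($line =~ /^\s*\[\s*(.+?)\s*\]\s*$/) { $current = $1; next }
        $sections{$current}{$1} = $2
            if defined $current && $line =~ /^\s*([^=\s]+)\s*=\s*(.*?)\s*$/;
    }
    close $fh;
    return \%sections;
}

# Exact profile name first, then "<name>_source"; undef when neither exists.
sub resolve_profile {
    my ($sections, $profile) = @_;
    for my $candidate ($profile, "${profile}_source") {
        return $candidate if exists $sections->{$candidate};
    }
    return;
}

my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $sample;
close $fh;
my $sections = parse_credentials($path);
for my $profile ('123456789012/role-name/username', 'plain-profile', 'missing') {
    my $found = resolve_profile($sections, $profile);
    print defined $found
        ? "$profile -> [$found]" . ($found ne $profile ? " (suffix fallback; use profile => '$found')" : '') . "\n"
        : "$profile -> no section; Paws would report 'Can't find any credentials'\n";
}
```

When the resolved section differs from the requested name, the printed hint is the same value the workaround above passes as `profile =>` to Paws::Credential::File.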

kpeters-cbsi commented 5 years ago

I don't know why "_source" is in the profile name - that's just how the tool that my company uses to log into AWS does it. If it helps, we're using Okta for federated login.

KP
