techservicesillinois / awscli-login

awscli-login is an AWS CLI plugin that manages retrieving and rotating Amazon STS temporary credentials using SAML ECP for authentication with optional support for Duo.
https://pypi.org/project/awscli-login/

Bizarre credentials-handling behavior with awscli-login #93

Open JonRoma opened 3 years ago

JonRoma commented 3 years ago

Here's what I experienced when trying to log in to AWS this afternoon.

1: typeset -x AWS_PROFILE=production
2: aws login
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/botocore/configloader.py", line 149, in raw_config_parse
    cp.read([path])
  File "/usr/local/Cellar/python@3.9/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 697, in read
    self._read(fp, filename)
  File "/usr/local/Cellar/python@3.9/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 1070, in _read
    raise DuplicateSectionError(sectname, fpname,
configparser.DuplicateSectionError: While reading from '/Users/roma/.aws/credentials' [line 101]: section 'default' already exists

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/aws", line 27, in <module>
    sys.exit(main())
  File "/usr/local/bin/aws", line 23, in main
    return awscli.clidriver.main()
  File "/usr/local/lib/python3.9/site-packages/awscli/clidriver.py", line 69, in main
    driver = create_clidriver()
  File "/usr/local/lib/python3.9/site-packages/awscli/clidriver.py", line 78, in create_clidriver
    load_plugins(session.full_config.get('plugins', {}),
  File "/usr/local/lib/python3.9/site-packages/botocore/session.py", line 378, in full_config
    cred_profiles = botocore.configloader.raw_config_parse(
  File "/usr/local/lib/python3.9/site-packages/botocore/configloader.py", line 151, in raw_config_parse
    raise botocore.exceptions.ConfigParseError(
botocore.exceptions.ConfigParseError: Unable to parse config file: /Users/roma/.aws/credentials

I looked in my ~/.aws/credentials file and indeed saw some bizarreness. Not only did I see two [default] blocks, but I saw one block with identical values in the aws_session_token and aws_security_token. I share a sanitized version of what I found below. It was a simple matter to edit the file to remove the errant values. Thought you'd want to scratch your heads over this!

[default]
aws_access_key_id = ****
aws_secret_access_key = ****
aws_session_token = valueA
aws_security_token = valueA
[default]
aws_security_token = valueB

I am using 0.2b1.
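
A read-only check for the two symptoms in the report above (a repeated section header, and `aws_session_token` / `aws_security_token` values that disagree), as an added example that is not part of the original report or of the awscli-login code base. The function names and the last-value-wins merge are assumptions, and the sample input is constructed from the sanitized file above.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample mirroring the sanitized file in the report above.
SAMPLE = """\
[default]
aws_access_key_id = ****
aws_secret_access_key = ****
aws_session_token = valueA
aws_security_token = valueA
[default]
aws_security_token = valueB
"""
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([^\s=:#;][^=:]*?)\s*[=:]\s*(.*)$")
TOKENS = ("aws_session_token", "aws_security_token")

def audit_credentials(text):
    """Return (duplicates, mismatches); token values are compared, never returned."""
    headers, merged, current = defaultdict(list), defaultdict(dict), None
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            current = m.group(1)
            headers[current].append(lineno)
        elif (m := KEY_RE.match(line)) and current is not None:
            # Assumption: repeated blocks merge and the last value wins.
            merged[current][m.group(1).lower()] = m.group(2).strip()
    duplicates = {s: nums for s, nums in headers.items() if len(nums) > 1}
    mismatches = sorted(s for s, kv in merged.items()
                        if all(k in kv for k in TOKENS)
                        and kv[TOKENS[0]] != kv[TOKENS[1]])
    return duplicates, mismatches

def strict_parse_fails(text):
    """True when configparser's default strict mode rejects the text."""
    try:
        configparser.RawConfigParser().read_string(text)
    except configparser.DuplicateSectionError:
        return True
    return False

if __name__ == "__main__":
    dups, bad = audit_credentials(SAMPLE)
    print("duplicate sections:", dups)
    print("token mismatch in:", bad)
    print("strict parse fails:", strict_parse_fails(SAMPLE))
```

The report lists only section names and header line numbers, so its output can be pasted into an issue without leaking token material.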

ddriddle commented 3 years ago

@JonRoma any idea how the duplicate entries came about?

JonRoma commented 3 years ago

@ddriddle, no idea. I wasn't doing anything particularly unusual – just logging in as usual. My speculation is that my credentials expired and something went amiss, but that's just a guess.