thomasmichaelwallace / serverless-better-credentials

Better AWS credentials resolution plugin for serverless
MIT License

Plugin failed on EC2 with IAM Role #15

Closed ltricard closed 10 months ago

ltricard commented 1 year ago

Describe the bug: When we use the plugin on EC2 with an IAM role, it doesn't work anymore.

To Reproduce: Steps to reproduce the behavior:

  1. Launch EC2 user with IAM Role
  2. Create a minimal project with serverless and the serverless-better-credentials plugin
  3. npx sls info --stage dev
  4. See error

Expected behavior: Get credentials from the IAM role.

Screenshots

[ec2-user@ip-xxx user]$ npx sls info --stage dev --verbose
Environment: linux, node 16.17.1, framework 3.23.0 (local), plugin 6.2.2, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
Error: ENOENT: no such file or directory, open '/home/ec2-user/.aws/credentials'
    at Object.openSync (node:fs:594:3)
    at Object.readFileSync (node:fs:462:35)

Additional info:

[ec2-user@ip-xxx user]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************6MW2         iam-role
secret_key     ****************Zy5I         iam-role
    region                <not set>             None    None

I tried adding ~/.aws/config with only:

[default]
region=eu-west-1

And tried again:

[ec2-user@ip-xxx user]$ AWS_SDK_LOAD_CONFIG=1 npx sls info --stage dev
Environment: linux, node 16.17.1, framework 3.23.0 (local), plugin 6.2.2, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
ProcessCredentialsProviderFailure: Profile default did not include credential process
    at ProcessCredentials.load (/home/ec2-user/user/node_modules/aws-sdk/lib/credentials/process_credentials.js:102:11)

Additional context: When we comment out the plugin, it works fine. Is it possible to have an (env?) variable to bypass SSO authentication? Otherwise, with SSO, this plugin is great :)

vdh commented 10 months ago

@thomasmichaelwallace Is it possible to have the plugin fall back to unmodified behaviour if the .aws/credentials file is missing? This bug with IAM roles makes it hard to use the plugin since it breaks in CI.

thomasmichaelwallace commented 10 months ago

I agree this could be useful behaviour, although it could be harder than you expect to implement, because the way credentials get resolved natively by serverless is still different from the way the aws-sdk works.

For what it's worth, I think this should just work if you have the AWS_ACCESS_KEY &c. variables set in your ci/cd environment.

In general, however, I would recommend moving away from AWS managed profiles and instead using something like https://github.com/99designs/aws-vault.

thomasmichaelwallace commented 10 months ago

I don't have time to work on this plugin any more - I moved to the AWS-CDK and haven't really looked back.

But I accept PRs 😄

thomasmichaelwallace commented 10 months ago

It's a bit late, but I've added a bit to the readme about how to deal with this CI/CD scenario by creating a temporary ~/.aws/credentials file; see:

https://github.com/thomasmichaelwallace/serverless-better-credentials?tab=readme-ov-file#troubleshooting

I'll close this issue for now, but feel free to re-open if you have any trouble.
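
Added example, not code from the plugin, serverless or the aws-sdk: a Node.js diagnostic that shows why the host in the report has nothing for a file-based resolver to use, by listing which credential sources the shared config files and environment actually define for a profile. The function names `parseIni` and `diagnose` are hypothetical, and the check only inspects file contents and environment variables; it does not reproduce the plugin's resolution order.

```javascript
// Added diagnostic; parseIni and diagnose are hypothetical names, not plugin or SDK APIs.
// AWS shared-config keys that let a profile supply credentials on its own.
const SOURCE_KEYS = new Map([
  ['aws_access_key_id', 'static keys'],
  ['credential_process', 'credential_process'],
  ['sso_start_url', 'sso'],
  ['sso_session', 'sso'],
  ['role_arn', 'assume role'],
  ['web_identity_token_file', 'web identity'],
]);

// Minimal INI reader: "[section]" headers, "key = value" pairs, # and ; comment lines.
function parseIni(text) {
  const sections = Object.create(null);
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      const name = header[1].trim();
      current = sections[name] = sections[name] || Object.create(null);
      continue;
    }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim().toLowerCase()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// configText and credentialsText are file contents, or null when the file is absent.
function diagnose(profile, configText, credentialsText, env) {
  const found = new Set();
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) found.add('environment variables');
  // ~/.aws/config names sections "[profile x]" (except "[default]"); credentials uses "[x]".
  const configSection = profile === 'default' ? 'default' : `profile ${profile}`;
  const merged = {
    ...(configText === null ? {} : parseIni(configText)[configSection]),
    ...(credentialsText === null ? {} : parseIni(credentialsText)[profile]),
  };
  for (const key of Object.keys(merged)) {
    if (SOURCE_KEYS.has(key)) found.add(SOURCE_KEYS.get(key));
  }
  // noLocalSource: credentials would have to come from an instance or container role.
  return { sources: [...found], credentialsFileMissing: credentialsText === null, noLocalSource: found.size === 0 };
}

// Constructed input matching the report: config holds only a region, no credentials file.
const reported = diagnose('default', '[default]\nregion=eu-west-1\n', null, {});
console.log(reported);
```

To run it against a real host, pass the contents of ~/.aws/config and ~/.aws/credentials (or null for a missing file) together with `process.env`.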