thomasmichaelwallace / serverless-better-credentials

Better AWS credentials resolution plugin for serverless
MIT License

Doesn't work since 1.2.0 #27

Open tonivdv opened 1 year ago

tonivdv commented 1 year ago

Describe the bug

Since 1.2.0 the plugin does not detect the AWS profile anymore and always defaults to the "default" AWS profile.

To Reproduce

Steps to reproduce the behavior:

  1. Upgrade to 1.2.0 in an existing project
  2. Try to deploy

Expected behavior

Should deploy fine

Screenshots

sls info --aws-profile some-dev              
Running "serverless" from node_modules
✔ serverless-better-credentials: credentials resolved from config ini profile: AWS_DEFAULT_PROFILE (default)
Environment: darwin, node 16.19.1, framework 3.32.2 (local) 3.33.0v (global), plugin 6.2.3, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
'/20230703/eu-central-1/cloudformation/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header .....

Desktop (please complete the following information):

jsifuentes commented 1 year ago

Same. In my case, I set the AWS_PROFILE environment variable when running serverless invoke local. Worked before I upgraded my deps.

user@main project % task invoke-local            
task: [invoke-local] mkdir -p .build; cp -r config .build/
task: [invoke-local] AWS_PROFILE=myprofile npx serverless invoke local -f findingsWorker -s local -p test-input.json
Environment: darwin, node 18.16.0, framework 3.33.0 (local), plugin 6.2.3, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
ProcessCredentialsProviderFailure: Profile default not found
    at ProcessCredentials.load (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials/process_credentials.js:80:11)
    at ProcessCredentials.coalesceRefresh (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials.js:122:12)
    at resolveNext (/Users/user/Developer/project/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
    at /Users/user/Developer/project/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
    at /Users/user/Developer/project/node_modules/aws-sdk/lib/credentials.js:124:23
    at /Users/user/Developer/project/node_modules/aws-sdk/lib/credentials.js:212:15
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)

kdybicz commented 1 year ago

Same issue, though I'm using:

provider:
   profile: ...

and I'm getting:

Debugger listening on ws://127.0.0.1:9229/77352f21-5b2d-4349-85e6-298c0d51aa66
For help, see: https://nodejs.org/en/docs/inspector
Environment: darwin, node 18.12.1, framework 3.33.0 (local), plugin 6.2.3, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
Cannot resolve serverless.yml: Variables resolution errored with:
  - Cannot resolve variable at "custom.config.env.A": Profile default did not include credential process,
  - Cannot resolve variable at "custom.config.env.B": Profile default did not include credential process,
  - Cannot resolve variable at "custom.config.env.C": Profile default did not include credential process,
  - Cannot resolve variable at "custom.config.env.D": Profile default did not include credential process
[nodemon] app crashed - waiting for file changes before starting...

where:

custom.config.env.A: ${ssm:/some/path/to/secret}

MichaelLebrand commented 1 year ago

The MR was merged but judging by the code @anaisberg was waiting for https://github.com/aws/aws-sdk-js/pull/4456 to be merged for the entire thing to work: https://github.com/thomasmichaelwallace/serverless-better-credentials/blob/main/src/SsoCredentials/getSsoConfig.ts#L155

Right now it fails by saying the iniLoader doesn't have a loadSsoSessionsFrom function here. Some other things I noticed though:

  1. The filename is set to process the AWS_SDK_LOAD_CONFIG env var (a boolean), not the AWS_CONFIG_FILE var https://github.com/thomasmichaelwallace/serverless-better-credentials/blob/main/src/SsoCredentials/getSsoConfig.ts#L27C48-L27C48
  2. The profilesFromConfig is set by calling getProfilesFromCredentials https://github.com/thomasmichaelwallace/serverless-better-credentials/blob/main/src/SsoCredentials/getSsoConfig.ts#L126
  3. profilesFromCredentials is filled by getProfilesFromConfig, which sets the filename using the sharedCredentialsFileEnv var https://github.com/thomasmichaelwallace/serverless-better-credentials/blob/main/src/SsoCredentials/getSsoConfig.ts#L46

thomasmichaelwallace commented 12 months ago

This may be addressed in v1.2.1 - feel free to re-open if not.

Probotect0r commented 9 months ago

@thomasmichaelwallace I am on v1.2.1 and am still noticing this issue.

Probotect0r commented 7 months ago

@thomasmichaelwallace Was this fixed in the 2.0 release? Or 1.3.0?

thomasmichaelwallace commented 7 months ago

Can you try 2.0 and see?

tomchiverton commented 4 months ago

I'm on the plugin 2.x here and it looked like it wasn't working, because it was confused.

When this happens, it logs

....config SharedIniFileCredentials: AWS_DEFAULT_PROFILE (default)

And things like

environment:
    JWT_TOKEN: ${ssm:/goo/bar/secret/v1}

error referencing my default AWS account too.

I removed .aws/sso/cache/*json and that seemed to fix it, and it now logs, after an SSO login,

....config SsoCredentials: cli --aws-profile (sso-foo-bar)

The output of sls with --debug * and --verbose was helpful in finding this out.

Looking in these cache files, I don't see why it would pick one over the other. For instance the sso_account_id isn't in the .json, only the start_url and region. Is there a cache collision?

Here is a defanged version of the end of my ~/.aws/config

[clientOne]
region = eu-west-2
[profile sso-clientOne-dev-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111
sso_role_name = clientOne-serverless-dev
region = eu-west-2
[profile sso-clientOne-live-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start#
sso_region = eu-west-2
sso_account_id = 22222222222
sso_role_name = clientOne-serverless-dev
region = eu-west-2
[profile sso-clientTwo-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start#
sso_region = eu-west-2
sso_account_id = 33333333333
sso_role_name = serverless-dev
region = eu-west-2

Environment: linux, node 18.17.1, framework 3.38.0 (local) 3.34.0v (global), plugin 7.2.0, SDK 4.5.1
aws-cli/2.2.18 Python/3.8.8 Linux/6.5.0-17-generic exe/x86_64.ubuntu.22 prompt/off
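
A diagnostic sketch for the cache question in the comment above, added here as an example and not code from the plugin or from any commenter: it groups SSO profiles by the token cache file they would read. It assumes the legacy AWS CLI / aws-sdk-js v2 convention of naming the cache file after the SHA-1 of sso_start_url (the plugin's own lookup is not shown in this thread); the config text is a constructed sample shaped like the one quoted above, and parseProfiles, cacheFileFor and groupByCacheFile are hypothetical helper names.

```javascript
const crypto = require('crypto');

// Constructed sample, shaped like the defanged ~/.aws/config quoted in the thread.
const SAMPLE_CONFIG = `
[profile sso-clientOne-dev-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111
[profile sso-clientOne-live-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start#
sso_region = eu-west-2
sso_account_id = 22222222222
[profile sso-clientTwo-serverless]
sso_start_url = https://a-sso-host-name.awsapps.com/start#
sso_region = eu-west-2
sso_account_id = 33333333333
`;

// Minimal INI reader for ~/.aws/config: "[profile name]" or "[default]" headers.
function parseProfiles(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (header) { current = profiles[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Assumed convention (legacy profiles without sso_session): sha1(sso_start_url) + ".json".
function cacheFileFor(profile) {
  return crypto.createHash('sha1').update(profile.sso_start_url).digest('hex') + '.json';
}

// Group SSO profile names by the cache file their token would be read from.
function groupByCacheFile(text) {
  const groups = {};
  for (const [name, p] of Object.entries(parseProfiles(text))) {
    if (!p.sso_start_url) continue; // not an SSO profile
    const file = cacheFileFor(p);
    (groups[file] = groups[file] || []).push(name);
  }
  return groups;
}
```

Under that assumption, profiles in the same group share one cached token regardless of sso_account_id, and a start URL that differs only by a trailing "#" lands in a separate cache file and so needs its own SSO login.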