thomasmichaelwallace / serverless-better-credentials

Better AWS credentials resolution plugin for serverless
MIT License

plugin not working on aws with instance profile sourced temporary credentials #31

Closed eblfo closed 10 months ago

eblfo commented 1 year ago

Describe the bug

Running sls package on an instance with instance-profile-sourced temporary AWS credentials, the following error shows up: ENOENT: no such file or directory, open '/home/node/.aws/credentials'

After adding the file (touch), a new error appears: ProcessCredentialsProviderFailure: Profile default not found (unsetting the variable with AWS_PROFLE= does not work)

Expected behavior

If no profile is set, use instance profile credentials.

Screenshots

normal call:

$ SERVICE_NAME="staging-portal" npx serverless package --stage=dev

Packaging staging-portal for stage dev (us-east-1)
Environment: linux, node 16.20.0, framework 3.31.0 (local), plugin 6.2.3, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
Error: ENOENT: no such file or directory, open '/home/node/.aws/credentials'
    at Object.openSync (node:fs:590:3)
    at Object.readFileSync (node:fs:458:35)
    at Object.readFileSync (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/util.js:95:26)
    at IniLoader.parseFile (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:6:47)
    at IniLoader.loadFrom (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Object.getProfilesFromSharedConfig (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/util.js:962:39)
    at ProcessCredentials.load (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials/process_credentials.js:75:31)
    at ProcessCredentials.coalesceRefresh (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials.js:122:12)
    at resolveNext (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
    at /opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
    at /opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials.js:124:23
    at /opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials.js:212:15
    at processTicksAndRejections (node:internal/process/task_queues:78:11)

2 deprecations found: run 'serverless doctor' for more details

with empty credentials file

$ SERVICE_NAME="staging-portal" npx serverless package --stage=dev

Packaging staging-portal for stage dev (us-east-1)
Environment: linux, node 16.20.0, framework 3.31.0 (local), plugin 6.2.3, SDK 4.3.2
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
Error: ENOENT: no such file or directory, open '/home/node/.aws/credentials'
    at Object.openSync (node:fs:590:3)
    at Object.readFileSync (node:fs:458:35)
    at Object.readFileSync (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/util.js:95:26)
    at IniLoader.parseFile (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:6:47)
    at IniLoader.loadFrom (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Object.getProfilesFromSharedConfig (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/util.js:962:39)
    at ProcessCredentials.load (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials/process_credentials.js:75:31)
    at ProcessCredentials.coalesceRefresh (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials.js:122:12)
    at resolveNext (/opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
    at /opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
    at /opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials.js:124:23
    at /opt/buildagent/work/73c5c0396a294f8/services/lambda-api/node_modules/aws-sdk/lib/credentials.js:212:15
    at processTicksAndRejections (node:internal/process/task_queues:78:11)

2 deprecations found: run 'serverless doctor' for more details

sls yml - plugins used

frameworkVersion: '3.31.0'

plugins:
  - serverless-better-credentials # needs to be the first plugin, bypass sls aws credential resolving and add sso - does not work with instance profile credentials
  - serverless-domain-manager # careful to update, latest version uses aws sdk v3
  - serverless-offline
  - serverless-prune-plugin
  - serverless-plugin-ifelse

custom:
  region: ${env:AWS_DEFAULT_REGION, 'us-east-1'}

provider:
  name: aws
  region: ${self:custom.region}
  deploymentMethod: direct

Desktop (please complete the following information): see debug output above
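A preflight check a CI step could run before `npx serverless package`, covering the two errors in the report above (missing shared credentials file, and a file with no section for the selected profile) plus file permissions. This is an added example, not part of the original post or the plugin's code; the function names and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the plugin): CI preflight for the shared credentials
# file. Return codes are constructed for this example:
#   0 = file exists, has the profile section, and is private to the owner
#   1 = file missing                      -> the ENOENT error in the report
#   2 = file present, no [profile] header -> "Profile default not found"
#   3 = file readable/writable by group or others
check_shared_credentials() {
  file=${1:-${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}}
  profile=${2:-${AWS_PROFILE:-default}}

  [ -f "$file" ] || return 1

  # Look for the section header only; file contents are never printed.
  sed 's/[[:space:]]*$//' "$file" | grep -q -x -F "[$profile]" || return 2

  # Characters 5-10 of `ls -l` are the group and other permission bits.
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] || return 3
  return 0
}

# Human-readable wrapper for a CI step; passes the return code through.
aws_preflight() {
  rc=0
  check_shared_credentials "$@" || rc=$?
  case $rc in
    0) echo "shared credentials file: ok" ;;
    1) echo "shared credentials file is missing" >&2 ;;
    2) echo "profile section not found in shared credentials file" >&2 ;;
    3) echo "shared credentials file is accessible to group/others" >&2 ;;
  esac
  return "$rc"
}
```

With no arguments, `aws_preflight` falls back to `AWS_SHARED_CREDENTIALS_FILE` and `AWS_PROFILE`, then to `~/.aws/credentials` and `default`.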

guiyom-e commented 12 months ago

@eblfo what version of serverless-better-credentials are you using? Have you tried v1.2.1 (with the latest aws-sdk v2 package installed, as it is a peer-dependency)?

Could you share what your config file looks like (~/.aws/config)?

eblfo commented 11 months ago

I tried 1.2.1 and it's the same error.

There is no AWS config file, as the instance profile of the AWS EC2 instance makes sure credentials are available (aws-sdk takes care).

Currently I remove the use of the plugin when run on an EC2 instance (CI process).

thomasmichaelwallace commented 10 months ago

It's a bit late, but I've added a bit to the readme about how to deal with this CI/CD scenario by creating a temporary ~/.aws/credentials file, see:

https://github.com/thomasmichaelwallace/serverless-better-credentials?tab=readme-ov-file#troubleshooting

I'll close this issue for now, but feel free to re-open if you have any trouble.

eblfo commented 10 months ago

Well, my solution is to remove the plugin from the sls.yml during CI/CD.

eblfo commented 10 months ago

tx for your effort

thomasmichaelwallace commented 10 months ago

Hah, also a good solution 😄