AWS CLI exits successfully when unable to read from credentials file using `aws configuration get`

[jonpaul]

This is very easy to reproduce, and happened to me as a result of copying a credential file from another mount and not owning the file with my current user.

If for some reason, the user executing the aws command doesn't have file access to ~/.aws/credentials the CLI will exit 0 and echo nothing. If it so happens that you do not define a [profile <name>] for a [<name>] entry in ~/.aws/credentials AWS CLI cannot even see the values and gives you an error that the profile doesn't exist (it does).

Here is the fullest example I can produce:

➜  cosmos-hash-circuit git:(master) ✗ aws configure
AWS Access Key ID [None]: default_key
AWS Secret Access Key [None]: default_secret
Default region name [None]: us-east-1
Default output format [None]: json
➜  cosmos-hash-circuit git:(master) ✗ cat ~/.aws/config
[default]
output = json
region = us-east-1
➜  cosmos-hash-circuit git:(master) ✗ gvim ~/.aws/credentials
➜  cosmos-hash-circuit git:(master) ✗ sudo chown root:root ~/.aws/credentials
➜  cosmos-hash-circuit git:(master) ✗ sudo cat ~/.aws/credentials
[default]
aws_secret_access_key = default_secret
aws_access_key_id = default_key

[foo]
aws_secret_access_key = default_foo_secret
aws_access_key_id = default_foo_key
➜  cosmos-hash-circuit git:(master) ✗ aws configure get aws_access_key_id
➜  cosmos-hash-circuit git:(master) ✗ aws configure get aws_access_key_id --profile foo

The config profile (foo) could not be found
➜  cosmos-hash-circuit git:(master) ✗ aws configure get profile.foo.aws_access_key_id
➜  cosmos-hash-circuit git:(master) ✗ sudo aws configure get aws_access_key_id         
default_key
➜  cosmos-hash-circuit git:(master) ✗ sudo aws configure get aws_access_key_id --profile foo
default_foo_key
➜  cosmos-hash-circuit git:(master) ✗ 
➜  cosmos-hash-circuit git:(master) ✗ sudo aws configure get profile.foo.aws_access_key_id
default_foo_key

It was pretty frustrating when I realized what the problem was the whole time. It would have been nice if the CLI simply told me that it could not read from the file.

[kyleknap]

So when I ran this code, I got similar results, but I at least got a return code of 1 to indicate it failed:

$ aws configure get aws_access_key_id
$ echo $?
1

I think there needs to be an error message as well to notify the user that the file could not be read from because it is not obvious why the return code is one.

Looking at the code, the offending line is here. The problem is that python's config loader returns an empty configuration file if it cannot read from the file. Ideally, it should be raising an error. So we will have to add a check to see if it can be read from before passing it to the config loader and raise the appropriate error.

Marking as enhancement/confusing error.