Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Environment credential_source in shared config does not assume role #2385

Closed
alsmola opened this issue Jan 4, 2019 · 2 comments
Closed

Environment credential_source in shared config does not assume role #2385

alsmola opened this issue Jan 4, 2019 · 2 comments
Labels
bug This issue is a bug.

Comments

@alsmola
Copy link

alsmola commented Jan 4, 2019

Using aws-sdk-go version 1.16.13

Using go 1.10.2

Issue

When specifying a profile in a shared AWS configuration file with the credential_source value set to Environment, the credentials used are the environment variables as static credentials, rather than the assumed role credentials using the env vars. I've tested that the AWS CLI assumes the role correctly.

Steps to reproduce

Create an AWS configuration file at /home/user/.aws/config.test with the following content:

[profile-test]
credential_source = Environment
role_arn = arn:aws:iam::1234567890:role/role-test

Use the aws-sdk-go with the following code:

sess := session.Must(session.NewSessionWithOptions(session.Options{
    Profile:           "profile-test",
    SharedConfigState: session.SharedConfigEnable,
    SharedConfigFiles: []string{"/home/user/.aws/config.test"},
}))
stsSvc := sts.New(sess)
var params *sts.GetCallerIdentityInput
resp, _ := stsSvc.GetCallerIdentity(params)
log.Printf("ARN: %s\n", *resp.Arn)

The resulting IAM ARN is the user associated with the environment variables, not the role-test IAM role.

A small change to https://github.com/aws/aws-sdk-go/blob/master/aws/session/session.go#L497-L499 fixes the behavior and makes it consistent with the Ec2Metadata credential_source behavior.

cfgCp := *cfg
cfgCp.Credentials = credentials.NewStaticCredentialsFromCreds(envCfg.Creds)
cfg.Credentials = assumeRoleCredentials(cfgCp, handlers, sharedCfg, sessOpts)
@diehlaws diehlaws self-assigned this Jan 7, 2019
@diehlaws diehlaws added the bug This issue is a bug. label Jan 7, 2019
@diehlaws
Copy link
Contributor

diehlaws commented Jan 7, 2019

Hi @alsmola, thanks for reaching out to us about this. I'm able to reproduce the behavior you're describing on my end, and can confirm that modifying the credSourceEnvironment case in session.go as described fixes this behavior. I will bring this up to be added in our next sprint so we can correct this behavior, and will update the issue once this is fixed.

@alewando alewando mentioned this issue Jan 20, 2019
Open
@lorengordon
Copy link

Any updates on this one? Thought I'd be able to use this feature in go-based utilities (terraform), and was surprised to find myself getting Unauthorized responses.

@jasdel jasdel closed this as completed in 8be2a09 Jun 12, 2019
@rittneje rittneje mentioned this issue Jun 18, 2019
Closed
bflad added a commit to hashicorp/terraform that referenced this issue Jun 20, 2019
@bflad
deps: github.com/aws/aws-sdk-go@v1.20.4
d780cd0 
Relevant changes:

* backend/s3: Support for chaining assume IAM role from AWS shared configuration files
* backend/s3: Fix AWS shared configuration file credential source not assuming a role with environment and ECS credentials

References:

* https://github.com/aws/aws-sdk-go/releases/tag/v1.20.0
* aws/aws-sdk-go#2579
* aws/aws-sdk-go#2385

Updated via:

```console
$ go get github.com/aws/aws-sdk-go@v1.20.4
$ go mod tidy
$ go mod vendor
```
@bflad bflad mentioned this issue Jun 20, 2019
Merged
diehlaws pushed a commit to diehlaws/aws-sdk-go that referenced this issue Jul 2, 2019
@janario @diehlaws
aws/session: Add support for chaining assume IAM role from shared con…
84cbcb6 
…fig (aws#2579)

Adds support chaining assume role credentials from the shared config/credentials files. This change allows you to create an assume role chain of multiple levels of assumed IAM roles. The config profile the deepest in the chain must use static credentials, or `credential_source`. If the deepest profile doesn't have either of these the session will fail to load.

Fixes the SDK's shared config credential source not assuming a role with environment and ECS credentials. EC2 credentials were already supported.

Fix aws#2528
Fix aws#2385

Also adds the ability to specify the Handlers the SDK should use at the SessionWithOptions. This allows the a set of handlers to be provided at the very beginning of the session credential chain.
@b-willard b-willard mentioned this issue Sep 13, 2019
Open
@diehlaws diehlaws removed their assignment Aug 26, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alsmola @lorengordon @diehlaws