Credential importing/use is real broke

[wmelton]

Describe the bug
If you init the S3Client by passing credentials as constructor config props, Client init fails with error message:

Error: Error response received from instance metadata service
    at new ProviderError (/var/www/prod/app/node_modules/@aws-sdk/property-provider/build/ProviderError.js:17:28)
    at ClientRequest.<anonymous> (/var/www/prod/app/node_modules/@aws-sdk/credential-provider-imds/build/remoteProvider/httpGet.js:18:24)

If you follow the AWS provided documentation to put creds in a file located in the project at ~/.aws/credential, the same error is produced.

However, if you install the AWS CLI in the linux machine, and then run aws configure and save your credentials there, the error message goes away and library executes as expected.

SDK version number
0.1.0-preview.2 -- https://www.npmjs.com/package/@aws-sdk/client-s3-node

Is the issue in the browser/Node.js/ReactNative?
Node.js

Details of the browser/Node.js/ReactNative version
Node v12.18.3

To Reproduce (observed behavior)
1 - Setup clean ubuntu server running Node 12
2 - Install npm
3 - run npm install @aws-sdk/client-s3-node
4 - run an example script - this is how we are including and init-ing the aws sdk https://gist.github.com/wmelton/1be3ab49bb818daff32b563e2f035109

Expected behavior
I would expect the library to recognize that credentials are being passed to it, and to successfully execute. Different applications may run on the same EC2 instance, and therefore, for environment and app management, we would like to load credentials from process.env and not store them globally on the global environment.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

[trivikr]

@wmelton Can you reproduce this issue with @aws-sdk/client-s3@gamma?
As 0.1.0-preview.2 is an old version.

[sandfox]

I've been able to reproduce this problem with "@aws-sdk/client-sts": "^1.0.0-gamma.5"

const { STSClient, AssumeRoleCommand } = require('@aws-sdk/client-sts')

const ASSUMED_ROLE_ARN = 'arn:aws:iam::111111111:role/myTestRole'
const ASSUMED_ROLE_DURATION = 43200
const ASSUMED_ROLE_SESSION_NAME = 'test'

const t = async() => {
	const sts = new STSClient({
		accessKeyId: key,
		secretAccessKey: secret,
		region: 'eu-west-1'
	})

    const command = new AssumeRoleCommand({
      RoleArn: ASSUMED_ROLE_ARN,
      RoleSessionName: ASSUMED_ROLE_SESSION_NAME,
      DurationSeconds: ASSUMED_ROLE_DURATION
    })

    const res = await sts.send(command)

    console.log(res)
}
t().then().catch(console.log)

Error: Unable to connect to instance metadata service
    at new ProviderError (/Users/sandfox/code/demo/node_modules/@aws-sdk/property-provider/dist/cjs/ProviderError.js:18:28)
    at ClientRequest.<anonymous> (/Users/sandfox/code/demo/node_modules/@aws-sdk/credential-provider-imds/dist/cjs/remoteProvider/httpRequest.js:15:34)
    at ClientRequest.emit (events.js:315:20)
    at Socket.socketErrorListener (_http_client.js:426:9)
    at Socket.emit (events.js:315:20)
    at emitErrorNT (internal/streams/destroy.js:92:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
    at processTicksAndRejections (internal/process/task_queues.js:84:21) {
  tryNextLink: true,
  errno: 'EHOSTDOWN',
  code: 'EHOSTDOWN',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  '$metadata': { attempts: 1, totalRetryDelay: 0 }

If the credentials are supplied in a credentials object, then everything works as expected:
abbreviated from example above

const credentials = {
	accessKeyId: key,
	secretAccessKey: secret,
}

const sts = new STSClient({
	credentials,
	region: 'eu-west-1'
})

[wmelton]

Pinging this thread - any update here? Continuing to see this issue appear across our deployments.

[trivikr]

The accessKeyId and secretAccessKey need to be part of credentials parameter during client creation. It's verified in the code mentioned by @sandfox

const credentials = {
	accessKeyId: key,
	secretAccessKey: secret,
}

const sts = new STSClient({
	credentials,
	region: 'eu-west-1'
})

What's the issue here?

[wmelton]

@trivikr The issue, from my vantage point, is that all of the documentation that turns up when you Google for support docs to use your products tell us these solutions should work:

• Including a .aws/credentials folder and file in the repo will be automatically pulled in
• configuring env variables through aws cli configure will be automatically pulled in

In our tests, neither of those actually work. You must physically put the credentials in the code base (which is against AWS recommendation because of security risks) and then pass them in to the library at init time.

So if the correct way to instantiate the library is to store your credentials in plain site in the repo and then include them, why is all of the online documentation silent on that guidance but instead tells us to use more secure methods like hidden folders and/or global env variables set in the instance via CLI?

[trivikr]

@wmelton All the sections in Setting Credentials in Node.js section of Developer Guide are tested and they don't require passing credentials during client creation.

The credentials needs to be passed in the web browser to authenticate users, and we have Developer Guide on how to do it using Amazon Cognito.

Can you share which docs you referred to?

[wmelton]

@trivikr Sure - following the link from the page you shared, we have not found the guidance here to work https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/loading-node-credentials-shared.html

Perhaps we've missed something in our implementation. In our initial reading of the copy, we assumed it was a hidden folder in the root of the project like I mentioned above. Is the documentation truly pointing to user's root home folder?

[trivikr]

Perhaps we've missed something in our implementation. In our initial reading of the copy, we assumed it was a hidden folder in the root of the project like I mentioned above.

From the relevant documentation from Loading credentials in Node.js from the shared credentials file:

Where you keep the shared credentials file depends on your operating system:

• The shared credentials file on Linux, Unix, and macOS: ~/.aws/credentials
• The shared credentials file on Windows: C:\Users\USER_NAME\.aws\credentials

It's clear from this documentation that the shared credentials file is not in the project root.
Does this resolve your query?

[wmelton]

@trivikr we haven't been able to test this yet, but I'm assuming this is the issue. Implementation oversight on our part. Thanks!

[github-actions]

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.