Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Credentials object returned from sts.assumeRole cannot be used as credentials for clients #3940

Open
3 tasks done
jonpbbc opened this issue Sep 13, 2022 · 5 comments
Open
3 tasks done

Credentials object returned from sts.assumeRole cannot be used as credentials for clients #3940

jonpbbc opened this issue Sep 13, 2022 · 5 comments
Assignees
@RanVaknin
Labels
feature-request New feature or enhancement. May require GitHub community feedback. p2 This is a standard priority issue queued This issues is on the AWS team's backlog workaround-available This issue has a work around available.

Comments

@jonpbbc
Copy link

jonpbbc commented Sep 13, 2022
edited by RanVaknin

Checkboxes for prior research

Describe the bug

If you use sts.assumeRole to get session credentials for an assumed role and then pass those credentials to a client the case mis-match means you recieve the TypeError: Cannot read property 'byteLength' of undef described in #2282

This doesn't feel like a documentation error as in #3268, as I am trying to use SDK objects to populate SDK objects.

SDK version number

"@aws-sdk/client-iam": "^3.154.0", "@aws-sdk/client-sts": "^3.168.0"

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node 14 via aws/codebuild/standard:5.0

Reproduction Steps

      const sts = new STS()
      const assumeRoleResponse = await sts.assumeRole({ "RoleArn": `arn:aws:iam::${accountId}:role/${roleName}`, "RoleSessionName": sessionName" })
      const iam = new IAM({ credentials: assumeRoleResponse.Credentials})
      const response = await iam.listPolicies({ "Scope": "AWS, "MaxItems": 1 })

Observed Behavior

TypeError: Cannot read property 'byteLength' of undefined as per #2282

Expected Behavior

I would expect to be able to use the returned Credentials object as the credentials for constructing a subsequent client object.

Possible Solution

No response

Additional Information/Context

Work-around to avoid error:

      const sts = new STS()
      const assumeRoleResponse = await sts.assumeRole({ "RoleArn": `arn:aws:iam::${accountId}:role/${roleName}`, "RoleSessionName": sessionName" })
      const iam = new IAM({ credentials: {
        accessKeyId: assumeRoleResponse.Credentials.AccessKeyId,
        secretAccessKey: assumeRoleResponse.Credentials.SecretAccessKey,
        sessionToken: assumeRoleResponse.Credentials.SessionToken
       }})
      const response = await iam.listPolicies({ "Scope": "AWS, "MaxItems": 1 })
@jonpbbc jonpbbc added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 13, 2022
@RanVaknin RanVaknin self-assigned this Sep 14, 2022
@RanVaknin
Copy link
Contributor

RanVaknin commented Sep 14, 2022
edited

Hi @jonpbbc ,

Thanks for opening the issue and engaging in the community.

I think the reason your first code snippet isn't working as expected is because Client credentials and the Credential object returned from STS are of different type.

Type 'Credentials | undefined' is not assignable to type 'Credentials | Provider | undefined'.
Type 'Credentials' is not assignable to type 'Credentials | Provider | undefined'.ts(2322)

I'd say the "work around" is the correct way to make that request. Did you reference an official example or docs for the first code snippet you have provided?

All the best,
Ran~

@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 14, 2022
@jonpbbc
Copy link
Author

jonpbbc commented Sep 15, 2022

Hi @RanVaknin ,

I was working from the documentation, specifically the IAM client config as part of calling the IAM constructor. That references this Credentials interface and when I saw the assume role output contains a object of type Credentials I have absolutely believed that Credentials and Credentials are the same type.

If Credentials is not supposed to be the same type as Credentials then I would say that the duplicate naming is the root of this issue - but given the purpose of both Credentials types is to return or supply the same logical data, with the same names, I completely it expect it to be compatible within the same overall API. If they are not supposed to be compatible, I propose the renaming of the types so Credentials is not confused with Credentials - but as a user of the API I would much rather they be made compatible.

My route to the work around was searching for the TypeError in relation to the SDK and finding #2282 - not really an intuitive path.

Hope that helps,

Jon

@RanVaknin
Copy link
Contributor

RanVaknin commented Sep 15, 2022
edited

Hi Jon,

Thanks for your response! I totally see what you are saying and it makes a lot of sense. I'll speak with the development team regarding this issue and will raise a backlog item.

In the spirit of transparency I'll share that the team is slammed, and since this has a workaround it will get lower priority, but will get addressed later on.

Thanks again for being an active member in the community, we hope to hear back from you!
All the best,
Ran~

@RanVaknin RanVaknin added needs-review This issue/pr needs review from an internal developer. p2 This is a standard priority issue and removed response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. labels Sep 15, 2022
@RanVaknin RanVaknin added p2 This is a standard priority issue and removed p2 This is a standard priority issue labels Mar 31, 2023
@yenfryherrerafeliz yenfryherrerafeliz added workaround-available This issue has a work around available. p3 This is a minor priority issue p2 This is a standard priority issue feature-request New feature or enhancement. May require GitHub community feedback. and removed p2 This is a standard priority issue p3 This is a minor priority issue bug This issue is a bug. labels Apr 11, 2023
@yenfryherrerafeliz yenfryherrerafeliz added queued This issues is on the AWS team's backlog and removed needs-review This issue/pr needs review from an internal developer. labels May 3, 2023
@github-actions GitHub Actions
Copy link

github-actions bot commented May 3, 2024

Greetings! We’re closing this issue because it has been open a long time and hasn’t been updated in a while and may not be getting the attention it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to comment or open a new issue.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label May 3, 2024
@jonpbbc
Copy link
Author

jonpbbc commented May 3, 2024
edited

The behaviour has changed slightly, but use of a returned credentials object as an input credentials object to the next call still fails:

  • Node v20.12.2
  • "@aws-sdk/client-iam": "^3.568.0",
  • "@aws-sdk/client-sts": "^3.568.0"

Script:

const { IAM } = require("@aws-sdk/client-iam");
const { STS } = require("@aws-sdk/client-sts");
     

async function demoWorkAround(accountId, roleName, sessionName) { 
      const sts = new STS();
      const assumeRoleResponse = await sts.assumeRole({ "RoleArn": `arn:aws:iam::${accountId}:role/${roleName}`, "RoleSessionName": sessionName });
      const iam = new IAM({ credentials: {
        accessKeyId: assumeRoleResponse.Credentials.AccessKeyId,
        secretAccessKey: assumeRoleResponse.Credentials.SecretAccessKey,
        sessionToken: assumeRoleResponse.Credentials.SessionToken
       }})
      console.log("Error NOT caused here:");
      const response = await iam.listPolicies({ "Scope": "AWS", "MaxItems": 1 });
      console.log("Success");
}

async function demoIssue(accountId, roleName, sessionName) { 
      const sts = new STS();
      const assumeRoleResponse = await sts.assumeRole({ "RoleArn": `arn:aws:iam::${accountId}:role/${roleName}`, "RoleSessionName": sessionName });
      const iam = new IAM({ credentials: assumeRoleResponse.Credentials});
      console.log("Error caused here:");
      const response = await iam.listPolicies({ "Scope": "AWS", "MaxItems": 1 });
      console.log("This line is never reached");
}


const acc = '123456789012';
const role = 'my-role';
const sess = 'my-session';

demoWorkAround(acc, role, sess).then(() => {
	demoIssue(acc, role, sess).then(() => console.log("done"));
});

Script output:

Error NOT caused here:
Success
Error caused here:
/path/to/node_modules/@smithy/signature-v4/dist-cjs/index.js:562
      throw new Error("Resolved credential object is not valid");
            ^

Error: Resolved credential object is not valid
    at _SignatureV4.validateResolvedCredentials (/path/to/node_modules/@smithy/signature-v4/dist-cjs/index.js:562:13)
    at _SignatureV4.signRequest (/path/to/node_modules/@smithy/signature-v4/dist-cjs/index.js:487:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  '$metadata': { attempts: 1, totalRetryDelay: 0 }
}

@github-actions github-actions bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label May 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RanVaknin RanVaknin

Labels
feature-request New feature or enhancement. May require GitHub community feedback. p2 This is a standard priority issue queued This issues is on the AWS team's backlog workaround-available This issue has a work around available.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jonpbbc @yenfryherrerafeliz @RanVaknin