
SSMClient unable to fetch secrets while running in Next.js middleware #6146

Open
3 tasks done
fs24-chrter opened this issue May 30, 2024 · 3 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments

@fs24-chrter

Describe the bug

I experienced an issue where AWS credentials could not be resolved by code running in a Next.js middleware.
The same code is running fine if it is executed in a normal Next.js page.

SDK version number

@aws-sdk/client-ssm@3.583.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Nextjs 14.2.3

Reproduction Steps

See reproducible isolated issue here: https://github.com/fs24-chrter/AWS-ssmclient-nextjs-issue

Observed Behavior

Middleware code is not able to fetch AWS credentials and its config resolves to a Browser config. Error message shown: Credential is missing.

Normal page code is able to fetch AWS credentials and its config resolves to Node config.

Expected Behavior

I would expect the code running in the middleware to also be able to fetch AWS credentials, since it is executed on the server side and should have the same privileges as a normal Next.js page.

Possible Solution

It looks like the constructor of SSMClient resolves to a runtimeConfig that is of type Browser in the middleware and therefore is not able to fetch policies from ECS task role.
The same code resolves to runtimeConfig of type Node if running in normal Next.js page. Here the code is able to fetch the policies from ECS task role.

I do not understand yet why code in the middleware thinks it's running in a browser.

Additional Information/Context

No response

@fs24-chrter fs24-chrter added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 30, 2024
@aBurmeseDev
Member

Hi @fs24-chrter - thanks for reaching out and sorry to hear you're running into an error.

Before I attempt to reproduce it, can you share repro steps specific to SDK as far as how you configured the credentials and share the error logs as well? I want you to rule out everything else and simply make SDK SSMClient call with GetParametersByPathCommand and we can further investigate.

@aBurmeseDev aBurmeseDev added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jun 3, 2024
@aBurmeseDev aBurmeseDev self-assigned this Jun 3, 2024
@fs24-chrter
Author

> Hi @fs24-chrter - thanks for reaching out and sorry to hear you're running into an error.
>
> Before I attempt to reproduce it, can you share repro steps specific to SDK as far as how you configured the credentials and share the error logs as well? I want you to rule out everything else and simply make SDK SSMClient call with GetParametersByPathCommand and we can further investigate.

Hi @aBurmeseDev,

sure, the simplest way to reproduce is to follow the link to the GitHub repo that I've provided in the description. You will find a Docker image there. If you build it and push it to ECR, you can run it as is in ECS. I've documented everything in the repository, but I'm happy to replicate it directly here as well.

Reproduction

Reproducible code that shows the issue:

```typescript
import { SSMClient, GetParametersByPathCommand } from '@aws-sdk/client-ssm';

async function getParametersWithTryCatch(uuid: string, source: string) {
  let ssmClient: SSMClient;

  try {
    ssmClient = new SSMClient({ region: 'eu-central-1' });

    // This should NOT resolve to browser config since we're running on the server side
    console.log(`${uuid} [${source}] Resolved config in client: ${ssmClient.config.runtime}`);
  }
  catch (error) {
    console.log(`${uuid} [${source}] Could not create SSMClient. ${JSON.stringify(error)}`);
    return;
  }

  try {
    // Debug output only: this serialises the full credential object, including the
    // secret access key and session token, into the container logs.
    const credentials = await ssmClient.config.credentials();
    console.log(`${uuid} [${source}] Config credentials. Credentials: ${JSON.stringify(credentials)}`);
  }
  catch (error) {
    console.log(`${uuid} [${source}] Could not log config credentials. ${JSON.stringify(error)}`);
    return;
  }

  try {
    const cmd = new GetParametersByPathCommand({
      Path: '/INT/common',
      Recursive: true,
      WithDecryption: true,
    });

    const resp = await ssmClient.send(cmd);
    console.log(`${uuid} [${source}] Got response. Response: ${JSON.stringify(resp)}`);
  }
  catch (error) {
    console.log(`${uuid} [${source}] Could not get parameters by path. ${JSON.stringify(error)}`);
  }
}
```

The code above fails only if it runs in the middleware. Then the error message is Credential is missing.

If the code runs anywhere else, it runs just fine.

Credentials configuration

Credentials should be fetched via the task role. For this to work, you need to configure the task role, e.g. with this inline policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:eu-central-1:<redacted>:secret:<redacted>",
            "Effect": "Allow"
        },
        {
            "Action": "ssm:GetParametersByPath",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```

Let me know if you need something else.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 6, 2024
@kunalhexus

Seeing the same issue for dynamodb client.
