SDK clients not assuming the role configured in the credentials file #6189

Open
3 tasks done
ghassen-chetioui opened this issue Jun 12, 2024 · 3 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue


@ghassen-chetioui

Checkboxes for prior research

Describe the bug

Our ECS containers are deployed in an account A and we are setting the following credentials file to allow the SDK clients to access resources in another account B.

[crossaccount]
role_arn = ***** (arn of the role in account B)
credential_source = EcsContainer

Everything works fine until at some point, the sdk clients start assuming the role of the ECS container instead of the one configured in the credential files.

All the clients are singletons created on the application bootstrap and using the default configuration. This may seem like a problem happening on session expiration/renewal, but it is really hard to prove. We have encountered this issue a few times now with the Lambda client and the EventBridge client.

SDK version number

@aws-sdk/credential-provider-node@3.565.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.12.2

Reproduction Steps

The issue is not reproducible with code

Observed Behavior

SDK clients assuming the role of the ECS container.

Expected Behavior

SDK clients assuming the role configured in the credentials file.

Possible Solution

No response

Additional Information/Context

No response

@ghassen-chetioui ghassen-chetioui added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 12, 2024
@aBurmeseDev aBurmeseDev self-assigned this Jun 14, 2024
@aBurmeseDev
Member

Hi @ghassen-chetioui - thanks for reaching out.

Based off the error, it sounds like you might be missing permission to assume cross-account resource-based policy in Lambda. Here's a docs page on how to grant permission to cross account, and here's another docs page on working with resource-based policies in Lambda.

Hope it helps, but if the issue persists, please let me know.

@aBurmeseDev aBurmeseDev added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jun 17, 2024
@stevehouel

Hi,

Permissions have been settled correctly, as in 99% of cases it's working correctly, but after some time (not fixed) the Lambda function is losing those permissions and we started getting those permission denied errors. After some time, everything comes back and is working correctly. During this in-between, we are unable to consume underlying services due to those permission denied errors.

Maybe a bad lock during credentials renewal between ECS Containers and SDK AssumeRole?

@aBurmeseDev
Member

Appreciate you for getting back. It sounds like this occurs intermittently. We would need minimal repro code and error logs that would give us more insight on finding the root cause.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 19, 2024
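One way to capture the kind of log evidence requested above, as an added example that is not part of the thread or the SDK's own code: compare the caller ARN that STS reports against the `role_arn` configured for the profile, and log a warning when they differ. The function names, account IDs, role names and session names are hypothetical and the sample data is constructed.

```javascript
// Parse a shared credentials/config file (INI) into { profileName: { key: value } }.
function parseProfiles(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (header) { current = profiles[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Reduce an IAM role ARN or an STS assumed-role ARN to "account:roleName".
// The assumed-role form carries no role path, so the path is dropped here too.
function roleKey(arn) {
  const m = /^arn:[^:]+:(iam|sts)::(\d{12}):(role|assumed-role)\/(.+)$/.exec(arn || '');
  if (!m) return null;
  const parts = m[4].split('/');
  const name = m[3] === 'role' ? parts[parts.length - 1] : parts[0];
  return `${m[2]}:${name}`;
}

// Compare the caller ARN reported by STS with the role_arn configured for a profile.
function checkIdentity(profileText, profileName, callerArn) {
  const profile = parseProfiles(profileText)[profileName] || {};
  const expected = roleKey(profile.role_arn);
  const actual = roleKey(callerArn);
  return { ok: expected !== null && expected === actual, expected, actual, callerArn };
}

// Constructed sample data: account IDs, role names and session names are placeholders.
const SAMPLE_FILE = `[crossaccount]
role_arn = arn:aws:iam::222222222222:role/app/cross-account-role
credential_source = EcsContainer
`;
const SAMPLE_GOOD = 'arn:aws:sts::222222222222:assumed-role/cross-account-role/aws-sdk-js-session-1';
const SAMPLE_DRIFT = 'arn:aws:sts::111111111111:assumed-role/ecs-task-role/0123456789abcdef';

// One structured log line per check; "warn" marks a fallback to a different role.
for (const arn of [SAMPLE_GOOD, SAMPLE_DRIFT]) {
  const r = checkIdentity(SAMPLE_FILE, 'crossaccount', arn);
  console.log(JSON.stringify({ level: r.ok ? 'info' : 'warn', event: 'identity_check', ...r }));
}
```

In a running service, `callerArn` would be the `Arn` field of an STS GetCallerIdentity response obtained with the same credential configuration as the affected clients, checked periodically so the log shows when the identity changes.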