Unable to connect to ledger error #493

Open
normand1 opened this issue Oct 22, 2022 · 5 comments

@normand1

Describe the bug
I'm just trying to start the qldb shell with an existing ledger that I can see from the aws console does exist on my account.
I receive the following error messages when running $ qldb.

...
usage error: Unable to connect to ledger `my-example-ledger`.
...
The following error may have more information: failed to construct request: No credentials in the property bag

To Reproduce
Steps to reproduce the behavior:

  1. Log in to my AWS CLI using aws sso login
  2. run qldb to start the qldb shell
  3. See error

Expected behavior
I expect the qldb shell to start

Screenshots
N/A

Desktop (please complete the following information):

  • OS: MacOS

Additional context
I'm able to view the ledger when running aws qldb list-ledgers

@normand1
Author

I was able to resolve my issue, but it looks like there could be a bug with parsing credentials from the default location on MacOS.

I tried directly linking to my credentials file by running qldb --config ~/.aws/credentials
But I received this error:

usage error: unable to load config at /Users/davidnorman/.aws/credentials: IonCError { code: 23, message: "IERR_INVALID_TOKEN_CHAR", additional: "iERR Result", position: OffsetLineColumn(15, LineColumn(1, 14)) }

This was using a credentials file that I directly copied from the SSO Account Selection page, from the "Command line or programmatic access" modal pop-up that lists temporary credentials in a few formats.

Next I tried one of the other options on the modal to export my credentials as Environment variables:
"Option 1: Set AWS environment variables". Using this option I am able to get qldb shell access successfully, but should I be able to use my credentials file as well?

@battesonb
Member

Thanks for raising this issue. The general format of config under the ~/.aws/credentials file is as follows:

[default]
aws_access_key_id=<YOUR_AWS_ACCESS_KEY>
aws_secret_access_key=<YOUR_AWS_SECRET_ACCESS_KEY>
aws_session_token=<YOUR_AWS_SESSION_TOKEN>

A closed issue for the AWS CLI has some discussion regarding the SSO login not conforming to the standard: aws/aws-cli#4982.

The QLDB CLI's --config parameter is for some QLDB-specific Ion config and not the credentials. The issue linked above describes some workarounds. One option includes the use of the credential_process property in the ~/.aws/config file. In this case, you can use the qldb --profile <PROFILE_NAME> approach or set it as the default to avoid the --profile parameter. However, the latest QLDB shell build in Homebrew does not ship with support for the credential_process property (comes with aws-config v0.43.0). You can temporarily track against the main branch if you opt for that route.

I'll leave this issue open to track a patch version release with updated dependencies from our side.

@normand1
Author

Ah, I see that makes a lot of sense. Thank you for the detailed response. That will work for my purposes for now. Thanks!

@rbcaixeta

Considering the mentioned issue on aws-cli is closed, and on that thread they clearly don't acknowledge they have a problem, is this going to be fixed on qldb-shell?

@battesonb
Member

battesonb commented Nov 7, 2022

Hi @rbcaixeta

We have just released v2.0.2 of the shell which adds support for the credential_process property. There is a newer open issue on the AWS CLI repository which is seeing some recent activity for customizing how credentials are exported: aws/aws-cli#5261.

You should alternatively be able to set up an SSO profile following the example in these docs:

[profile sso-login]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly

and then run the shell with:

qldb --profile sso-login
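
The following is an added example, not part of the thread or of the QLDB shell's code: it classifies which of the credential sources discussed above (environment variables, a [default]-style credentials file, credential_process, or an SSO profile) a profile defines, reporting only key names and never secret values. The function names, the order of the checks and the sample file contents are assumptions made for this example.

```python
import configparser

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")
SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def _section(text, name):
    """Return the named INI section as a dict, {} if absent, None if not INI."""
    parser = configparser.RawConfigParser()  # Raw: '%' in secrets is not interpolated
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    return dict(parser[name]) if parser.has_section(name) else {}


def classify_profile(profile, credentials_text="", config_text="", env=None):
    """Return (source, missing_keys). Only key names are reported, never values."""
    env = env or {}
    if all(env.get(k.upper()) for k in STATIC_KEYS):
        return "environment", []
    creds = _section(credentials_text, profile)
    if creds is None:
        return "credentials-file-unparseable", []
    if creds:
        return "credentials-file", [k for k in STATIC_KEYS if not creds.get(k)]
    # ~/.aws/config names sections "[profile NAME]", except "[default]".
    cfg = _section(config_text, profile if profile == "default" else f"profile {profile}")
    if cfg is None:
        return "config-file-unparseable", []
    if cfg.get("credential_process"):
        return "credential_process", []
    if any(k in cfg for k in SSO_KEYS):
        return "sso", [k for k in SSO_KEYS if not cfg.get(k)]
    return "none", list(STATIC_KEYS)


# Constructed sample inputs (placeholders, not real credentials).
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id=EXAMPLEKEYID
aws_secret_access_key=example%secret
aws_session_token=exampletoken==
"""
SAMPLE_CONFIG = """[profile sso-login]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
"""

if __name__ == "__main__":
    for name in ("default", "sso-login", "missing"):
        print(name, classify_profile(name, SAMPLE_CREDENTIALS, SAMPLE_CONFIG))
```

To check a real setup, pass the contents of ~/.aws/credentials and ~/.aws/config together with dict(os.environ); a result of "credentials-file-unparseable" means the file is not in the sectioned key=value format shown earlier in the thread.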
