-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for paws.common credential mechanisms #122
Comments
Hi @davidski, The current implementation of When building the config list for
The function noctua:::cred_set(aws_access_key_id = NULL,
aws_secret_access_key = NULL,
aws_session_token = NULL,
profile_name = NULL,
region_name = NULL)
# returns
list()
noctua:::cred_set(aws_access_key_id = NULL,
aws_secret_access_key = NULL,
aws_session_token = NULL,
profile_name = "made-up",
region_name = NULL)
# returns
$credentials
$credentials$profile
[1] "made-up" Changing the # .aws/config
[profile made_up]
region = eu-west-1
output = json
# R: noctua
library(DBI)
con <- dbConnect(noctua::athena(), profile_name = "made_up")
dbGetInfo(con)
$profile_name
[1] "made_up"
$s3_staging
[1] ########
$dbms.name
[1] "default"
$work_group
[1] "primary"
$poll_interval
NULL
$encryption_option
NULL
$kms_key
NULL
$expiration
NULL
$keyboard_interrupt
[1] TRUE
$region_name
[1] "eu-west-1"
$paws
[1] "0.1.9"
$noctua
[1] "1.9.1" # .aws/config change:
[profile made_up]
region = eu-west-2
output = json
# R: noctua
library(DBI)
con <- dbConnect(noctua::athena(), profile_name = "made_up")
dbGetInfo(con)
$profile_name
[1] "made_up"
$s3_staging
[1] ######
$dbms.name
[1] "default"
$work_group
[1] "primary"
$poll_interval
NULL
$encryption_option
NULL
$kms_key
NULL
$expiration
NULL
$keyboard_interrupt
[1] TRUE
$region_name
[1] "eu-west-2"
$paws
[1] "0.1.9"
$noctua
[1] "1.9.1" Please check #90 for any extra information. Please let me know if I haven't been able to answer your question 😄 |
Thanks for the quick response! This is a complicated workflow to explain and I appreciate the patience. I do get different behavior with
[profile base]
region = us-east-2
credential_process = aws-vault exec --json base --prompt=osascript
[profile child-profile]
source_profile = base
include_profile = base
role_arn = arn:aws:iam::XXXX/XXXX The following works under athena <- paws::athena(config = list(credentials=list(profile="child-profile"), region = "us-east-2"))
athena$list_work_groups() The following fails under library(DBI)
con <- dbConnect(noctua::athena(),
profile_name = "child-profile",
region = "us-east-2",
s3_staging_dir = 's3://XXX') |
Hi @davidski, From my testing I get the following error: From > library(DBI)
>
> con <- dbConnect(noctua::athena(), profile_name ="child-profile", region = "eu-west-1")
Error in f() : No credentials provided
>
> athena <- paws::athena(config = list(credentials=list(profile="child-profile"), region = "eu-west-1"))
> athena$list_work_groups()
Error in f() : No credentials provided Ignore above i had the wrong profile linked |
Update: This is very confusing. When I updated my
> library(DBI)
>
> con <- dbConnect(noctua::athena(), profile_name ="child-profile", region = "eu-west-1")
>
> athena <- paws::athena(config = list(credentials=list(profile="child-profile"), region = "eu-west-1"))
> athena$list_work_groups()
$WorkGroups
$WorkGroups[[1]]
$WorkGroups[[1]]$Name
[1] "primary"
$WorkGroups[[1]]$State
[1] "ENABLED"
$WorkGroups[[1]]$Description
[1] ""
$WorkGroups[[1]]$CreationTime
[1] "2019-08-22 15:14:47 GMT"
$NextToken
character(0)
> dbGetQuery(con, "select * from iris")
Info: (Data scanned: 3.63 KB)
sepal_length sepal_width petal_length petal_width species
1: 5.1 3.5 1.4 0.2 setosa
2: 4.9 3.0 1.4 0.2 setosa
3: 4.7 3.2 1.3 0.2 setosa
4: 4.6 3.1 1.5 0.2 setosa
5: 5.0 3.6 1.4 0.2 setosa
---
146: 6.7 3.0 5.2 2.3 virginica
147: 6.3 2.5 5.0 1.9 virginica
148: 6.5 3.0 5.2 2.0 virginica
149: 6.2 3.4 5.4 2.3 virginica
150: 5.9 3.0 5.1 1.8 virginica I will try to see if it works when I point it to a staging profile |
When I created a staging profile (demo_profile)
> library(DBI)
>
> con <- dbConnect(noctua::athena(), profile_name ="child-profile", region = "eu-west-1")
> athena <- paws::athena(config = list(credentials=list(profile="child-profile"), region = "eu-west-1"))
> athena$list_work_groups()
$WorkGroups
$WorkGroups[[1]]
$WorkGroups[[1]]$Name
[1] "primary"
$WorkGroups[[1]]$State
[1] "ENABLED"
$WorkGroups[[1]]$Description
[1] ""
$WorkGroups[[1]]$CreationTime
[1] "2019-08-22 15:14:47 GMT"
$NextToken
character(0)
> dbGetQuery(con, "select * from iris")
Info: (Data scanned: 3.63 KB)
sepal_length sepal_width petal_length petal_width species
1: 5.1 3.5 1.4 0.2 setosa
2: 4.9 3.0 1.4 0.2 setosa
3: 4.7 3.2 1.3 0.2 setosa
4: 4.6 3.1 1.5 0.2 setosa
5: 5.0 3.6 1.4 0.2 setosa
---
146: 6.7 3.0 5.2 2.3 virginica
147: 6.3 2.5 5.0 1.9 virginica
148: 6.5 3.0 5.2 2.0 virginica
149: 6.2 3.4 5.4 2.3 virginica
150: 5.9 3.0 5.1 1.8 virginica |
Do you perhaps have an EDIT: corrected the profile name to match yours |
Thanks @davidski for bring aws-vault to my attention it looks pretty awesome. From my testing,
|
Awesome that it's working for you! Now I have to figure out what's different in my environment. |
Oh my giddy.... Somewhere in my testing I fat fingered a profile name in my live configuration. With that fixed, everything works seamlessly. While I'm delighted that works, I'm very sorry to take up so much of your time for user error. I'll blame the US Thanksgiving holiday. 😉 Thanks again for the package and all the support. Really looking forward to putting this through it's paces! |
@davidski no worries I am glad it's working for you. Plus I am happy you pointed me in the direction of |
Thanks for the very nifty package!
paws.common
recently added support forcredential_process
in .aws/config files, allowing role assumption, nested profiles, and external credentials all to work seamlessly together. It looks likenoctua
constructs the config object itself rather than relying on paws, though I'm not clear on the full object model of paws. Is it practical for noctua to hand off all authentication work to paws, allowing a user to take advantage of this greatly improved credential process?The text was updated successfully, but these errors were encountered: