Invalid Profile with EC2InstanceMetadata

[Chainbreaker1]

Hi,

im trying to get awsume to work on a ec2 machine. This machine has a assigned Role from which I would like to switch to other roles. In the aws cli everything work with the --profile argument, but awsume logs "AWSume error: Invalid profile"

My profile looks like:
[profile int]
role_arn = arn:aws:iam::1234567890:role/SomeOtherRole
credential_source = Ec2InstanceMetadata
output = json
region = eu-central-1

So there is no AccessKey in the profile, because the ec2 Instance profile should be the source of aws access management.

Am I missing something, or is this a bug/missing feature?

[kirnberger1980]

it would be nice to have this feature for me as well.

[goyertp]

Need this Feature really hard!

[mbarneyjr]

Howdy!

Thanks for bringing this issue to our attention

This issue should be resolved with 4.2.5, feel free to re-open if you have other issues

[Chainbreaker1]

Hi mbarneyjr,

ty for your quick reply. Sadly the changes did not do the trick:

configuration:

[default]
credential_source = Ec2InstanceMetadata
region = eu-central-1
output = json

[profile int]
role_arn = arn:aws:iam::1234567890:role/SomeOtherRole
credential_source = Ec2InstanceMetadata
output = json
region = eu-central-1

awsume -v
4.2.5
awsume -l
Listing...

======================AWS Profiles=====================
PROFILE  TYPE  SOURCE  MFA?  REGION        ACCOUNT
default  User  None    No    eu-central-1  Unavailable
int      Role  None    No    eu-central-1  123456789

awsume int
Awsume error: Invalid profile None Missing keys aws_access_key_id, aws_secret_access_key

[mbarneyjr]

Hmmm, something must be wrong with your installation.

If you build a docker image from this dockerfile and run awsume int, you should see the error "unable to locate credentials"

FROM python:latest

RUN pip install awsume

RUN mkdir ~/.aws
RUN echo "[profile int]" >> ~/.aws/config
RUN echo "role_arn = arn:aws:iam::1234567890:role/SomeOtherRole" >> ~/.aws/config
RUN echo "credential_source = Ec2InstanceMetadata" >> ~/.aws/config
RUN echo "output = json" >> ~/.aws/config
RUN echo "region = eu-central-1" >> ~/.aws/config

[Chainbreaker1]

I got it to work with the int profile. The problem was the default profile which has no role. You can reproduce it when you remove the role_arn line in the int profile. The intention here was to not do a role switch but use the currently assigned role.
This works with the aws cli, so it might be a bug in awsume.

[mbarneyjr]

Awsume is going to delegate to the awscli or sdks when Environment, EcsContainer, or Ec2InstanceMetadata is in a role profile, since all of the implementation to read from those things is available in the cli or sdks.

If you aren't trying to awsume a role with the Ec2InstanceMetadata, then any awscli calls you make with or without --profile int will use the same credentials (assuming you haven't set your aws environment variables to something else, see the configuration precedence section in this doc). With that being the case, awsume int wouldn't change anything (except for maybe the AWS_PROFILE_NAME variable, but using the cli/sdk would function the same without that, regardless I'll mark this down as a bug to fix since it's a valid profile to the awscli)

[mbarneyjr]

I've pushed a pre-release that should resolve this issue. Try installing awsume==4.2.7a1 and let me know if you're still experiencing issues

[mbarneyjr]

Deploying to awsume==4.2.7, feel free to open if you still have issues!