Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support credential_source for use with IAM roles #1916

Closed
hlarsen opened this issue Feb 6, 2018 · 19 comments
Closed

Support credential_source for use with IAM roles #1916

hlarsen opened this issue Feb 6, 2018 · 19 comments
Labels
feature-request A feature should be added or improved.

Comments

@hlarsen
Copy link

hlarsen commented Feb 6, 2018

It appears the js sdk doesn't support using credential_source to specify credentials from an EC2 instance role - this works with awscli and the ruby sdk. I'd love support for this, or a pointer to where I missed it if that's the case.

https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
@chrisradek chrisradek added the feature-request A feature should be added or improved. label Feb 6, 2018
@chrisradek
Copy link
Contributor

@hlarsen
credential_source is not currently supported in the JS SDK. I'll mark this as a feature request; thanks for the feedback!

This was referenced Oct 18, 2018
Closed
Closed
@glb
Copy link

glb commented Oct 18, 2018

@chrisradek any updates? This would be super-helpful resolving the referenced serverless deploy issues!

@bweigel bweigel mentioned this issue Jan 12, 2019
Closed
@bweigel
Copy link

bweigel commented Jan 13, 2019

Is there any effort going on towards this feature? I'd like to give it a try and would be more than happy for any hints and things to watch out for. I assume the shared_ini_file_credentials.js would be the place to start and implement this?

@eladb eladb mentioned this issue Jan 16, 2019
Closed
@mi5guided
Copy link

if it helps, I, too am looking for this feature. Migrated my code from laptop to ec2, just to find this missing. Would REALLY be sad if I had to rewrite everything in Python.

@AllanZhengYP
Copy link
Contributor

Hey @mi5guided Have you tried to use the ChainableTemporaryCredentials? I think you can use EC2MetadataCredentials as the master credentials here and specify the roleArn you'd like to assume.

@mi5guided
Copy link

THANK YOU @AllanFly120 ! Awesome work-around, that I can use quickly. I guess I can stop trying to port the functionality from boto3 to aws-sdk-js (especially since 3.0 is in preview).

Thanks, again!

@hojatbay
Copy link

Has this issue been fixed or any efforts toward fixing it?

@bweigel
Copy link

bweigel commented Jan 28, 2019

@hojatbay every once in a while I have some time and look at it a little. Have something running locally, but nothing in the extend of a PR so far.

@ragne ragne mentioned this issue Feb 13, 2019
Closed
@atz
Copy link

atz commented Apr 30, 2019

I've personally lost days due to lack of this feature.

@jkaldon-rebellabs
Copy link

This missing feature is really painful. Is there any progress update?

@Nessworthy Nessworthy mentioned this issue Jul 18, 2019
Open
@haidaraM
Copy link

haidaraM commented Oct 14, 2019
edited
Loading

Looks like this comment fixes the issue serverless/serverless#3833 (comment):
export AWS_SDK_LOAD_CONFIG=1

mvaldesdeleon added a commit to mvaldesdeleon/aws-sdk-js that referenced this issue Dec 10, 2019
@mvaldesdeleon
feat: adds support for credentials_source
03dbda5 
Closes aws#1916
Closes aws#2071
mvaldesdeleon added a commit to mvaldesdeleon/aws-sdk-js that referenced this issue Dec 12, 2019
@mvaldesdeleon
feat: adds support for credential_source
49e495a 
Closes aws#1916
Closes aws#2071
@mvaldesdeleon mvaldesdeleon mentioned this issue Dec 12, 2019
Closed
2 tasks
@pauloapi
Copy link

pauloapi commented Feb 4, 2020

after exporting AWS_SDK_LOAD_CONFIG=1, below is the new error. My stackoverflow: https://stackoverflow.com/questions/60049779/ec2-ecs-cross-account-serverless-deploy

Error --------------------------------------------------

Error: ENOENT: no such file or directory, open '/home/ec2-user/.aws/credentials'
    at Object.openSync (fs.js:443:3)
    at Object.readFileSync (fs.js:343:35)
    at Object.readFileSync (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/util.js:95:26)
    at IniLoader.parseFile (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:6:47)
    at IniLoader.loadFrom (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Config.region (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/node_loader.js:100:36)
    at Config.set (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/config.js:507:39)
    at Config.<anonymous> (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/config.js:342:12)
    at Config.each (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/util.js:507:32)
    at new Config (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/config.js:341:19)
    at Object.<anonymous> (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/node_loader.js:110:14)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18)
    at Object.<anonymous> (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/aws.js:1:1)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18)
    at Object.<anonymous> (/usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:3:13)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18)
    at Object.<anonymous> (/usr/lib/node_modules/serverless/lib/plugins/index.js:24:3)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18)
    at PluginManager.loadAllPlugins (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:110:10)
    at pluginManager.loadConfigFile.then.then (/usr/lib/node_modules/serverless/lib/Serverless.js:96:35)
From previous event:
    at Serverless.init (/usr/lib/node_modules/serverless/lib/Serverless.js:94:8)
    at initializeErrorReporter.then (/usr/lib/node_modules/serverless/bin/serverless.js:74:8)
    at runCallback (timers.js:705:18)
    at tryOnImmediate (timers.js:676:5)
    at processImmediate (timers.js:658:5)
    at process.topLevelDomainCallback (domain.js:126:23)
From previous event:
    at Object.<anonymous> (/usr/lib/node_modules/serverless/bin/serverless.js:64:4)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
    at startup (internal/bootstrap/node.js:283:19)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:623:3)

Get Support --------------------------------------------
    Docs:          docs.serverless.com
    Bugs:          github.com/serverless/serverless/issues
    Issues:        forum.serverless.com

Your Environment Information ---------------------------
    Operating System:          linux
    Node Version:              10.18.1
    Framework Version:         1.62.0
    Plugin Version:            3.3.0
    SDK Version:               2.3.0
    Components Core Version:   1.1.2
    Components CLI Version:    1.4.0

@rpurdon-nf
Copy link

Feedback on when we might expect this functionality?

@ryudice
Copy link

ryudice commented Jun 18, 2020

It's a bit concerning that AWS itself doesn't take this feature seriously. Having this feature work is a must for good security as all of the workarounds involve access to the access keys somewhere. Is it really that hard to implement this given that it's already part of the AWS CLI?

@pcleddy
Copy link

pcleddy commented Jul 10, 2020

Hello, also an issue for me, need to assume roles from the environment, any progress?

@ajredniwja
Copy link
Contributor

Can you try the ChainableTemporaryCredentials as mentioned above by Allan as a workaround.

@davidsmith-accesso
Copy link

I dont like the ChainableTemporaryCredentials solution because if have to specify the RoleARN then you have to hardcode the account id or have it in a mapping, since that's a part of the ARN

@iliapolo iliapolo mentioned this issue Sep 9, 2020
Merged
mergify bot pushed a commit to aws/aws-cdk that referenced this issue Sep 10, 2020
@iliapolo
feat(cli): support credential_source in aws shared config file (#10272)
940a443 
Added support for using `credential_source` in the standard aws config file.

This wasn't previously supported because the JavaScript SDK does [not](aws/aws-sdk-js#1916) support it. 

This PR bypasses the limitation.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@Firefishy Firefishy mentioned this issue Mar 16, 2021
Closed
@justinmk3 justinmk3 mentioned this issue May 7, 2021
Closed
@AllanZhengYP
Copy link
Contributor

Hi everyone,

Thank you for requesting this feature. The V2 SDK indeed does not support credential source. However, V3 SDK is providing this support now: this feature is supported in V3 SDK now: https://github.com/aws/aws-sdk-js-v3/tree/main/packages/credential-providers#profile-with-source-provider.

So far we don't have plan to backport this feature to V2.

@ajredniwja
Copy link
Contributor

As @AllanZhengYP mentioned this feature is a part of V3 now. I would close this issue now.

Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request A feature should be added or improved.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: adds support for credential_source mvaldesdeleon/aws-sdk-js