Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

With sso-session config "Required key: :secret_access_key must be a string, but instead is..." #951

Closed
chrismo opened this issue May 26, 2023 · 7 comments · Fixed by #1080

Comments

@chrismo
Copy link

chrismo commented May 26, 2023

Environment

  • Elixir & Erlang versions (elixir --version):
Erlang/OTP 25 [erts-13.1.3] [source] [64-bit] [smp:10:10] [ds:10:10:10] [async-threads:1] [jit]
Elixir 1.14.2 (compiled with Erlang/OTP 25)
  • ExAws version mix deps |grep ex_aws
* ex_aws 2.4.2 (Hex package) (mix)
  locked at 2.4.2 (ex_aws) 0a2c07bd
* ex_aws_s3 2.4.0 (Hex package) (mix)
  locked at 2.4.0 (ex_aws_s3) 85dda6e2
  • HTTP client version. IE for hackney do mix deps | grep hackney
* hackney 1.18.1 (Hex package) (rebar3)
  locked at 1.18.1 (hackney) a4ecdaff

Current behavior

Using the newer sso-session config which supports automatic token refresh.

~/.aws/config

[profile dev]
sso_session = dscout
sso_account_id = xxxxxxxx
sso_role_name = StuffAccess
region = us-east-2
output = json

[sso-session dscout]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-2
sso_registration_scopes = sso:account:access

runtime.exs

config :ex_aws,
  access_key_id: [
    {:system, "AWS_ACCESS_KEY_ID"},
    {:awscli, System.get_env("AWS_PROFILE", "dev"), 30},
    :instance_role
  ],
  secret_access_key: [
    {:system, "AWS_SECRET_ACCESS_KEY"},
    {:awscli, System.get_env("AWS_PROFILE", "dev"), 30},
    :instance_role
  ]

iex

iex(3)> ...
iex(4)> ExAws.request(ExAws.S3.head_object(bucket, key))
{:error,
 "Required key: :secret_access_key must be a string, but instead is [{:system, \"AWS_SECRET_ACCESS_KEY\"}, {:awscli, \"dev\", 30}, :instance_role]"}

Expected behavior

Expected behavior is that the request would succeed. If the configuration changes back to the legacy config, then the request works.

~/.aws/config

[profile dev]
sso_start_url = https://xxxxxxxxx.awsapps.com/start#/
sso_region = us-east-2
sso_account_id = xxxxxxxx
sso_role_name = StuffAccess
region = us-east-2
output = json

iex

iex(5)> ExAws.request(ExAws.S3.head_object(bucket, key))
{:ok, ...
@chrismo
Copy link
Author

chrismo commented May 26, 2023

fwiw, terraform has a similar limitation: hashicorp/terraform-provider-aws#28263

@bernardd
Copy link
Contributor

bernardd commented Jun 9, 2023

Okay, took me a while to pin down, because that's a super misleading error message (and I'm just adding some code to improve it now). But yes, the upshot is that nobody has written code to support that style of auth config. PRs welcome :)

Thanks for the detailed report.

@bernardd
Copy link
Contributor

bernardd commented Jun 9, 2023

Incidentally, if you're looking to add support, the place to do it is lib/ex_aws/credentials_ini/file.ex :)

@ymtszw

This comment was marked as outdated.

@ymtszw
Copy link

ymtszw commented Oct 11, 2023

Ah my previous comment was somewhat off. As @chrismo wrote,

Using the newer sso-session config which supports automatic token refresh.

Expected behavior is that the request would succeed. If the configuration changes back to the legacy config, then the request works.

So I can confirm that the problem is, ex_aws's awscli config provider not yet supporting newer aws sso config structure (sso-session).

@ymtszw
Copy link

ymtszw commented Oct 11, 2023

For the time being, I'm going to revert my sso config to legacy structure as a workaround.

@adamcstephens
Copy link
Contributor

I think this issue will be fixed by #1080

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants