moto setting AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY on import #2058
Comments
|
Just curious: what's your use-case where you import |
|
IIRC we have a secretTool which connects to dynamodb to retrieve secrets. I need to get the secret as I just want to mock S3 and not an API call which requires a secret. |
|
another instance: I need to connect to our secret store to retrieve a SSL cert required to mock a SSL server. |
|
Hmm yeah, I worried that edge case might happen.. is there a chance you can restructure your code to separate the imports? Or include a |
|
ya I have a work-around for now, but ideally this should not be done on import |
|
This might also bite you in other case. Assume you have a project with unit and integration tests. For unit tests you want to mock everything outside of your code so you use moto. Now if you use
You'll end up with running integration tests with moto populated: os.environ.setdefault("AWS_ACCESS_KEY_ID", "foobar_key")
os.environ.setdefault("AWS_SECRET_ACCESS_KEY", "foobar_secret")Which obviously is not what you want. I think that's because you're running scan for the annotations for all tests and you then hit the import for unit tests and you end up with A workaround here is to keep the tests in separate directory ("/integration" in my case) and then run it with:
Nevertheless, this is yet another workaround and if we'd have an option to control if it would be great. Something like For |
|
Can someone give the PR here a try and let me know if it solves the issue? #2285 |
|
@spulec isn't that the same thing effectively? After you patch a particular service, anyone who requests |
|
Well, this moved from happening on import to only happening when the moto context is activated so that seemed like an improvement. I understand what you are saying though. Given that boto/boto3 requires some form of authentication, I'm not sure what other options we have. It seems too painful to force everyone to change the client instantiations. We might be able to mock credentials via instance metadata, but that has been a struggle in the past. |
|
can't you instead temporarily monkeypatch the |
|
That assume the client is created after the mocking is activated, yeah? I don't know how popular it is, but I have seen a number of people that setup their clients at the module level. |
|
I think it's counter-intuitive to create a client, then say you want to
enable mocking s3, and then have that retroactively affect clients you've
already created. Perhaps this warrants a major version change.
…On Mon, Jul 15, 2019 at 6:47 PM Steve Pulec ***@***.***> wrote:
That assume the client is created after the mocking is activated, yeah? I
don't know how popular it is, but I have seen a number of people that setup
their clients at the module level.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2058>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA6Q77JVEUWZ7FZ4WBFDSQTP7USDVANCNFSM4GXJL2IA>
.
|
|
Hmmmm, I'm not sure. Given that the clients are lazy (at least in boto3), I don't have a good feel for how people think about them. Just to make sure I understand: is there a problem with the current approach? If it is only that a user reading the environment variables will see something different while the mock is activated, that doesn't seem like a huge deal to me (though please let me know if there is a use-case I'm not considering with this). |
|
Here's the scenario, before or after I enable s3 moto I create a dynamodb client to get secrets, i then enable s3 Moto, now my secrets calls fail. I need this secret because it contains the password for the mock DB we create. This is marginally better in that after import, but before enabling s3 mocking I can pull the password, but ideally mocking s3 should not affect dynamodb calls. |
|
Ah, I see. Because of various issues we've had in the past, I get extra nervous about allowing any sort of real connections to AWS when a user has any service activated. Some more here. I have even caught myself a few times where I forget to add the decorator for a particular service and am thankful that Moto throws an exception. I don't keep real credentials available, but it is clear that much of our userbase does. As far as defaults go, I'm tempted to lean toward anything AWS not working. If there is a way we could allow an explicit override of that, I would be in favor though. |
|
Perhaps then there should be an explicit global moto context to inform users what's happening |
|
I'm not sure I understand. Are you talking something like #2076 or something different? |
|
Since we fixed this to no longer happen on import, I am going to close this issue. If someone wants to take a shot at making this even less intrusive, I'm open to ideas. |
Here: https://github.com/spulec/moto/blob/master/moto/core/models.py#L26
These should only be set if you call a mock method, otherwise just importing moto can break various other calls which are not supposed to be mocked
The text was updated successfully, but these errors were encountered: