Warning message from AWS Java SDK on startup about redundant profile prefix #592

Closed
tomelliff opened this issue May 20, 2020 · 2 comments

tomelliff commented May 20, 2020

  • I am using the latest release of AWS Vault
$ aws-vault --version
v6.0.0-beta5
  • I have provided my .aws/config (redacted if necessary)
[default]
region = eu-west-1

[profile organisation]

[profile account1-read-only]
role_arn = arn:aws:iam::1234567890:role/read-only
source_profile = organisation

[profile account1-admin-read-only]
role_arn = arn:aws:iam::1234567890:role/admin-read-only
source_profile = organisation
mfa_serial = arn:aws:iam::1234567890:mfa/user

...
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

When running a Java application locally I get the following warning from the AWS SDK:

WARNING: Your profile name includes a 'profile ' prefix. This is considered part of the profile name in the Java SDK, so you will need to include this prefix in your profile name when you reference this profile from your Java code.
May 20, 2020 5:43:41 PM com.amazonaws.auth.profile.internal.BasicProfileConfigLoader loadProfiles

for every profile in my ~/.aws/config file.

This happens regardless of whether AWS-Vault is actually used via aws-vault exec profile-name -- java -jar ... or if it's just run directly (so without credentials from AWS-Vault).

This suggests that AWS-Vault shouldn't be expecting the profile prefix here if it wants to be fully compatible with the AWS SDKs. This warning is also mentioned in this Stack Overflow post, but for an older warning 3 years ago, so it sounds like it's been a problem for a while, although I hadn't personally noticed it previously and it was just flagged by a colleague.

We generate the config for AWS-Vault with all of the profiles for all of our accounts (even if the user doesn't have the necessary IAM permissions to assume them at that time) so we have a lot of these profiles and it creates a lot of noise on startup when people are developing locally.

Removing the profile prefix from the source profile block (that is empty) seems fine for AWS-Vault but if I remove the profile prefix from the target profile I get the following error:

$ aws-vault exec account1-read-only -- /usr/local/bin/aws sts get-caller-identity
aws-vault: error: exec: Error getting temporary credentials: profile account1-read-only: credentials missing

Adding the profile prefix back fixes things so that it correctly assumes the role indicated in the profile.

Member

mtibben commented May 21, 2020

This doesn't appear to be the behaviour of the AWS CLI - it adds the profile prefix, and doesn't recognise sections without it.

$ aws configure --profile testprofile
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: us-west-2
Default output format [None]:
$ cat ~/.aws/config | grep testprofile
[profile testprofile]

Manually adding

[testprofile2]
region = us-west-2
$ aws s3 ls --profile testprofile2

The config profile (testprofile2) could not be found

@tomelliff
Author

Yeah, this looks like it might be just the Java SDK doing something stupid as mentioned in this issue. I think this can probably be closed as an issue on the Java SDK's side as the other SDKs don't do this.
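
The section-naming difference discussed in this thread, as an added example that is not part of the original comments and is not code from aws-vault, the AWS CLI or the Java SDK: a small Python checker that models the two rules as the thread describes them (the CLI reaching only `[default]` and `[profile name]` sections, the Java SDK treating the prefix as part of the name and warning about it). The sample config is constructed from the snippets quoted above, and the function names are hypothetical.

```python
import configparser

# Constructed sample, modelled on the config snippets quoted in this thread.
SAMPLE_CONFIG = """\
[default]
region = eu-west-1

[profile organisation]

[profile account1-read-only]
role_arn = arn:aws:iam::1234567890:role/read-only
source_profile = organisation

[testprofile2]
region = us-west-2
"""

PREFIX = "profile "


def classify_sections(config_text):
    """Map each section header to the profile name each convention gives it.

    cli_name is None when `--profile` cannot reach the section; java_name
    follows the rule in the quoted warning (prefix is part of the name).
    """
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    report = {}
    for section in parser.sections():
        if section == "default":
            cli_name = "default"
        elif section.startswith(PREFIX):
            cli_name = section[len(PREFIX):].strip()
        else:
            cli_name = None  # e.g. [testprofile2]: "could not be found"
        report[section] = {
            "cli_name": cli_name,
            "java_name": section,
            "java_warns": section.startswith(PREFIX),
        }
    return report


def unreachable_for_cli(config_text):
    """Sections with no prefix that are not [default]."""
    report = classify_sections(config_text)
    return [s for s, row in report.items() if row["cli_name"] is None]
```

Running `unreachable_for_cli` over a generated config before distributing it flags sections that were written without the prefix, which is the case that produced the "could not be found" and "credentials missing" errors shown in the thread.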
