SharedCredentials not loading credentials if profile is a role #910

Closed
mikelorant opened this issue Aug 24, 2015 · 7 comments
Labels
guidance Question that needs advice or information.

Comments

@mikelorant

When trying to use Aws::SharedCredentials, I am finding that if the profile is assuming a role, the access keys are being set to nil.

The file ~/.aws/credentials:

    [default]
    aws_access_key_id = id
    aws_secret_access_key = key

    [example]
    role_arn = arn:aws:iam::12345678:role/example
    source_profile = default

Working:

    Aws> credentials = Aws::SharedCredentials.new(profile_name: 'default')
    => #<Aws::SharedCredentials profile_name="default" path="/home/user/.aws/credentials">
    Aws> credentials.credentials
    => #<Aws::Credentials access_key_id="id">

Failing:

    Aws> credentials = Aws::SharedCredentials.new(profile_name: 'example')
    => #<Aws::SharedCredentials profile_name="example" path="/home/user/.aws/credentials">
    Aws> credentials.credentials
    => #<Aws::Credentials access_key_id=nil>

When I try to use the credentials I get the following error:

    Aws::CloudFormation::Client.new(credentials: Aws::SharedCredentials.new(profile_name: 'example')).describe_stacks
    Aws::Errors::MissingCredentialsError: unable to sign request without credentials set

Is this the correct way to assume a role that is an existing profile? Otherwise, what is the best way to deal with this?

@mikelorant
Author

Looking at the code here:
https://github.com/aws/aws-sdk-ruby/blob/master/aws-sdk-core/lib/aws-sdk-core/shared_credentials.rb

    def load_from_path
      profile = load_profile
      @credentials = Credentials.new(
        profile['aws_access_key_id'],
        profile['aws_secret_access_key'],
        profile['aws_session_token']
      )
    end

It is clear that this isn't supported as this is just looking for those specific keys. Will need to also handle role_arn and source_profile.

@trevorrowe
Member

We do not currently support loading assume role credentials from the shared credentials file. You can use Aws::AssumeRoleCredentials from your Ruby script to manage refreshing role credentials:

    role_credentials = Aws::AssumeRoleCredentials.new(
      role_arn: "linked::account::arn",
      role_session_name: "session-name"
    )
    ec2 = Aws::EC2::Client.new(credentials: role_credentials)

Does this help?

@trevorrowe
Member

I'm going to close this and add supporting assume role credentials from ~/.aws/credentials to the feature requests.

@JonathanSerafini

We use role_arn and source_profile extensively, with all of our accounts being created in a master authentication account and then access being delegated to child accounts via Assume role. So I've written a simple pull request to provide this functionality #998 which I hope meets with your approval.

@srchase added the guidance label Dec 24, 2018

@amancevice

amancevice commented Feb 1, 2022

I just had this problem and got around it by instantiating an STS client and then getting the credentials:

    shared_creds = Aws::SharedCredentials.new(profile_name: 'default')
    sts = Aws::STS::Client.new(credentials: shared_creds)
    sts.config.credentials.credentials
    # => #<Aws::Credentials access_key_id="ASIABLAHBLAH">

@scalp42

scalp42 commented Mar 20, 2023

@amancevice running into the same issue:

    irb(main):010:0> shared_creds = Aws::SharedCredentials.new(profile_name: 'my_profile')
    => #<Aws::SharedCredentials profile_name="my_profile" path="/Users/scalp/.aws/credentials">
    irb(main):011:0> sts = Aws::STS::Client.new(credentials: shared_creds)
    => #<Aws::STS::Client>
    irb(main):012:0> sts.config.credentials.credentials
    => nil

Do you have any idea by any chance?

@alextwoods
Contributor

The SharedCredentials will only load static credentials from a profile - to get profiles with an assume role from a profile you'll need to use the credential provider chain that is part of client creation. We don't offer a public interface to it, but you can instantiate a client and get the credentials from the config:

    sts = Aws::STS::Client.new(profile: 'default')
    shared_creds = sts.config.credentials
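
The distinction this thread turns on, as an added example that is not aws-sdk-ruby code and not from any commenter: the Ruby below parses a credentials file of the shape shown in the issue and reports, per profile, whether it carries static keys or is a role_arn/source_profile profile whose keys must come from an AssumeRole call made with the source profile. The function names, the simplified parser and the `[loop]` profile are assumptions made for illustration.

```ruby
STATIC_KEYS = %w[aws_access_key_id aws_secret_access_key].freeze

# Added example (not SDK code). First two profiles are from the issue; [loop] is constructed.
SAMPLE = <<~INI
  [default]
  aws_access_key_id = id
  aws_secret_access_key = key

  [example]
  role_arn = arn:aws:iam::12345678:role/example
  source_profile = default

  [loop]
  role_arn = arn:aws:iam::12345678:role/loop
  source_profile = loop
INI

# Simplified INI parser for the credentials layout shown in the issue.
def parse_profiles(text)
  profiles = {}
  current = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = profiles[m[1].strip] = {}
    elsif current && (m = line.match(/\A([^=]+)=(.*)\z/))
      current[m[1].strip] = m[2].strip
    end
  end
  profiles
end

# Returns [:static, name], [:assume_role, arn, source] (keys must come from
# AssumeRole via source), or [:error, reason] for a missing profile or a cycle.
def resolve_profile(profiles, name, seen = [])
  return [:error, "source_profile cycle at #{name}"] if seen.include?(name)
  profile = profiles[name]
  return [:error, "profile #{name} not found"] unless profile
  return [:static, name] if STATIC_KEYS.all? { |k| !profile[k].to_s.empty? }
  arn, source = profile.values_at('role_arn', 'source_profile')
  return [:error, "profile #{name} has no static keys and no role_arn + source_profile"] unless arn && source
  inner = resolve_profile(profiles, source, seen + [name])
  inner.first == :error ? inner : [:assume_role, arn, source]
end

# Profiles for which a static-keys-only loader would return nil keys.
def role_profiles(profiles)
  profiles.keys.select { |n| resolve_profile(profiles, n).first == :assume_role }
end
```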
