CredentialsProcess does not support credentials without expiration #1021

Closed
benabel-aws opened this issue Dec 19, 2023 · 3 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue


Describe the bug

I am trying to run the credentials provider as specified in the latest documentation. It seems this issue is reported here: #340, but the rustdoc for the expected behavior does not reference this issue, which can be pretty confusing if you’re trying to initialize a credential chain using a credential_provider.

The credential_provider documentation (rustdoc) states that SessionToken and Expiration are both optional: here.

However, if you do not specify a SessionToken or Expiration, the config fails to load the credential. Specifically, the following is thrown:

Unhandled(Unhandled { source: DispatchFailure(DispatchFailure { source: ConnectorError { kind: Other(None), source: ProviderError(ProviderError { source: ProviderError(ProviderError { source: "Error retrieving credentials from external process, could not parse response: Expected field `Token` in response but it was missing" }) }), connection: Unknown } }), meta: ErrorMetadata { code: None, message: None, extras: None } })

If you do provide a SessionToken and Expiration, then Rust correctly parses the configuration, but then fails when it tries to look up an obviously bogus (or even empty) SessionToken.

Expected Behavior

The credential file should only need to specify Version, AccessKeyId, and SecretAccessKey. The other inputs should be optional. If this is user error, then the documentation should be updated to reflect the correct behavior.

This effectively means solving #340 but in the interim, maybe this issue can be referenced in the rustdoc here to prevent confusion?

Current Behavior

When using a credential_pass in the aws config, initializing a new configuration using the default credential chain fails

Unhandled(Unhandled { source: DispatchFailure(DispatchFailure { source: ConnectorError { kind: Other(None), source: ProviderError(ProviderError { source: ProviderError(ProviderError { source: "Error retrieving credentials from external process, could not parse response: Expected field `Token` in response but it was missing" }) }), connection: Unknown } }), meta: ErrorMetadata { code: None, message: None, extras: None } })

Reproduction Steps

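use aws_config::BehaviorVersion;
use aws_sdk_ssm::Client;

#[tokio::main]
async fn main() {
    // Build the config from the default credential chain (reads ~/.aws/config).
    let config = aws_config::defaults(BehaviorVersion::latest()).region("us-east-1").load().await;
    let client = Client::new(&config);
    // Sending a request resolves credentials, which runs credential_process.
    println!("{:?}", client.get_parameters().send().await);
}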

Create a config using e.g. pass as a credential_process

~/.aws/config
[default]
region = us-east-1
output = json
credential_process = pass show aws/my-creds

Possible Solution

Resolve #340, or at least update here to prevent confusion?

Additional Information/Context

No response

Version

$ cargo tree | grep aws-
├── aws-config v1.1.1
│   ├── aws-credential-types v1.1.1
│   │   ├── aws-smithy-async v1.1.1
│   │   ├── aws-smithy-runtime-api v1.1.1
│   │   │   ├── aws-smithy-async v1.1.1 (*)
│   │   │   ├── aws-smithy-types v1.1.1
│   │   ├── aws-smithy-types v1.1.1 (*)
│   ├── aws-http v0.60.1
│   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   ├── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-types v1.1.1
│   │   │   ├── aws-credential-types v1.1.1 (*)
│   │   │   ├── aws-smithy-async v1.1.1 (*)
│   │   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   │   ├── aws-smithy-types v1.1.1 (*)
│   ├── aws-runtime v1.1.1
│   │   ├── aws-credential-types v1.1.1 (*)
│   │   ├── aws-http v0.60.1 (*)
│   │   ├── aws-sigv4 v1.1.1
│   │   │   ├── aws-credential-types v1.1.1 (*)
│   │   │   ├── aws-smithy-http v0.60.1
│   │   │   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   │   │   ├── aws-smithy-types v1.1.1 (*)
│   │   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   │   ├── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-smithy-async v1.1.1 (*)
│   │   ├── aws-smithy-http v0.60.1 (*)
│   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   ├── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-types v1.1.1 (*)
│   ├── aws-sdk-sso v1.7.0
│   │   ├── aws-credential-types v1.1.1 (*)
│   │   ├── aws-http v0.60.1 (*)
│   │   ├── aws-runtime v1.1.1 (*)
│   │   ├── aws-smithy-async v1.1.1 (*)
│   │   ├── aws-smithy-http v0.60.1 (*)
│   │   ├── aws-smithy-json v0.60.1
│   │   │   └── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-smithy-runtime v1.1.1
│   │   │   ├── aws-smithy-async v1.1.1 (*)
│   │   │   ├── aws-smithy-http v0.60.1 (*)
│   │   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   │   ├── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   ├── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-types v1.1.1 (*)
│   ├── aws-sdk-ssooidc v1.7.0
│   │   ├── aws-credential-types v1.1.1 (*)
│   │   ├── aws-http v0.60.1 (*)
│   │   ├── aws-runtime v1.1.1 (*)
│   │   ├── aws-smithy-async v1.1.1 (*)
│   │   ├── aws-smithy-http v0.60.1 (*)
│   │   ├── aws-smithy-json v0.60.1 (*)
│   │   ├── aws-smithy-runtime v1.1.1 (*)
│   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   ├── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-types v1.1.1 (*)
│   ├── aws-sdk-sts v1.7.0
│   │   ├── aws-credential-types v1.1.1 (*)
│   │   ├── aws-http v0.60.1 (*)
│   │   ├── aws-runtime v1.1.1 (*)
│   │   ├── aws-smithy-async v1.1.1 (*)
│   │   ├── aws-smithy-http v0.60.1 (*)
│   │   ├── aws-smithy-json v0.60.1 (*)
│   │   ├── aws-smithy-query v0.60.1
│   │   │   ├── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-smithy-runtime v1.1.1 (*)
│   │   ├── aws-smithy-runtime-api v1.1.1 (*)
│   │   ├── aws-smithy-types v1.1.1 (*)
│   │   ├── aws-smithy-xml v0.60.1
│   │   ├── aws-types v1.1.1 (*)
│   ├── aws-smithy-async v1.1.1 (*)
│   ├── aws-smithy-http v0.60.1 (*)
│   ├── aws-smithy-json v0.60.1 (*)
│   ├── aws-smithy-runtime v1.1.1 (*)
│   ├── aws-smithy-runtime-api v1.1.1 (*)
│   ├── aws-smithy-types v1.1.1 (*)
│   ├── aws-types v1.1.1 (*)
├── aws-sdk-ssm v1.7.0
│   ├── aws-credential-types v1.1.1 (*)
│   ├── aws-http v0.60.1 (*)
│   ├── aws-runtime v1.1.1 (*)
│   ├── aws-smithy-async v1.1.1 (*)
│   ├── aws-smithy-http v0.60.1 (*)
│   ├── aws-smithy-json v0.60.1 (*)
│   ├── aws-smithy-runtime v1.1.1 (*)
│   ├── aws-smithy-runtime-api v1.1.1 (*)
│   ├── aws-smithy-types v1.1.1 (*)
│   ├── aws-types v1.1.1 (*)


Environment details (OS name and version, etc.)

MacOS, Darwin 22.6.0, xnu-8796.141.3~6/RELEASE_ARM64_T6000 arm64

Logs

No response
@benabel-aws benabel-aws added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 19, 2023
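
The expected behavior described in the report above, as an added example that is not part of the original issue and is not the SDK's own parser: Version, AccessKeyId and SecretAccessKey are required, while SessionToken and Expiration are optional. `ProcessCreds`, `parse_credential_process` and `unquote` are hypothetical names, and the std-only reader assumes flat credential_process output with no nesting or escape sequences.

```rust
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
pub struct ProcessCreds {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: Option<String>, // absent for long-term keys
    pub expiration: Option<String>,    // absent: credentials do not expire
}

// Strip the surrounding quotes from a JSON string token (escapes are rejected earlier).
fn unquote(s: &str) -> Option<&str> {
    s.trim().strip_prefix('"')?.strip_suffix('"').filter(|t| !t.contains('"'))
}

// Hypothetical helper (added example): parse flat credential_process output.
pub fn parse_credential_process(out: &str) -> Result<ProcessCreds, String> {
    let body = out.trim().strip_prefix('{').and_then(|b| b.strip_suffix('}'))
        .ok_or("output is not a JSON object")?;
    if body.contains('\\') { return Err("escape sequences are not handled here".into()); }
    let mut raw: HashMap<&str, &str> = HashMap::new();
    for pair in body.split(',') {
        let (k, v) = pair.split_once(':').ok_or("malformed key/value pair")?;
        raw.insert(unquote(k).ok_or("key is not a string")?, v.trim());
    }
    if raw.get("Version") != Some(&"1") { return Err("Version must be 1".into()); }
    let required = |k: &str| -> Result<String, String> {
        raw.get(k).and_then(|v| unquote(v)).filter(|v| !v.is_empty()).map(str::to_owned)
            .ok_or_else(|| format!("missing required field `{}`", k))
    };
    let optional = |k: &str| -> Result<Option<String>, String> {
        match raw.get(k) { // only a present-but-malformed value is an error
            None => Ok(None),
            Some(v) => unquote(v).map(|s| Some(s.to_owned()))
                .ok_or_else(|| format!("`{}` must be a string", k)),
        }
    };
    Ok(ProcessCreds {
        access_key_id: required("AccessKeyId")?,
        secret_access_key: required("SecretAccessKey")?,
        session_token: optional("SessionToken")?,
        expiration: optional("Expiration")?,
    })
}

fn main() {
    // Constructed sample: long-term credentials, no SessionToken or Expiration.
    let out = r#"{"Version": 1, "AccessKeyId": "AKIDEXAMPLE", "SecretAccessKey": "constructed-secret"}"#;
    println!("{:?}", parse_credential_process(out));
}
```
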
@rcoh
Contributor

rcoh commented Dec 20, 2023

Yep this is a bug. We'll get this fixed.

@rcoh rcoh added p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Dec 20, 2023
@rcoh rcoh changed the title Rustdoc incorrectly specifies behavior CredentialsProcess does not support credentials without expiration Dec 20, 2023

rcoh commented Dec 20, 2023

Fix here: smithy-lang/smithy-rs#3335

It will probably be released sometime early in the new year

@rcoh rcoh closed this as completed Jan 11, 2024