-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws temporary credentials doesn't use the default credentials provider chain #1064
Comments
@nickwhiggins |
@chrisradek |
@nickwhiggins var AWS = require('aws-sdk');
// Uses default providers if none are passed to the constructor
var credentialProviderChain = new AWS.CredentialProviderChain();
credentialProviderChain.resolve(function(err, creds) {
if (err) {
console.log('No master credentials available');
} else {
console.log('Master credentials available');
// Set master credentials
AWS.config.update({
credentials: creds
});
// create temporary credentials
AWS.config.update({
credentials: new AWS.TemporaryCredentials(/* params */)
});
}
}); We could potentially update the |
It works for us but ideally we think it should:
Adding 1 and 3 should not break current behaviour. |
Yes, this is really confusing behaviour imo. It works with some of the default credential providers, but not all. For me it worked when testing locally (which used SharedIniFileCredentials), but when deployed on an EC2 instance my program just crashed with a "TypeError: Cannot read property 'masterCredentials' of null". If not changed, at least it should be documented in http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/TemporaryCredentials.html that you have to do it like in @chrisradek's code sample if you need async provider support. |
@mifi |
Any update this on when this might be implemented? It is pretty surprising behavior, since with most other places where credentialProvider are used (say in service clients) the consumer takes care of resolving so the API appears "sync" to the end user. I have also done this same pattern of creating a service client with a specific |
Ran into this problem today, the EC2 instance has access to STS AssumeRole via a role itself and AWS.TemporaryCredentials fails with the "Cannot read property 'masterCredentials' of null" error. For others that have this problem, the SDK now (as of 2.7.28) has a second parameter to the TemporaryCredentials constructor that takes the master credentials, so you can fix it yourself. Use the CredentialProviderChain as per above, or even EC2MetadataCredentials explicitly to acquire some. BUT, it's not enough. The credentials provided for the role via the metadata service are temporary themselves, so now you need to manage the refreshing of the master credentials yourself if you run a server, or get them on every request to AssumeRole. Pain in the behind and error prone. Everything else in the SDK works out-of-the-box with roles, so it's quite inconsistent from a developer point of view. +1 to just using the default CredentialProviderChain here, so that it simply works the same way whether using an ini file or an EC2 role transparently. |
Any updates on this? Ran into this exact issue today, would be great if TemporaryCredentials was handling the default provider credential chain in a consistent manner w.r.t the other SDK services. |
Another "me too". I need to specify a profile that gets used to load the credentials that the temporary credentials provider can use to assume a role. For example: var params = {
Credentials: new AWS.SharedIniFileCredentials({ profile: argv.profile }),
RoleArn: argv['role-arn'],
SerialNumber: argv['mfa-serial'],
TokenCode: argv['mfa-token'],
};
AWS.config.credentials = new AWS.TemporaryCredentials(params); Then all my connections to AWS resources should use the temporary credentials provided by the assumed role, except for the calls to STS itself, which would use the credentials provided by the specified profile in my |
Okay, an update: I actually was able to do this fairly easily. There was a problem - which I'll explain below. First, what I'm doing now (note that this is in a script intended to be run from the CLI). // set my master credentials to ones that read use the profile in the ~/.aws/credentials file
AWS.config.credentials = new AWS.SharedIniFileCredentials({ profile: argv.profile });
var params = {
RoleArn: argv['role-arn'],
SerialNumber: argv['mfa-serial'],
TokenCode: argv['mfa-token'],
};
// now override the master credentials with temporary credentials that will use
// STS.assumeRole. This credentials object will use the one set above as its
// credentials for calling STS.assumeRole. It does this automatically.
AWS.config.credentials = new AWS.TemporaryCredentials(params);
startupPromise = Q.ninvoke(AWS.config.credentials, 'refresh');
}
startupPromise
.then(function() {
return runYourScript();
})
.done(); The problem seems to be that By calling refresh and making sure it completes before I start the script, I ensure that only one operation is using the one-time code, and the credentials are loaded from STS correctly before the script even starts. |
@jthomerson Would you mind copying that comment into a new issue? I don't believe it's directly related to the OP, but it is something we can likely address. |
I had a similar problem and I was getting the error message I could get rid of that strange error message doing this way:
|
This should be resolved in the next release by #2175 using |
Closing out this issue. |
We would like to be able to use temporary credentials with master credentials pulling from the default credentials provider chain. Currently as far as we can the only way to do this is to explicitly set the global AWS.config.credentials field with a credential provider on startup asynchronously which opens the risk of the credentials not being set when the temporary credentials are called.
Ideally we would like to be able to set the credentials explicitly when creating the temporary credentials and have it fallback to using the default credentials provider if the global credentials are not set.
The text was updated successfully, but these errors were encountered: