AssumeRole using STSClient #2178
Comments
Hi @nesar77,
Note that the above will also disable checking for credentials in the config file. If you would prefer specifying credentials for the STS client, you could also fix this by setting the credentials variable with hard-coded credentials or a specific credentials provider.
Hi @SamRemis, thanks a lot for your suggestion but I'm still getting the same error. `{"error":"Cannot read credentials from /.aws/credentials"}`
@nesar77, would you be able to post the code that you're using to initialize the clients? That way I could potentially reproduce it on my local - I haven't been able to yet.
Hi @nesar77,
Hi @SamRemis, working on your suggestion. Using the following code returns an access denied error
This is the detailed error. Using the following example, the STS client is looking for the credential file, but I've set the param `use_aws_shared_config_files` to false.
@nesar77 It appears that the detailed error link is broken. The access denied error suggests you are using invalid credentials. The fact that it occurs in the WrappedHttpHandler on line 97 tells me that your request was sent successfully but rejected by the service (so you didn't have access to STS or S3 with the credentials given). As far as the
I'm not sure what's going on since I don't have access to the source to see how you're using the credentials. To me, it just looks like something is blocked using the bucket policy or bad credentials. If you post the code for your client constructors, I may be able to see more. It's likely that your CLI is using different credentials than your SDK. The stack trace just says that the request went out properly and S3 returned an error response with access denied.
This is the constructor:
and this is the setClient function, the value of hasAuth() is false
The S3 client constructor that is in the else statement could be why you're still seeing it attempting to access those files. Either specify a credentials provider there, or add the `use_aws_shared_config_files = false` and let it go through the default chain without it.
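An added example, not code from this thread or from the SDK project, of the setup suggested above: an STS client with an explicit credentials provider and the shared config files disabled, an assume-role provider built on it, and a `getCallerIdentity` check showing which principal the SDK is signing as. The role ARN is a placeholder, and `CredentialProvider::instanceProfile()` as the source of credentials is an assumption; substitute the provider that matches the pod's setup.

```php
<?php
// Added example. ROLE_ARN is a placeholder; instanceProfile() is an assumed
// source of credentials, not something the thread confirms for this cluster.
require 'vendor/autoload.php';

use Aws\Credentials\AssumeRoleCredentialProvider;
use Aws\Credentials\CredentialProvider;
use Aws\Exception\AwsException;
use Aws\S3\S3Client;
use Aws\Sts\StsClient;

const ROLE_ARN = 'arn:aws:iam::123456789012:role/EXAMPLE-ROLE'; // placeholder

// Shared options: do not read ~/.aws/config or ~/.aws/credentials.
$base = [
    'version' => 'latest',
    'region'  => 'eu-west-1',
    'use_aws_shared_config_files' => false,
];

// Explicit source credentials for STS. There is no 'profile' key: that option
// names a profile in the shared credentials file, which the container lacks.
$sts = new StsClient($base + [
    'credentials' => CredentialProvider::memoize(CredentialProvider::instanceProfile()),
]);

// Temporary credentials for the target role, cached until they expire.
$assumed = CredentialProvider::memoize(new AssumeRoleCredentialProvider([
    'client' => $sts,
    'assume_role_params' => [
        'RoleArn'         => ROLE_ARN,
        'RoleSessionName' => 'sessionname',
    ],
]));

// Every client gets the provider explicitly, including any fallback branch.
$s3 = new S3Client($base + ['credentials' => $assumed]);

try {
    // Which principal signs the requests, before and after assuming the role?
    echo 'source:  ', $sts->getCallerIdentity()['Arn'], PHP_EOL;
    $check = new StsClient($base + ['credentials' => $assumed]);
    echo 'assumed: ', $check->getCallerIdentity()['Arn'], PHP_EOL;
} catch (AwsException $e) {
    // AccessDenied here is a service-side rejection, not a missing file.
    echo $e->getAwsErrorCode(), ': ', $e->getAwsErrorMessage(), PHP_EOL;
}
```

Comparing the printed ARNs with the output of `aws sts get-caller-identity` from the CLI shows whether the SDK and the CLI are using the same credentials.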
Hi @SamRemis,
I am getting access denied error using AWS PHP SDK

```php
$stsClient = new Aws\Sts\StsClient([
$ARN = "MyARN Role";
$result = $stsClient->AssumeRole([
```
Hi everyone, Can you confirm if you're still experiencing this issue? If so, can you also confirm whether or not instantiating a
This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
Confirm by changing [ ] to [x] below to ensure that it's a bug:
Describe the bug
In an EKS cluster, using the SDK, I'm not able to initialize the S3 client correctly as reported by the guide
https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_assume_role.html
I'm getting the error:
error: "Cannot read credentials from /.aws/credentials" but the ini file is not set.
Version of AWS SDK for PHP?
3.158.1
Version of PHP (`php -v`)?
PHP 7.4.13 (cli) (built: Dec 11 2020 08:24:16) ( NTS )
To Reproduce (observed behavior)
```php
self::$__stsclient = new StsClient(
    [
        'profile' => 'arn:aws:iam:instance-profile/pod-role',
        'version' => 'latest',
        'region' => 'eu-west-1',
    ]
);
$result = self::$__stsclient->AssumeRole([
    'RoleArn' => 'arn:aws:iam::ROLE',
    'RoleSessionName' => 'sessionname',
]);
```
Expected behavior
I'm not able to use the S3 storage
Additional context
docker image
FROM php:7.4-apache