Environment variables set to empty cause silent failing of auth #1680
Labels
bug
This issue is a confirmed bug.
Comments
|
Hm, I think this sounds reasonable but it's also arguably a breaking change / not a forwards compatible change. It might be difficult to actually define what a 'valid' credential is in all contexts. For example, the actual value set may not matter in a testing context (if the responses are stubbed, etc.). Let me run this by some of the other members and see what they think. |
joguSD
added
the
investigating
|
Hello @joguSD, thanks for checking it my issue. Yeah, I can imagine how that can be a problem, so maybe the solution would be to just check if the actual values in os.environ are truthy ? that would prevent issues with empty strings |
|
I hit this as well. We deploy applications to Kubernetes using Terraform. For testing, we deploy on Minikube locally, which requires us to set the auth variables in Terraform. HCL still doesn't have conditionals, so they're always set - even when we use the same module to deploy to a k8s cluster in AWS which is intending to use IAM. As a result auth fails in the real deployment (since the env vars are set but are empty). I have a modification written & deployed right now that solves this. It does so conservatively by special-casing empty string values rather than checking truthiness. It does this for AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_SECURITY_TOKEN, and AWS_ACCESS_TOKEN. I've got some tests in place for the empty string case. I'm running the test suite right now, I should have the PR open this afternoon (EST). Obviously merging it will be dependent not only on code quality but also on the concerns you've voiced above @joguSD . |
JordonPhillips
removed
the
investigating
|
Looks like the other AWS SDKs have the behavior of moving on to the next credential provider if the env var values are empty. I'm inclined to accept #1687. |
bors bot
referenced
this issue
in mozilla/normandy
May 28, 2019
1893: Update dependency webpack to v4.32.2 r=mythmon a=renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | References | |---|---|---|---|---| | webpack | devDependencies | patch | [`4.32.0` -> `4.32.2`](https://diff.intrinsic.com/webpack/4.32.0/4.32.2) | [source](https://togithub.com/webpack/webpack) | 1894: Scheduled weekly dependency update for week 21 r=mythmon a=pyup-bot ### Update [Babel](https://pypi.org/project/Babel) from **2.6.0** to **2.7.0**. <details> <summary>Changelog</summary> ### 2.7.0 ``` ------------- Possibly incompatible changes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These may be backward incompatible in some cases, as some more-or-less internal APIs have changed. Please feel free to file issues if you bump into anything strange and we'll try to help! * General: Internal uses of ``babel.util.odict`` have been replaced with ``collections.OrderedDict`` from The Python standard library. Improvements ~~~~~~~~~~~~ * CLDR: Upgrade to CLDR 35.1 - Alberto Mardegan, Aarni Koskela (626, 643) * General: allow anchoring path patterns to the start of a string - Brian Cappello (600) * General: Bumped version requirement on pytz - chrisbrake (592) * Messages: `pybabel compile`: exit with code 1 if errors were encountered - Aarni Koskela (647) * Messages: Add omit-header to update_catalog - Cédric Krier (633) * Messages: Catalog update: keep user comments from destination by default - Aarni Koskela (648) * Messages: Skip empty message when writing mo file - Cédric Krier (564) * Messages: Small fixes to avoid crashes on badly formatted .po files - Bryn Truscott (597) * Numbers: `parse_decimal()` `strict` argument and `suggestions` - Charly C (590) * Numbers: don't repeat suggestions in parse_decimal strict - Serban Constantin (599) * Numbers: implement currency formatting with long display names - Luke Plant (585) * Numbers: parse_decimal(): assume spaces are equivalent to non-breaking spaces when not in strict mode - Aarni Koskela (649) * Performance: Cache locale_identifiers() - Aarni Koskela (644) Bugfixes ~~~~~~~~ * CLDR: Skip alt=... for week data (minDays, firstDay, weekendStart, weekendEnd) - Aarni Koskela (634) * Dates: Fix wrong weeknumber for 31.12.2018 - BT-sschmid (621) * Locale: Avoid KeyError trying to get data on WindowsXP - mondeja (604) * Locale: get_display_name(): Don't attempt to concatenate variant information to None - Aarni Koskela (645) * Messages: pofile: Add comparison operators to _NormalizedString - Aarni Koskela (646) * Messages: pofile: don't crash when message.locations can't be sorted - Aarni Koskela (646) Tooling & docs ~~~~~~~~~~~~~~ * Docs: Remove all references to deprecated easy_install - Jon Dufresne (610) * Docs: Switch print statement in docs to print function - NotAFile * Docs: Update all pypi.python.org URLs to pypi.org - Jon Dufresne (587) * Docs: Use https URLs throughout project where available - Jon Dufresne (588) * Support: Add testing and document support for Python 3.7 - Jon Dufresne (611) * Support: Test on Python 3.8-dev - Aarni Koskela (642) * Support: Using ABCs from collections instead of collections.abc is deprecated. - Julien Palard (609) * Tests: Fix conftest.py compatibility with pytest 4.3 - Miro Hrončok (635) * Tests: Update pytest and pytest-cov - Miro Hrončok (635) ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/babel - Changelog: https://pyup.io/changelogs/babel/ - Homepage: http://babel.pocoo.org/ - Docs: https://pythonhosted.org/Babel/ </details> ### Update [botocore](https://pypi.org/project/botocore) from **1.12.146** to **1.12.156**. <details> <summary>Changelog</summary> ### 1.12.156 ``` ======== * api-change:``mediastore-data``: Update mediastore-data client to latest version * api-change:``codedeploy``: Update codedeploy client to latest version * api-change:``opsworkscm``: Update opsworkscm client to latest version ``` ### 1.12.155 ``` ======== * api-change:``waf-regional``: Update waf-regional client to latest version * api-change:``ec2``: Update ec2 client to latest version ``` ### 1.12.154 ``` ======== * api-change:``efs``: Update efs client to latest version * api-change:``ec2``: Update ec2 client to latest version * api-change:``apigateway``: Update apigateway client to latest version * api-change:``worklink``: Update worklink client to latest version * api-change:``rds``: Update rds client to latest version * api-change:``servicecatalog``: Update servicecatalog client to latest version * api-change:``devicefarm``: Update devicefarm client to latest version * api-change:``budgets``: Update budgets client to latest version ``` ### 1.12.153 ``` ======== * api-change:``datasync``: Update datasync client to latest version * api-change:``alexaforbusiness``: Update alexaforbusiness client to latest version ``` ### 1.12.152 ``` ======== * api-change:``kafka``: Update kafka client to latest version * api-change:``meteringmarketplace``: Update meteringmarketplace client to latest version * api-change:``mediapackage-vod``: Update mediapackage-vod client to latest version ``` ### 1.12.151 ``` ======== * api-change:``appstream``: Update appstream client to latest version ``` ### 1.12.150 ``` ======== * api-change:``medialive``: Update medialive client to latest version * api-change:``s3``: Update s3 client to latest version ``` ### 1.12.149 ``` ======== * api-change:``ec2``: Update ec2 client to latest version * api-change:``transcribe``: Update transcribe client to latest version * api-change:``mediapackage``: Update mediapackage client to latest version * api-change:``codepipeline``: Update codepipeline client to latest version * enhancement:Environment Variables: Ignore env var credentials is values are empty (`1680 <https://github.com/boto/botocore/issues/1680>`__) * api-change:``rds``: Update rds client to latest version ``` ### 1.12.148 ``` ======== * api-change:``comprehend``: Update comprehend client to latest version * api-change:``chime``: Update chime client to latest version * api-change:``storagegateway``: Update storagegateway client to latest version * api-change:``ec2``: Update ec2 client to latest version ``` ### 1.12.147 ``` ======== * api-change:``datasync``: Update datasync client to latest version * api-change:``iotanalytics``: Update iotanalytics client to latest version * api-change:``lambda``: Update lambda client to latest version ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/botocore - Changelog: https://pyup.io/changelogs/botocore/ - Repo: https://github.com/boto/botocore </details> ### Update [cachetools](https://pypi.org/project/cachetools) from **3.1.0** to **3.1.1**. <details> <summary>Changelog</summary> ### 3.1.1 ``` ------------------- - Document how to use shared caches with ``cachedmethod``. - Fix pickling/unpickling of cache keys ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/cachetools - Changelog: https://pyup.io/changelogs/cachetools/ - Repo: https://github.com/tkem/cachetools </details> ### Update [Faker](https://pypi.org/project/Faker) from **1.0.6** to **1.0.7**. <details> <summary>Changelog</summary> ### 1.0.7 ``` --------------------------------------------------------------------------------- * Remove dead url from ``image_placeholder_services``. Thanks Monstrofil. * Fix missing ``first_names`` in Romanian person provider. Thanks xlotlu. * Add Catalan, adds doi/nie/nif/cif to Spain ssn. Thanks kingbuzzman. * Add ``texts`` to generate list of texts. Thanks pishchalnikov. * Add provider for ``pl_PL`` automotive and Polish pesel number. Thanks adwojak. * Corrected behavior for ``pyfloat``. Thanks ariksu. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/faker - Changelog: https://pyup.io/changelogs/faker/ - Repo: https://github.com/joke2k/faker </details> ### Update [google-api-core](https://pypi.org/project/google-api-core) from **1.10.0** to **1.11.0**. *The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)* <details> <summary>Links</summary> - PyPI: https://pypi.org/project/google-api-core - Repo: https://github.com/GoogleCloudPlatform/google-cloud-python </details> ### Update [google-cloud-core](https://pypi.org/project/google-cloud-core) from **0.29.1** to **1.0.0**. *The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)* <details> <summary>Links</summary> - PyPI: https://pypi.org/project/google-cloud-core - Repo: https://github.com/GoogleCloudPlatform/google-cloud-python </details> ### Update [googleapis-common-protos](https://pypi.org/project/googleapis-common-protos) from **1.5.10** to **1.6.0**. *The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)* <details> <summary>Links</summary> - PyPI: https://pypi.org/project/googleapis-common-protos - Repo: https://github.com/googleapis/googleapis </details> ### Update [Pygments](https://pypi.org/project/Pygments) from **2.4.0** to **2.4.1**. *The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)* <details> <summary>Links</summary> - PyPI: https://pypi.org/project/pygments - Homepage: http://pygments.org/ </details> ### Update [ruamel.yaml](https://pypi.org/project/ruamel.yaml) from **0.15.94** to **0.15.96**. *The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)* <details> <summary>Links</summary> - PyPI: https://pypi.org/project/ruamel.yaml - Repo: https://bitbucket.org/ruamel/yaml </details> ### Update [sphinxcontrib-websupport](https://pypi.org/project/sphinxcontrib-websupport) from **1.1.0** to **1.1.2**. *The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)* <details> <summary>Links</summary> - PyPI: https://pypi.org/project/sphinxcontrib-websupport - Homepage: http://sphinx-doc.org/ </details> ### Update [boto3](https://pypi.org/project/boto3) from **1.9.146** to **1.9.156**. <details> <summary>Changelog</summary> ### 1.9.156 ``` ======= * api-change:``mediastore-data``: [``botocore``] Update mediastore-data client to latest version * api-change:``codedeploy``: [``botocore``] Update codedeploy client to latest version * api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version ``` ### 1.9.155 ``` ======= * api-change:``waf-regional``: [``botocore``] Update waf-regional client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version ``` ### 1.9.154 ``` ======= * api-change:``efs``: [``botocore``] Update efs client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``apigateway``: [``botocore``] Update apigateway client to latest version * api-change:``worklink``: [``botocore``] Update worklink client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version * api-change:``devicefarm``: [``botocore``] Update devicefarm client to latest version * api-change:``budgets``: [``botocore``] Update budgets client to latest version ``` ### 1.9.153 ``` ======= * api-change:``datasync``: [``botocore``] Update datasync client to latest version * api-change:``alexaforbusiness``: [``botocore``] Update alexaforbusiness client to latest version ``` ### 1.9.152 ``` ======= * api-change:``kafka``: [``botocore``] Update kafka client to latest version * api-change:``meteringmarketplace``: [``botocore``] Update meteringmarketplace client to latest version * api-change:``mediapackage-vod``: [``botocore``] Update mediapackage-vod client to latest version ``` ### 1.9.151 ``` ======= * api-change:``appstream``: [``botocore``] Update appstream client to latest version ``` ### 1.9.150 ``` ======= * api-change:``medialive``: [``botocore``] Update medialive client to latest version * api-change:``s3``: [``botocore``] Update s3 client to latest version ``` ### 1.9.149 ``` ======= * api-change:``ec2``: [``botocore``] Update ec2 client to latest version * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``mediapackage``: [``botocore``] Update mediapackage client to latest version * api-change:``codepipeline``: [``botocore``] Update codepipeline client to latest version * enhancement:Environment Variables: [``botocore``] Ignore env var credentials is values are empty (`1680 <https://github.com/boto/botocore/issues/1680>`__) * api-change:``rds``: [``botocore``] Update rds client to latest version ``` ### 1.9.148 ``` ======= * api-change:``comprehend``: [``botocore``] Update comprehend client to latest version * api-change:``chime``: [``botocore``] Update chime client to latest version * api-change:``storagegateway``: [``botocore``] Update storagegateway client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version ``` ### 1.9.147 ``` ======= * api-change:``datasync``: [``botocore``] Update datasync client to latest version * api-change:``iotanalytics``: [``botocore``] Update iotanalytics client to latest version * api-change:``lambda``: [``botocore``] Update lambda client to latest version ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/boto3 - Changelog: https://pyup.io/changelogs/boto3/ - Repo: https://github.com/boto/boto3 </details> ### Update [dockerflow](https://pypi.org/project/dockerflow) from **2018.4.0** to **2019.5.0**. <details> <summary>Changelog</summary> ### 2019.5.0 ``` ^^^^^^^^^^^^^^^^^^^^^ - Gracefully handle user loading to prevent accidental race condtions during exception handling when using the Flask Dockerflow extension. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/dockerflow - Changelog: https://pyup.io/changelogs/dockerflow/ - Repo: https://github.com/mozilla-services/python-dockerflow </details> ### Update [google-cloud-storage](https://pypi.org/project/google-cloud-storage) from **1.15.0** to **1.16.0**. *The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)* <details> <summary>Links</summary> - PyPI: https://pypi.org/project/google-cloud-storage - Repo: https://github.com/GoogleCloudPlatform/google-cloud-python </details> ### Update [kinto-http](https://pypi.org/project/kinto-http) from **10.4.0** to **10.4.1**. <details> <summary>Changelog</summary> ### 10.4.1 ``` =================== **Bug fixes** - Handle bearer tokens without a colon. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/kinto-http - Changelog: https://pyup.io/changelogs/kinto-http/ - Repo: https://github.com/Kinto/kinto-http.py/ </details> ### Update [newrelic](https://pypi.org/project/newrelic) from **4.18.0.118** to **4.20.0.120**. *The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)* <details> <summary>Links</summary> - PyPI: https://pypi.org/project/newrelic - Changelog: https://pyup.io/changelogs/newrelic/ - Homepage: http://newrelic.com/docs/python/new-relic-for-python </details> ### Update [requests](https://pypi.org/project/requests) from **2.21.0** to **2.22.0**. <details> <summary>Changelog</summary> ### 2.22.0 ``` ------------------- **Dependencies** - Requests now supports urllib3 v1.25.2. (note: 1.25.0 and 1.25.1 are incompatible) **Deprecations** - Requests has officially stopped support for Python 3.4. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/requests - Changelog: https://pyup.io/changelogs/requests/ - Homepage: http://python-requests.org </details> ### Update [django-extensions](https://pypi.org/project/django-extensions) from **2.1.6** to **2.1.7**. <details> <summary>Changelog</summary> ### 2.1.7 ``` ----- Changes: - New: test, many many more tests :-) thanks everybody - New: docs, many documentation updates - New: graph_model, add simple theming support and django2018 theme - Improvement: ModificationDateTimeField, make modificationfield name modifiable - Improvement: graph_model, option to not showrelations labels in the graph - Improvement: reset_db, allow to override list of backends for database engines - Improvement: reset_db, add psqlextra backend - Improvement: runserver_plus, idle support - Improvement: generate_secret_key, removed get_random_string in favour of get_random_secret_key - Improvement: update_permissions, add create-only and update-only flags - Improvement: update_permissions, update changed names of permission to match correct permission name - Improvement: syncdata, add --database option - Improvement: runscript, allow to override RUNSCRIPT_SCRIPT_DIR - Fix: create_command, fix mknod error on macos - Fix: runserver_plus, fix in resolving ssl certificate path - Fix: sqldiff, fix hstorefield - Deprecate: truncate_letters, use Django's truncatechars - Deprecate: passwd, use Django's changepassword - Deprecate: Keyczar encrypted fields, Keyczar is abandonned / deprecated ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/django-extensions - Changelog: https://pyup.io/changelogs/django-extensions/ - Repo: http://github.com/django-extensions/django-extensions </details> ### Update [PyDriller](https://pypi.org/project/PyDriller) from **1.7** to **1.8**. <details> <summary>Changelog</summary> ### 1.8 ``` - better handling of merge commits - fix bug in decoding diffs and source code that was causing many diffs to be skipped - include new filter **only_releases** - now modification has the source code of before and after the change ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/pydriller - Changelog: https://pyup.io/changelogs/pydriller/ - Repo: https://github.com/ishepard/pydriller </details> ### Update [Werkzeug](https://pypi.org/project/Werkzeug) from **0.15.2** to **0.15.4**. <details> <summary>Changelog</summary> ### 0.15.4 ``` -------------- Unreleased ``` ### 0.15.3 ``` -------------- Released 2019-05-14 - Properly handle multi-line header folding in development server in Python 2.7. (:issue:`1080`) - Restore the ``response`` argument to :exc:`~exceptions.Unauthorized`. (:pr:`1527`) - :exc:`~exceptions.Unauthorized` doesn't add the ``WWW-Authenticate`` header if ``www_authenticate`` is not given. (:issue:`1516`) - The default URL converter correctly encodes bytes to string rather than representing them with ``b''``. (:issue:`1502`) - Fix the filename format string in :class:`~middleware.profiler.ProfilerMiddleware` to correctly handle float values. (:issue:`1511`) - Update :class:`~middleware.lint.LintMiddleware` to work on Python 3. (:issue:`1510`) - The debugger detects cycles in chained exceptions and does not time out in that case. (:issue:`1536`) - When running the development server in Docker, the debugger security pin is now unique per container. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/werkzeug - Changelog: https://pyup.io/changelogs/werkzeug/ - Homepage: https://palletsprojects.com/p/werkzeug/ </details> Co-authored-by: Renovate Bot <[email protected]> Co-authored-by: pyup-bot <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
recently, we stumbled upon an interesting 'bug' that took us some time to resolve - we had set
AWS_ACCESS_KEY_IDenv variable set to empty, which resulted of having it inos.environas empty string. If it's there as an empty string, it causes config resolver to use EnvProvider - even if it's clearly invalid. While i realize that this issue is caused by us, I would like to propose a small improvement to EnvProvider - which will not only check if env variables are set - but also if they're valid and log/error out when that's not the case, allowing users for quicker debugging.If I can help with the implementation, please let me know, I would gladly take a stab at it.
Regards,
Piotr
The text was updated successfully, but these errors were encountered: