[BUG] AwsSigv4Signer does not correctly read roles from profile

[nick-bir]

What is the bug?

I am using AwsSigv4Signer lib to sign requests to AWS OSS cluster. I have following setup in my .credentials file:

[custom]
aws_access_key_id = KEY_ID
aws_secret_access_key = ACCESS_KEY

[default]
role_arn = arn:aws:iam::CUSTOM_ACCOUNT_ID:role/CustomAccess
source_profile = custom

I am getting error Profile default requires a role to be assumed, but no role assumption when I'm trying to connect to OSS with following options:

const options = AwsSigv4Signer({region: props.region})

As a workaround I managed to explicitly pass role assumer to the options, but no other aws-sdk v3 or even v2 client requires that, so I assume this is a bug:

const options = AwsSigv4Signer({
  region: props.region,
  getCredentials: defaultProvider({roleAssumer: getDefaultRoleAssumer()}),
});

How can one reproduce the bug?

1. Create aws profile that requires role assumption
2. try to use AwsSigv4Signer for any request

What is the expected behavior?

I expect that default role assumer should be used by opensearch client by default, if other assumer was not explicitly passed

What is your host/environment?

mac OS Ventura 13.5
npm 8.19.2
node v18.12.1
opensearch-client 2.3.1

[nhtruong]

There's an IMPORTANT note from this article:

if you intend to acquire credentials using EKS IAM Roles for Service Accounts then you must explicitly specify a value for roleAssumerWithWebIdentity. There is a default function available in @aws-sdk/client-sts package

And the provided example also has explicit roleAssumer:

defaultProvider({
  roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity({
    // You must explicitly pass a region if you are not using us-east-1
    region: "eu-west-1"
  }),
});

So, I don't think this is a bug on the client's Sigv4 Signer's end. It's just how @aws-sdk/credential-provider-nodes behaves. I agree that it's not very convenient. You should bring it up to credential-provider-nodes./

[nick-bir]

Reading the article that you sent, I found another simple convenient and working solution:

const credentials = fromNodeProviderChain();

This does seem to pick up everything I need. It's just a bit weird that all these providers work slightly different, but yeah, it does not look like an opensearch client signer bug.

[dblock]

@nick-bir Care to add something to the documentation for the next person? Maybe into https://github.com/opensearch-project/opensearch-js/blob/main/USER_GUIDE.md#authenticate-with-amazon-opensearch-service?

[nhtruong]

Reopen this issue to add this edge case to the doc.

[nick-bir]

Added #622, please let me know if it looks good to you