Behavior of @aws-sdk/credential-providers fromTemporaryCredentials has changed and results in InvalidClientTokenId #6869
Comments
In |
Mocking of what is the output from the credential provider log?

import { fromTemporaryCredentials } from "@aws-sdk/credential-providers";

const provider = fromTemporaryCredentials({
  logger: console,
  params: {
    RoleArn: "arn:aws:iam::123...456:role/{role}",
  },
  clientConfig: {
    region: "us-west-2",
    profile: "profile_name",
  },
});
const credentials = await provider();

output:
when I run this I get credentials successfully. |
@kuhe Thanks for the response.
I do not really understand what you are saying here. If you assume there is something mocked in this test: there isn’t. There are new versions since yesterday. Thank you for the suggestion to add Here is the complete code, simplified to zoom in on the issue:
const { fromTemporaryCredentials } = require('@aws-sdk/credential-providers')
const { v4: uuidv4 } = require('uuid')
const { STSClient, GetCallerIdentityCommand } = require('@aws-sdk/client-sts')

/**
 * @param {string} region
 * @param {string} profile
 * @returns {Promise<string>}
 */
async function accountId(region, profile) {
  console.info('Using AWS credentials from `~/.aws/credentials` to determine account id')
  /** @type {STSClient | undefined } */
  const stsClient = new STSClient({ region, profile })
  const command = new GetCallerIdentityCommand({})
  const response = await stsClient.send(command)
  const accountId = response.Account
  console.info(' AWS Account ID retrieved') // do not log accountId
  return accountId
}

/**
 * @param {string} region
 * @param {string} profile
 * @param {string} rolePathAndName
 * @returns {Promise<AWSv3ClientConfig>}
 */
async function clientConfig(region, profile, rolePathAndName) {
  console.info('Using AWS credentials from `~/.aws/credentials` to assume role.')
  const id = await accountId(region, profile)
  const roleSessionName = `XXXXXX-${uuidv4()}`
  /** @type {import('@aws-sdk/credential-providers').FromTemporaryCredentialsOptions} */
  const fromTemporaryCredentialsOptions = {
    logger: console, // NOTE: added as suggested by @kuhe
    params: {
      RoleArn: `arn:aws:iam::${id}:role/${rolePathAndName}`,
      // Member must have length less than or equal to 64
      RoleSessionName: roleSessionName,
      DurationSeconds: 1800
    },
    clientConfig: { region, profile }
  }
  const credentialsProvider = fromTemporaryCredentials(fromTemporaryCredentialsOptions)
  const credentials = await credentialsProvider()
  console.info(` AWS credentials for role ${rolePathAndName} received (session name: ${roleSessionName}). Assuming.`)
  return { region, credentials }
}

module.exports = {
  clientConfig
}

const { clientConfig } = require('../../../common/awsV3ClientConfig')
const { profile, automatedTestRoleNameAndPath } = require('../../../common/developerInfo')

const region = 'eu-west-1'

describe('awsV3ClientConfig', function () {
  describe('clientConfig', function () {
    it('works', async function () {
      const result = await clientConfig(region, profile, automatedTestRoleNameAndPath)
      console.log(result)
      result.should.be.an.Object()
    })
    …
  })
})

The output when using
The output when using
Note that getting the account id with The output when using
|
We usually need a more specific reproduction sample repository for issues with this many variables that are unseen, such as ENV and credentials file(s). But, I have a theory as to what is happening. It is related to a fix in behavior for In v3.729.0, the region set in the profile takes precedence and in the latest version of the SDK the Your code-level configured region appears to be |
This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing. |
Thank you! That sounds like a sound theory based on a change after |
I'm sorry, but I probably have little more to give. The point is that I can run the above code with FYI:
|
Indeed. Confirmed. This is
In this setting, the only configuration is a
If I combine this information with your theory, the following should be the case:
When using By your theory, As an experiment, I used As an experiment, I used As an experiment, I ran the test with the For
As you can see, With
I believe that this is not in line with your theory? |
@kuhe Is there any easy or less easy way you can suggest to have more logging? It would be interesting to see, e.g., what HTTP calls are actually finally made. There must be a difference there. |
In a debugging session I found out that, using
In my
In other words, the current code selects the |
When I hard code the
I get the exact same error. In other words: the new implementation does not use the |
The following code, that uses STS
|
Checkboxes for prior research
Describe the bug
When upgrading @aws-sdk/credential-providers from 3.721.0 to 3.742.0, our tests fail when fromTemporaryCredentials is called.
According to credential-providers/CHANGELOG.md, there are changes to fromTemporaryCredentials in 3.731.0 and 3.734.0.
Regression Issue
SDK version number
@aws-sdk/credential-providers@3.742.0
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v22.13.1
Reproduction Steps
The relevant code is:
This is general code, that has the intention to get temporary credentials where the "user" gets necessary permissions by assuming a role (RoleArn). The user’s credentials should be found in ~/.aws/credentials under the given profile. The returned credentials are then used in different places to create a client to perform commands, e.g., (but we don’t get there).
Observed Behavior
Expected Behavior
Return the correct credentials for the role as before.
Possible Solution
No response
Additional Information/Context
No response