`getCredentials` Doesn't Consider Environments That Don't Need Them

Open shellscape opened this issue 2 years ago • 3 comments

Describe the issue

The getCredentials method https://github.com/architect/aws-lite/blob/4f0aba7a28a33db1494f22b7cfd41f226050aec2/src/get-creds.js#L2-L16 doesn't take into account various AWS environments that don't require credentials.

In this case, we're trying to use aws-lite within a docker container for CodeBuild which already has the appropriate roles and doesn't need to explicitly set credentials.

Expected behavior

Allow pass-through for CodeBuild

Steps to reproduce

This is fairly difficult to present succinctly. It would involve creating a CodeBuild project with a docker container containing a distribution or bundle that includes aws-lite, using one of the cached AWS images, such as:

```dockerfile
# CodeBuild-managed image; the build container inherits the project's service role
FROM public.ecr.aws/codebuild/amazonlinux2-aarch64-standard:3.0
WORKDIR /usr/app
# the bundle that includes aws-lite
COPY dist ./
```

Add a role with appropriate permissions, like PutObject to S3, and then run the project.

Platform / version

  • OS + version: (e.g. iOS 17.2)
  • Node version: (e.g. Node.js 20.5)
  • Package manager version: (e.g. npm 10.2)
  • Browser: (e.g. Chrome 70.5, if applicable)

How urgent do you feel this bug is?

P1

Additional context

I chose P1 because it's blocking us from using aws-lite in the context we were hoping to.

shellscape, Jan 18 '24 03:01

Thanks for the heads up @shellscape! To be up front, I haven't used CodeBuild much, so apologies in advance for any naive questions that may arise.

First, I don't believe there's any inherent authentication we aren't passing through here; API requests across the spectrum of AWS services (now) rely on signature v4 (ref 1, ref 2), and that signing process ultimately relies on keys.

Per the credential provider chain, this may occur via a call that fetches (temporary) credentials to be used for signing API requests. So to the best of my knowledge, there aren't environments that "don't require credentials" per se, they just may acquire / have access to those credentials by means we haven't built support for yet. (See also: https://github.com/architect/aws-lite/issues/55)

If we can get some more information about how CodeBuild environments normally go about the authentication process, we can figure out the most direct path for getting similar support for that into aws-lite.

In the meantime: so you're able to assign CodeBuild an IAM role of some kind, I assume? Does your CodeBuild image come with a version of AWS SDK already on disk? Because if so, perhaps you may be able to work around this current limitation by making an STS AssumeRole call to acquire the necessary creds to pass to aws-lite.

Unrelated and non-required: can you tell us more about what project/company this is for? Always nice to hear who's using the things we're working on!

ryanblock, Jan 18 '24 04:01

Thanks for the solid reply.

> they just may acquire / have access to those credentials by means we haven't built support for yet. (See also: https://github.com/architect/aws-lite/issues/55)

> Because if so, perhaps you may be able to work around this current limitation by making an STS AssumeRole call to acquire the necessary creds to pass to aws-lite.

I think this is what's happening behind the scenes in aws-sdk, because we've only used that until now. Once we had a proper role assigned to a thing, we didn't have to pass credentials. We're trying to reduce startup time in a container and that's why aws-lite was attractive. (aws-sdk v3 is worse than v2 lol)

> Unrelated and non-required: can you tell us more about what project/company this is for? Always nice to hear who's using the things we're working on!

I cannot, yet :)

shellscape, Jan 19 '24 15:01

I'm doing some further investigation into this and plotting out how we can support IMDS, which I believe is what we'll need for this case (and EC2 more broadly). Just to be certain: I'm assuming that your CodeBuild setup is configured for EC2? (Lambda normally has its creds instantiated as env vars, which aws-lite would automatically pick up.)

In the meantime, see whether running AWS SDK v3's Node provider chain (fromNodeProviderChain) method to get creds will move things along for the moment:

```javascript
import { fromNodeProviderChain } from "@aws-sdk/credential-providers"

// walks the SDK's default chain (env vars, shared config, container endpoint, IMDS, ...)
const credentialProvider = fromNodeProviderChain()
const result = await credentialProvider()
// {
//   accessKeyId: $key,
//   secretAccessKey: $secret,
//   ...
// }
```

Once you've gotten creds back, just pass them into aws-lite during instantiation.

ryanblock, Jan 20 '24 21:01
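An added example, not aws-lite's code and not what either participant posted, covering the two comments above: a minimal credential provider chain in the order the AWS SDKs use for the environments discussed here (environment variables for Lambda, then the instance metadata service for EC2). It also includes the container credential endpoint (`AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` served from 169.254.170.2), which the thread does not mention but which is how ECS tasks and CodeBuild build containers actually receive their role credentials, ahead of IMDS in the SDK chain. The fake metadata responder and all credential values are constructed so the block runs offline; the option names for handing the result to aws-lite are an assumption.

```javascript
// Added example (not aws-lite's code): a provider chain that yields the same
// { accessKeyId, secretAccessKey, sessionToken, expiration } shape from
//   1. environment variables (what Lambda populates),
//   2. the container credential endpoint (what ECS and CodeBuild populate),
//   3. EC2 IMDSv2 (instance-role credentials).
const IMDS_HOST = 'http://169.254.169.254';
const CONTAINER_HOST = 'http://169.254.170.2';

const shape = (c, source) => ({
  accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey,
  sessionToken: c.Token, expiration: new Date(c.Expiration), source,
});

async function fromEnv(env) {
  const { AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN } = env;
  if (!AWS_ACCESS_KEY_ID || !AWS_SECRET_ACCESS_KEY) return null;
  return { accessKeyId: AWS_ACCESS_KEY_ID, secretAccessKey: AWS_SECRET_ACCESS_KEY,
    sessionToken: AWS_SESSION_TOKEN, source: 'env' };
}

// ECS / CodeBuild hand the container a relative URI; an optional auth token guards it.
async function fromContainer(env, http) {
  const uri = env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
  if (!uri) return null;
  const headers = env.AWS_CONTAINER_AUTHORIZATION_TOKEN
    ? { authorization: env.AWS_CONTAINER_AUTHORIZATION_TOKEN } : {};
  const res = await http(CONTAINER_HOST + uri, { headers });
  if (!res.ok) return null;
  return shape(JSON.parse(await res.text()), 'container');
}

// IMDSv2: a PUT fetches a session token that every metadata GET must then carry.
async function fromImds(http) {
  const tokenRes = await http(`${IMDS_HOST}/latest/api/token`,
    { method: 'PUT', headers: { 'x-aws-ec2-metadata-token-ttl-seconds': '21600' } });
  if (!tokenRes.ok) return null;
  const opts = { headers: { 'x-aws-ec2-metadata-token': await tokenRes.text() } };
  const base = `${IMDS_HOST}/latest/meta-data/iam/security-credentials/`;
  const roleRes = await http(base, opts);
  if (!roleRes.ok) return null;
  const role = (await roleRes.text()).split('\n')[0].trim();
  const credRes = await http(base + role, opts);
  if (!credRes.ok) return null;
  const c = JSON.parse(await credRes.text());
  return c.Code === 'Success' ? shape(c, 'imds') : null;
}

// `http` must behave like fetch(); it is injectable so the chain can run offline.
async function resolveCredentials({ env = process.env, http = globalThis.fetch } = {}) {
  const providers = [() => fromEnv(env), () => fromContainer(env, http), () => fromImds(http)];
  for (const provider of providers) {
    const creds = await provider().catch(() => null); // a failing provider yields to the next
    if (creds) return creds;
  }
  // Same wording as the error reported in this thread.
  throw new Error('You must supply AWS credentials via params, environment variables, or credentials file');
}

// Temporary credentials expire; refresh a few minutes early instead of racing the clock.
function needsRefresh(creds, now = Date.now(), skewMs = 5 * 60 * 1000) {
  return Boolean(creds.expiration) && creds.expiration.getTime() - now < skewMs;
}

// Constructed stand-in for both metadata endpoints (values are placeholders).
function fakeMetadata({ imdsToken = 'imds-tok', role = 'ec2-role', containerToken = null } = {}) {
  const creds = (id) => JSON.stringify({ Code: 'Success', AccessKeyId: id, SecretAccessKey: 'secret',
    Token: 'session', Expiration: '2024-01-20T23:00:00Z' });
  const reply = (ok, body) => ({ ok, text: async () => body });
  return async (url, opts = {}) => {
    const h = opts.headers || {};
    if (url.startsWith(CONTAINER_HOST)) {
      return containerToken && h.authorization !== containerToken ? reply(false, '') : reply(true, creds('ASIACONTAINER'));
    }
    if (url.endsWith('/latest/api/token')) return opts.method === 'PUT' ? reply(true, imdsToken) : reply(false, '');
    if (h['x-aws-ec2-metadata-token'] !== imdsToken) return reply(false, 'Unauthorized'); // IMDSv1-style GET refused
    if (url.endsWith('/security-credentials/')) return reply(true, role + '\n');
    if (url.endsWith('/security-credentials/' + role)) return reply(true, creds('ASIAIMDS'));
    return reply(false, 'Not Found');
  };
}
```

The returned object is what you would hand to the client at instantiation (assumed option names `accessKeyId`, `secretAccessKey`, `sessionToken`, plus `region`), re-resolving when `needsRefresh` reports the temporary credentials are close to expiry. Two operational caveats: on EC2 the IMDSv2 token PUT has a default hop limit of 1, so a process inside a Docker container on an instance will not reach IMDS unless the instance's hop limit is raised, which is another reason the container endpoint matters for CodeBuild; and when a provider's endpoint is reachable but returns a non-success body, the chain treats that as "no credentials here" and moves on rather than surfacing partial data.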

Any movement on this? I ran into this after upgrading arc/functions; we share some helper code that Lambda + EC2 tasks run.

It seems to work fine on Lambda, but EC2 fails with `You must supply AWS credentials via params, environment variables, or credentials file`.

frankleng, Jun 08 '24 10:06

I'm under the weather, thanks for your patience. PRs welcome, workaround here: https://github.com/architect/aws-lite/issues/75#issuecomment-1902268105

ryanblock, Jun 08 '24 17:06