MissingAuthenticationTokenException received when trying to get a secret using SecretManager using AWS_PROFILE, but works when doing the same operation with aws cli
Describe the bug
I receive MissingAuthenticationTokenException when trying to get a secret using the SDK (by passing the AWS_PROFILE env), but when using the aws cli, I receive the secret (so this is not a rights issue). Why does this happen? Am I doing something wrong?
Expected Behavior
To receive the secret
Current Behavior
I receive this error:
HTTP response code: 400
Resolved remote host IP address: 52.16.54.217
Request ID: bee39fc2-b461-4075-adbd-c3b3d233e9d9
Exception name: MissingAuthenticationTokenException
Error message: Missing Authentication Token
5 response headers:
connection : close
content-length : 89
content-type : application/x-amz-json-1.1
date : Wed, 29 Mar 2023 10:11:28 GMT
x-amzn-requestid : bee39fc2-b461-4075-adbd-c3b3d233e9d9
Reproduction Steps
I'm using SDK 1.8.9 and I compiled the example for getting a secret using secretManager. I only added support for ssl certificates in the code (using openssl).
After compiling the code, I ran the executable like this:
export AWS_PROFILE=PROFILE_NAME_PLACEHOLDER
export AWS_SDK_LOG_LEVEL=6
export SSL_CERT_DIR=/etc/ssl/certs
aws_test SECRET_NAME_PLACEHOLDER
But this returned the following response (I attached the whole logs below):
HTTP response code: 400
Resolved remote host IP address: 52.16.54.217
Request ID: bee39fc2-b461-4075-adbd-c3b3d233e9d9
Exception name: MissingAuthenticationTokenException
Error message: Missing Authentication Token
5 response headers:
connection : close
content-length : 89
content-type : application/x-amz-json-1.1
date : Wed, 29 Mar 2023 10:11:28 GMT
x-amzn-requestid : bee39fc2-b461-4075-adbd-c3b3d233e9d9
I also noticed that it tries to get a token by accessing http://169.254.169.254/latest/api/token (which times out, because it's not accessible from outside), but it does that because it says that it failed to find credentials for that profile (the interesting thing is that if I run the aws cli, it retrieves the secret; check below).
[ERROR] 2023-03-29 10:11:26.488 ProcessCredentialsProvider [140282429679424] Failed to find credential process's profile: PROFILE_NAME_PLACEHOLDER
[TRACE] 2023-03-29 10:11:26.488 EC2MetadataClient [140282429679424] Calling EC2MetadataService to get token
[TRACE] 2023-03-29 10:11:26.488 EC2MetadataClient [140282429679424] Retrieving credentials from http://169.254.169.254/latest/api/token
[TRACE] 2023-03-29 10:11:26.488 CurlHttpClient [140282429679424] Making request to http://169.254.169.254/latest/api/token
But if I run the same operation using aws cli (which uses boto3), I receive the secret:
export AWS_PROFILE=PROFILE_NAME_PLACEHOLDER
aws secretsmanager get-secret-value --secret-id SECRET_NAME_PLACEHOLDER --debug
$ aws --version
aws-cli/1.22.34 Python/3.10.6 Linux/5.19.0-35-generic botocore/1.29.36
My ~/.aws/config looks like this:
[default]
role_arn = arn:aws:iam::ID1_MASKED:role/cross-account-dev
source_profile = default
region = eu-west-1
[profile PROFILE_NAME_PLACEHOLDER]
role_arn = arn:aws:iam::ID1_MASKED:role/cross-account-dev
source_profile = default
region = eu-west-1
[profile profile2]
role_arn = arn:aws:iam::ID2_MASKED:role/cross-account-dev
source_profile = default
[profile profile3]
role_arn = arn:aws:iam::ID3_MASKED:role/cross-account-dev
source_profile = default
My ~/.aws/credentials contains this:
[default]
#aws_access_key_id = commented
#aws_secret_access_key = commented
#[default]
aws_access_key_id = AWS_ACCESS_KEY_MASKED
aws_secret_access_key = AWS_SECRET_ACCESS_KEY_MASKED
github_aws_sdk_2023-03-29-10.log
Possible Solution
No response
Additional Information/Context
No response
AWS CPP SDK version used
1.8.9
Compiler and Version used
gcc 9.5.0
Operating System and version
Ubuntu 22.04.1 LTS
I'm experiencing the same issue as well. It reproduces even with the latest SDK version (1.11.53).
Until a proper fix, is there any workaround?
I'm having the same problem on Ubuntu 18.04, gcc 7.5.0, AWS CPP CDK 1.11. I've yet to find a workaround.
As a workaround, I've retrieved the role ARN from the AWS profile, using Aws::Config::AWSConfigFileProfileConfigLoader and with it and an Aws::STS::STSClient I've created an Aws::Auth::STSAssumeRoleCredentialsProvider object, from which the AWS credentials can be retrieved, through the GetAWSCredentials method.
I think another method is to retrieve the role ARN from the AWS profile, as described above, and call the AssumeRole of an Aws::STS::STSClient object. Then, an Aws::Auth::AWSCredentials object can be built from res.GetResult().GetCredentials().GetAccessKeyId(), res.GetResult().GetCredentials().GetSecretAccessKey() and res.GetResult().GetCredentials().GetSessionToken() calls, where the res is the AssumeRole method return object.
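The profile chain that the workaround comments above walk by hand, as an added example that is not part of the thread or of the AWS SDK: it parses constructed copies of the masked config and credentials files from the issue and lists the credential hops the profile needs. The `load` and `resolve` helpers are hypothetical, and the rule that a source profile's static keys take precedence is an assumption modelled on AWS CLI behaviour.

```python
import configparser

# Constructed inputs mirroring the masked files shown in the issue.
CONFIG = """\
[default]
role_arn = arn:aws:iam::ID1_MASKED:role/cross-account-dev
source_profile = default
[profile PROFILE_NAME_PLACEHOLDER]
role_arn = arn:aws:iam::ID1_MASKED:role/cross-account-dev
source_profile = default
"""
CREDENTIALS = """\
[default]
#aws_access_key_id = commented
aws_access_key_id = AWS_ACCESS_KEY_MASKED
aws_secret_access_key = AWS_SECRET_ACCESS_KEY_MASKED
"""

def load(text, strip_prefix=False):
    """Parse an AWS INI file into {profile_name: {key: value}}."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section
        if strip_prefix and section.startswith("profile "):
            name = section[len("profile "):].strip()
        profiles[name] = dict(cp.items(section))
    return profiles

def resolve(profile, config, creds):
    """Return the credential hops for `profile`, base credentials first."""
    hops, seen, name, top = [], set(), profile, True
    while True:
        merged = {**config.get(name, {}), **creds.get(name, {})}
        has_keys = {"aws_access_key_id", "aws_secret_access_key"} <= merged.keys()
        role = merged.get("role_arn")
        # Assumption (modelled on AWS CLI behaviour): static keys win for a
        # source profile; only the top-level profile assumes its own role first.
        if has_keys and (not top or role is None):
            return [("static_keys", name)] + hops[::-1]
        if role is None or name in seen:
            raise ValueError(f"profile {name!r}: no usable credential source")
        seen.add(name)
        hops.append(("assume_role", role))
        name, top = merged.get("source_profile", ""), False

if __name__ == "__main__":
    print(resolve("PROFILE_NAME_PLACEHOLDER", load(CONFIG, True), load(CREDENTIALS)))
```

For the profile in the issue the result is the static keys from `default` followed by one AssumeRole hop, which is the STS call the workarounds make explicitly; a profile whose chain never reaches static keys raises `ValueError`.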
I am also seeing this error with pyarrow:
import pyarrow._s3fs
pyarrow._s3fs.initialize_s3(pyarrow._s3fs.S3LogLevel.Trace)
import pyarrow.fs
s3_fs = pyarrow.fs.S3FileSystem()
...
[DEBUG] 2023-05-12 21:09:32.904 Aws::Config::ConfigFileProfileFSM [140237186401216] Found credential_process <redacted>
[INFO] 2023-05-12 21:09:32.904 Aws::Config::AWSProfileConfigLoaderBase [140237186401216] Successfully reloaded configuration.
[TRACE] 2023-05-12 21:09:32.904 Aws::Config::AWSProfileConfigLoaderBase [140237186401216] reloaded config at 2023-05-12T21:09:32Z
[INFO] 2023-05-12 21:09:32.904 ProcessCredentialsProvider [140237186401216] Failed to find credential process's profile: default
Is there any update on this issue? I'm getting the same error, MissingAuthenticationTokenException, with the ListQueues SDK call, when getting response through Postman on main call