This repository has been archived by the owner on Nov 20, 2018. It is now read-only.

SharedCredentials does not parse the same INI format that the AWS CLI docs #75

Closed
petemounce opened this issue Jul 14, 2014 · 8 comments

Comments

@petemounce
Contributor

The AWS CLI multiple-profiles documentation specifies a format that the SharedCredentials class does not parse (the spec tests against a different format).

It makes sense for there only to be one format, and it would be really convenient if it matched the one the CLI tools expect and document.

@trevorrowe
Contributor

Can you highlight the differences you are referencing? I know the CLI supports multiple configuration targets including ~/.aws/config and ~/.aws/credentials that have similar formats but different features.

@petemounce
Contributor Author

I was referring to this:

The AWS CLI supports multiple profiles stored within the configuration file. The following example shows a file with two profiles:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region=us-east-1

[profile test-user]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
region=us-west-2

Whereas the mock file for the spec looks like

[fooprofile]
aws_access_key_id = ACCESS_KEY_1
aws_secret_access_key = SECRET_KEY_1
aws_session_token = TOKEN_1

[barprofile]
aws_access_key_id = ACCESS_KEY_2
aws_secret_access_key = SECRET_KEY_2
aws_session_token = TOKEN_2

The difference is that the CLI wants [profile <name>] whereas the SDK supports [nameprofile] (sorry, but I couldn't follow the parsing code to know whether that means it parses out a profile called nameprofile or name).

@trevorrowe
Contributor

I believe the linked documentation and example is for the CLI configuration file. This file is found at ~/.aws/config. It has a similar format but accepts additional options, such as region. I believe it also contains the profile prefix in the profile sections.

The CLI should support the shared credential file found at ~/.aws/credentials. While the structure of this file is similar to the CLI config, it should only contain credentials and does not have the "profile" prefix in the sections. @jamesls, can you confirm this?

That said, I find the documentation on these files is confusing and does not disambiguate the two files well. Also, I think it is an odd story for them to be so close and yet subtly different. I have been considering exploring loading credentials and other things from the CLI config file, including region and others. I'm not sure what this would look like and what the story would be for CLI specific configuration options.

@petemounce
Contributor Author

I hadn't realised there were 2 files. Seems confusing especially since both
can have credentials. I wish there were just one, in an accepted consistent
format.

I mean, duplicating credentials between files for different SDKs and CLI
packages is right there a security risk, as much as it is inconvenient.


@trevorrowe
Contributor

I believe the issue is the CLI supported loading credentials from ~/.aws/config first. The decision was made to support loading credentials from their own separate file. This allows users to keep credentials separate from configuration.

In an ideal situation, the ~/.aws/config file would be shared by all language SDKs and tools, but this was already being consumed by the CLI with CLI specific configuration. I think there is still definitely room for moving towards this, but care needs to be taken to ensure backwards compatibility for existing use cases.

I would like to leave this issue open to track this until we can decide what should be happening and what needs to change. Thanks for your patience.

@jamesls
Contributor

jamesls commented Jul 15, 2014

@trevorrowe Yes I can confirm this. In the ~/.aws/config file, profiles are defined as:

[profile myprofile]
aws_access_key_id=foo
aws_secret_access_key=bar

This is because the CLI has other sections in the config file that aren't profiles (preview, plugins, etc), whereas in the ~/.aws/credentials sections are only profiles so there's no need for the profile prefix:

[myprofile]
aws_access_key_id=foo
aws_secret_access_key=bar
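
The section-naming rules confirmed above, together with the duplicated-credentials concern raised earlier in the thread, as an added example that is not part of the thread or the Ruby SDK's code. The helper names (`parse_ini`, `profiles`, `duplicated_credentials`) are hypothetical and the sample file contents are constructed placeholders.

```ruby
# Added example: hypothetical helpers, not the SDK's SharedCredentials code.
CREDENTIAL_KEYS = %w[aws_access_key_id aws_secret_access_key aws_session_token].freeze

# Parse INI text into { section_name => { key => value } }.
def parse_ini(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = (sections[m[1].strip] ||= {})
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      current[m[1]] = m[2]
    end
  end
  sections
end

# Map section names to profile names. kind is :config or :credentials.
def profiles(sections, kind)
  sections.each_with_object({}) do |(name, values), out|
    if kind == :credentials || name == 'default'
      out[name] = values # credentials file: the section name is the profile
    elsif (m = name.match(/\Aprofile\s+(.+)\z/))
      out[m[1]] = values # config file: strip the "profile" prefix
    end # other config sections (preview, plugins, ...) are not profiles
  end
end

# Names of profiles that carry credential keys in both files.
def duplicated_credentials(config_text, credentials_text)
  config = profiles(parse_ini(config_text), :config)
  creds = profiles(parse_ini(credentials_text), :credentials)
  (config.keys & creds.keys).select do |name|
    (config[name].keys & creds[name].keys & CREDENTIAL_KEYS).any?
  end
end

# Constructed sample inputs (placeholder values, not real keys).
SAMPLE_CONFIG = <<~INI
  [profile test-user]
  aws_access_key_id=CONSTRUCTED_ID
  aws_secret_access_key=CONSTRUCTED_SECRET
  [preview]
  cloudfront=true
INI
SAMPLE_CREDENTIALS = <<~INI
  [test-user]
  aws_access_key_id = CONSTRUCTED_ID
  aws_secret_access_key = CONSTRUCTED_SECRET
INI
```

Calling `duplicated_credentials(SAMPLE_CONFIG, SAMPLE_CREDENTIALS)` reports `test-user`, the one profile whose keys are stored in both files; a `[profile x]` section placed in the credentials file is read literally as a profile named `profile x`.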

@jamesls
Contributor

jamesls commented Jul 15, 2014

FWIW, there's a proposal in the aws-cli repo about potential changes we could make to smooth over the distinction between ~/.aws/credentials and ~/.aws/config. Feedback welcome: aws/aws-cli#847

@trevorrowe
Contributor

I'm going to close this issue; there does not appear to be any additional work for the Ruby SDK at this time, as it supports the shared credentials file.

Based on the discussion in aws/aws-cli#847, it appears the AWS CLI will move towards defaulting to storing configured credentials in the same file. At this time, I would expect the AWS CLI documentation to be updated to reflect this, hopefully eliminating the primary confusion.
