Allow alternate credential profiles to be specified #3241

Closed
dunka opened this issue Jun 4, 2022 · 7 comments
Labels
kind/tracking This issue is being tracked internally scope/ECS Anywhere


dunka commented Jun 4, 2022

Summary

The ecs-agent uses the "default" profile from root and does not provide an option to specify an alternative.

Description

In some cases credentials are present under an alternate profile name in the root credentials file (/root/.aws/credentials). It would be great if we could pass a config flag to use an alternate profile name.

This seems like it should be a straightforward feature, changing the hard-coded https://github.com/aws/amazon-ecs-agent/blob/master/agent/credentials/providers/rotating_shared_credentials_provider.go#L48 to read from a config option and of course updating the bits around reading and passing around the option from the ecs.config.

It could default to "default" to ensure existing users don't have to change anything.

@sparrc
Contributor

sparrc commented Jun 6, 2022

Hello, thanks for opening this issue, I can confirm that specifying a custom profile for the SSM agent (via https://github.com/aws/amazon-ssm-agent#config-property-definitions) will cause problems since we hardcoded this cred provider to use "default".

To solve this we would need to add a config var called something like ECS_EXTERNAL_CREDENTIAL_PROFILE="default"

@mssrivas mssrivas added kind/tracking This issue is being tracked internally scope/ECS Anywhere labels Jul 12, 2022
@sunds

sunds commented Aug 3, 2022

If the hardcoded default profile is removed, the SharedCredentialsProvider will honor the standard AWS_PROFILE environment variable, or it will choose "default" if not set. AWS_PROFILE can be set in /etc/ecs/ecs.config

#3326

@fierlion
Member

#3360 <- I did a quick rebase of your 3326 PR against the head of dev and am running functional tests. Even with the assurance that the SDK will assume 'default' we'll still want to build in a config var to make sure this is always set.

@fierlion
Member

fierlion commented Aug 25, 2022

--- FAIL: TestGMSAWithS3CredentialSpec (35.31s)
--- FAIL: TestV3TaskEndpointDefaultMode (356.62s)
--- FAIL: TestEnvFilePrecedence2EnvFiles (326.54s)
--- FAIL: TestEnvFilePrecedenceTaskDefEnvironment (56.01s)

This failed a subset of Windows functional tests.

I'll work out a revision with the config var and run the tests again.

@sunds

sunds commented Aug 26, 2022

Thanks for this. Your approach is the better one.

@fierlion
Member

Note the above change was merged and will go out with the next release. Will close this ticket once the release is completed.

@ubhattacharjya
Contributor

Hi,

Since this has been released, I am closing the issue. Kindly reopen if the issue persists.

Thanks
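The profile selection discussed in this thread, as an added example that is not the agent's or the SDK's own code: it resolves a profile name and loads only that section of a shared credentials file, returning an error instead of falling back when the profile is absent. Assumptions: `ECS_EXTERNAL_CREDENTIAL_PROFILE` is the name floated above ("something like"), the precedence over `AWS_PROFILE` is assumed, and `resolveProfile`, `loadProfile` and the minimal INI parsing are hypothetical helpers.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Constructed sample of /root/.aws/credentials; all values are placeholders.
const sampleCreds = `[default]
aws_access_key_id = EXAMPLE-DEFAULT-ID
aws_secret_access_key = example-default-secret
[ecs-anywhere]
aws_access_key_id = EXAMPLE-ANYWHERE-ID
aws_secret_access_key = example-anywhere-secret`

// resolveProfile: agent variable (assumed name and precedence), then AWS_PROFILE, then "default".
func resolveProfile(getenv func(string) string) (name, source string) {
	for _, key := range []string{"ECS_EXTERNAL_CREDENTIAL_PROFILE", "AWS_PROFILE"} {
		if v := strings.TrimSpace(getenv(key)); v != "" {
			return v, key
		}
	}
	return "default", "fallback"
}

// loadProfile returns one [profile] section; a mistyped name errors instead of using another identity.
func loadProfile(creds, profile string) (map[string]string, error) {
	kv, in, found := map[string]string{}, false, false
	for _, raw := range strings.Split(creds, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			in = strings.TrimSpace(line[1:len(line)-1]) == profile
			found = found || in
		} else if k, v, ok := strings.Cut(line, "="); ok && in && !strings.HasPrefix(line, "#") {
			kv[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if !found || kv["aws_access_key_id"] == "" || kv["aws_secret_access_key"] == "" {
		return nil, fmt.Errorf("profile %q missing or incomplete", profile)
	}
	return kv, nil
}

func main() {
	name, source := resolveProfile(os.Getenv)
	_, err := loadProfile(sampleCreds, name)
	fmt.Printf("profile=%q selected via %s, load error: %v\n", name, source, err)
}
```

Logging the returned source next to the profile name makes it visible on a host which setting decided the identity in use.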
