AWS_ROLE_ARN env variable doesnt work without setting up config file #5639

Open
tbua opened this issue Oct 15, 2020 · 7 comments
Labels: configuration; documentation (This is a problem with documentation.); feature-request (A feature should be added or improved.); p2 (This is a standard priority issue)

Comments


tbua commented Oct 15, 2020

Confirm by changing [ ] to [x] below:

Issue is about usage on:

  • CLI : passing arguments or cli configurations.

Platform/OS/Hardware/Device
What are you running the cli on?
Windows10Pro V1903

Describe the question
AWS_ROLE_ARN is an environment variable supported by the cli as shown in this doc, but I can't seem to use it purely as an environment variable without having to set up a profile in .aws/config file.

Desired usage:

```shell
export AWS_ACCESS_KEY_ID=AKxxxx
export AWS_SECRET_ACCESS_KEY=yyyyy
# no space after '=': with one, the shell sets an empty AWS_ROLE_ARN and tries to run the ARN as a command
export AWS_ROLE_ARN=arn:aws:iam::<account_id>:role/<role_name>
```

What I have to do instead to make it work (with additional settings for ~/.aws/config):

```shell
export AWS_ACCESS_KEY_ID=AKxxxx
export AWS_SECRET_ACCESS_KEY=yyyyy
aws configure set role_arn arn:aws:iam::<account_id>:role/<role_name>
aws configure set credential_source Environment
```

I'm not sure if this is a bug, or if it's just not part of the feature support for AWS_ROLE_ARN. But it would be very useful to be able to set everything in environment variables without having to touch the file directory. A similar issue has been opened against aws-sdk-go: aws/aws-sdk-go-v2#2867

@tbua tbua added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Oct 15, 2020
@tbua tbua changed the title AWS_ROLE_ARN env variable doesnt work without adding settings config file AWS_ROLE_ARN env variable doesnt work without adding settings in config file Oct 15, 2020
@tbua tbua changed the title AWS_ROLE_ARN env variable doesnt work without adding settings in config file AWS_ROLE_ARN env variable doesnt work without setting up config file Oct 15, 2020
@kdaily kdaily added configuration investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 16, 2020
@kdaily kdaily self-assigned this Oct 16, 2020
kdaily (Member) commented Oct 19, 2020

Hi @tbua, thanks for reporting. I believe that this is not currently supported, according to this documentation:

https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles

> Note that configuration variables for using IAM roles can only be in the AWS CLI config file.

At this time I'm not sure what the restriction is, but I'll find out. I'll also mark this as a documentation issue for the user guide to make it consistent.

@kdaily kdaily added the documentation This is a problem with documentation. label Oct 19, 2020
@rittneje

The lack of this feature is causing problems for us. Our build job loads the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, and needs to then assume a role to perform any operations. Since AWS_ROLE_ARN isn't an accepted env var, I had to make a profile that specified the role_arn and credential_source = Environment.

However, the documentation explains that if both AWS_PROFILE and AWS_ACCESS_KEY_ID are set, AWS_PROFILE is completely ignored. https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

> If AWS_PROFILE environment variable is set and the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set, then the credentials provided by AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will override the credentials located in the profile provided by AWS_PROFILE.

This basically makes specifying credential_source = Environment completely pointless, since my only option is to manually pass --profile=<profile> to every single CLI command. Worse, aws eks update-kubeconfig records the profile as an env var in ~/.kube/config instead of using the --profile option, meaning that kubectl doesn't work at all in this setup.

Please add AWS_ROLE_ARN as an environment variable to fill in the gap, and deprecate credential_source = Environment since it cannot work as expected given the precedence order of env vars.

@kdaily kdaily added feature-request A feature should be added or improved. and removed guidance Question that needs advice or information. investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Oct 21, 2020
kdaily (Member) commented Oct 21, 2020

Hi @rittneje,

Thanks for the feedback. Part of the reason to require it to be in a profile in the configuration is to better support credential chaining (using one role to get access to another account or role). Your use case is noted, so marking this as a feature request.


stawii commented Nov 10, 2020

Making feature that is well documented to actually work is a "feature request"? :)

kdaily (Member) commented Nov 10, 2020

Hi @stawii,

Which part of the documentation are you referring to? This specific environment variable (AWS_ROLE_ARN) is only available when assuming a role via the web identity provider, as noted here under "Assume Role with Web Identity":

> These environment variables currently apply only to the assume role with web identity provider. They don't apply to the general assume role provider configuration.

It would be a feature request to extend the use of this environment variable. I marked it for documentation to clarify that in other sections. Let me know if this is unclear, thanks!


stawii commented Nov 16, 2020

@kdaily - yeah... it's clear now, somehow I missed the big box with the "note" header... it should be named "READ THIS, DUMMY" ;)


dannysauer commented Jul 24, 2022

So, what I'm currently doing is

```shell
export AWS_PROFILE=myscript-12345
aws configure set role_arn arn:aws:iam::12345:role/somerole
aws configure set source_profile default
```

That kinda sucks, because it modifies the config file for what should just be a one-off thing (hence the myscript prefix). Any hope for actually making this env var work the way someone reasonable would expect (despite the docs providing a warning that it probably doesn't)? :)
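
The following is an added example, not code from this issue or from the AWS CLI project, that addresses both practical points raised above: rittneje's observation that AWS_PROFILE is ignored once AWS_ACCESS_KEY_ID is in the environment, and dannysauer's complaint that `aws configure set` permanently edits ~/.aws/config for what should be a one-off job. It writes the `role_arn` / `credential_source = Environment` profile to a temporary file selected with the CLI's AWS_CONFIG_FILE variable, passes `--profile` explicitly on each call, and then refuses to continue unless `sts get-caller-identity` confirms the caller really is the expected role rather than the base user. The role ARN, account id and the profile name `assume` are placeholders; it assumes the AWS CLI is installed and that base credentials are already exported.

```shell
#!/bin/sh
# Added example (not from the issue or the AWS CLI project). Assumes the AWS CLI
# is installed and AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are already exported.
set -eu

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/somerole}"   # placeholder ARN

# Write a throw-away config file instead of editing ~/.aws/config. The CLI reads
# the file named by AWS_CONFIG_FILE, so the profile exists only for this run.
write_assume_role_config() {
    # $1 = path of the config file to create, $2 = role ARN to assume
    cat > "$1" <<EOF
[profile assume]
role_arn = $2
credential_source = Environment
EOF
}

# Given the Arn returned by `aws sts get-caller-identity` and the role ARN we
# expected to assume, succeed only if the caller really is that role.
# An assumed-role caller looks like arn:aws:sts::<acct>:assumed-role/<name>/<session>
# (the role's IAM path is not part of it); the base user looks like
# arn:aws:iam::<acct>:user/<name>, which must be rejected.
assumed_role_matches() {
    caller="$1"; role="$2"
    acct="${role#arn:aws:iam::}"; acct="${acct%%:*}"   # account id from the role ARN
    name="${role##*:role/}"; name="${name##*/}"         # role name, path stripped
    case "$caller" in
        "arn:aws:sts::$acct:assumed-role/$name/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only talk to AWS when the CLI and base credentials are actually present.
if command -v aws >/dev/null 2>&1 && [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    tmpcfg="$(mktemp)"
    trap 'rm -f "$tmpcfg"' EXIT
    write_assume_role_config "$tmpcfg" "$ROLE_ARN"

    # --profile must be passed explicitly: with AWS_ACCESS_KEY_ID set, the CLI
    # ignores AWS_PROFILE and would silently keep using the base credentials.
    caller="$(AWS_CONFIG_FILE="$tmpcfg" aws sts get-caller-identity \
                --profile assume --query Arn --output text)"
    if assumed_role_matches "$caller" "$ROLE_ARN"; then
        echo "running as $caller"
    else
        echo "refusing to continue: caller is $caller, expected $ROLE_ARN" >&2
        exit 1
    fi
fi
```

The identity check is the part worth keeping even if the rest changes: a job that believes it assumed a role but is silently running on the base user is exactly the failure mode the precedence rule quoted above produces, and failing closed on the caller ARN catches it. This does not change the fact, per the doc quoted by kdaily, that AWS_ROLE_ARN itself is still ignored by the general assume-role provider, and it does not help the `aws eks update-kubeconfig` case, which writes the profile into the kubeconfig as an environment variable.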

@tim-finnigan tim-finnigan added the p2 This is a standard priority issue label Nov 11, 2022
tchiotludo added a commit to kestra-io/plugin-aws that referenced this issue Dec 12, 2024