NYPL / engineering-general

Standards, values, and other information relevant to the NYPL Engineering Team.

No default profile for AWS

holingpoon opened this issue · comments

Hello, @nonword and I went on an adventure with AWS Lambda deployment, and we discovered that if our machines have a [default] profile inside our .aws/config and .aws/credentials files, the node-lambda npm library will look for default settings first and override the necessary KMS decryption settings. I am recommending that we should include a note on AWS Lambda to make sure our machines have no [default] in our AWS credentials.

THANK YOU!
Do you feel like this commit in my pending PR addresses this?

I think maybe the bigger issue here is that all the AWS SDKs have a search order for finding credentials not explicitly provided to clients. And every SDK is a little different. I think we should ensure devs are aware of this behavior and the order in their particular SDK.

Node
http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html
Java
http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
PHP
http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/credentials.html

I'm not sure how/where to communicate this in our standards but I think this is important.

@kfriedman Would it make more sense to include this guideline in the Development environments standards? That's usually part of the onboarding process, and when developers start setting up their working environment.

On that note, @nodanaonlyzuul I think we should keep your newest commit, then refactor someday when it makes more sense to just keep the default profile issue on one of the other standards pages.

@kfriedman Good idea to check, but are the SDKs different? That Node link shows credential loading "in order of recommendation". I'm not sure that can be directly compared to the other two. Having trouble finding documentation of actual precedence in node aws-sdk, and the code itself is complex. But I think our main concern is whether env creds override ~/.aws creds, right? I think they must in all SDKs, or else one's [default] profile would always clobber one's environment, which is not the case. I think the first place all SDKs check is the environment. Failing that, it loads [default] from ~/.aws. Failing that, no creds are available until explicitly setting them in code (e.g. aws.config.credentials = new aws.SharedIniFileCredentials({ profile: 'nypl-digital-dev' })).
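The search order sketched in the comment above, modelled as an added example that is not part of this thread and is not code from node-lambda or the AWS SDK. It uses only Node built-ins so the precedence can be checked offline: credentials set explicitly in code first, then AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the environment, then the profile named by AWS_PROFILE or, failing that, [default] from the shared credentials file. That order is an assumption drawn from the thread and the linked SDK docs, not a re-implementation of any SDK's provider chain; the sample credentials file and key ids are constructed placeholders. It also includes a small onboarding check that flags a [default] profile, which is the footgun the issue recommends avoiding.

```javascript
// Added example (not from the NYPL thread, node-lambda, or aws-sdk): a model of
// the credential search order discussed above, runnable with plain Node.
// Assumed precedence: explicit profile in code > environment variables >
// AWS_PROFILE / [default] in ~/.aws/credentials.

// Constructed sample ~/.aws/credentials content; key ids are placeholders.
const SAMPLE_CREDENTIALS_FILE = `
# constructed sample, not real keys
[default]
aws_access_key_id = AKIA_PLACEHOLDER_DEFAULT
aws_secret_access_key = placeholder-default-secret

[nypl-digital-dev]
aws_access_key_id = AKIA_PLACEHOLDER_DIGITAL_DEV
aws_secret_access_key = placeholder-digital-dev-secret
`;

// Parse an INI-style shared credentials file into { profileName: { key: value } }.
function parseSharedCredentials(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const section = /^\[(.+)\]$/.exec(line);
    if (section) {
      current = section[1].trim();
      if (!profiles[current]) profiles[current] = {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1 || current === null) continue; // ignore keys outside a section
    profiles[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Return { source, accessKeyId } for a named profile, or null if it is unusable.
function profileCredentials(profiles, name) {
  const p = profiles[name];
  if (p && p.aws_access_key_id && p.aws_secret_access_key) {
    return { source: 'profile:' + name, accessKeyId: p.aws_access_key_id };
  }
  return null;
}

// Resolve which credentials a client would end up using under the assumed
// chain. Returns { source, accessKeyId } or null when nothing is available.
function resolveCredentials({ env = {}, credentialsFile = '', explicitProfile = null } = {}) {
  const profiles = parseSharedCredentials(credentialsFile);
  if (explicitProfile !== null) {
    // An explicit selection in code bypasses the chain entirely.
    return profileCredentials(profiles, explicitProfile);
  }
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
    return { source: 'environment', accessKeyId: env.AWS_ACCESS_KEY_ID };
  }
  return profileCredentials(profiles, env.AWS_PROFILE || 'default');
}

// Onboarding check matching the issue's recommendation: is a [default]
// profile present that could silently take over a deployment tool's settings?
function hasDefaultProfile(credentialsFile) {
  const profiles = parseSharedCredentials(credentialsFile);
  return Object.prototype.hasOwnProperty.call(profiles, 'default');
}

// Usage: show what each situation resolves to.
console.log('no env, no explicit profile ->', resolveCredentials({ credentialsFile: SAMPLE_CREDENTIALS_FILE }));
console.log('AWS_PROFILE set ->', resolveCredentials({
  env: { AWS_PROFILE: 'nypl-digital-dev' }, credentialsFile: SAMPLE_CREDENTIALS_FILE,
}));
console.log('explicit profile ->', resolveCredentials({
  env: { AWS_ACCESS_KEY_ID: 'AKIA_PLACEHOLDER_ENV', AWS_SECRET_ACCESS_KEY: 'placeholder-env-secret' },
  credentialsFile: SAMPLE_CREDENTIALS_FILE,
  explicitProfile: 'nypl-digital-dev',
}));
console.log('[default] present:', hasDefaultProfile(SAMPLE_CREDENTIALS_FILE));
```

Running it shows the point the thread makes: with neither environment variables nor an explicit profile, [default] wins, so a machine that keeps a [default] section will hand those keys to any tool that relies on the chain, which is why the check flags it.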

Closed in #38 I believe. Please reopen if I'm wrong!